Slate On Worms That Plug Security Holes 417
gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
Here is a related article... (Score:5, Informative)
Nachi was in response to Blaster (Score:5, Informative)
Illegal (Score:2, Informative)
A white knight worm author would end up with the same civil damages to pay, only gaining perhaps a small reduction of the criminal charges.
they stuff up networks (Score:5, Informative)
These bloody worms caused us so much bother. Our customer-terminating (ethernet) routers (Cisco 7206 NPE300 VXRs) really suffered CPU-wise against these, because the ethernet-based services are process switched, unlike ATM/POS etc., unfortunately. And the netflow accounting tables were just out of control.
AND the old legacy routers we have that still ran snmp based ip accounting, the cpu on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.
Unfortunately just blocking the traffic doesn't help, as you have to receive the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.
On the bright side though, it prompted management to give me a lot of money to get some more grunty gear, so we are now better prepared for the next time it happens, and I'm sure it will.
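The "dump the netflow tables and find the infected customers" step described in the post above, as an added example that is not the poster's own tooling: a scanning worm shows up in flow accounting as one source fanning out to many distinct destinations with only a handful of packets per flow. The flow records below are constructed, and the port and threshold values are assumptions for illustration.

```python
"""Flag likely worm-infected sources from netflow-style records."""
from collections import defaultdict

# Constructed sample flow records, not real customer data.
# Each tuple is (src_ip, dst_ip, dst_port, packets).
# 10.0.5.17 touches four hosts on TCP 135 (the RPC port the Blaster
# family scanned) with a few packets each; 10.0.7.4 is a normal client.
SAMPLE_FLOWS = [
    ("10.0.5.17", "10.0.9.2", 135, 3),
    ("10.0.5.17", "10.0.9.3", 135, 3),
    ("10.0.5.17", "10.0.9.4", 135, 4),
    ("10.0.5.17", "10.0.9.5", 135, 3),
    ("10.0.7.4", "10.0.9.2", 80, 512),
    ("10.0.7.4", "10.0.9.2", 80, 240),
    ("10.0.7.4", "10.0.9.5", 25, 37),
]


def scan_candidates(flows, min_distinct_dsts=3, port=None):
    """Return {src_ip: distinct_destination_count} for every source that
    contacted at least min_distinct_dsts distinct hosts, optionally
    counting only flows to one destination port. The threshold is an
    assumed value; tune it against the site's own baseline."""
    dsts = defaultdict(set)
    for src, dst, dport, _pkts in flows:
        if port is None or dport == port:
            dsts[src].add(dst)
    return {s: len(d) for s, d in dsts.items() if len(d) >= min_distinct_dsts}


def avg_packets_per_flow(flows, src):
    """Average packets per flow for one source: scanners stay low, real
    sessions are large. Returns 0.0 when the source has no flows."""
    counts = [p for s, _d, _dp, p in flows if s == src]
    return sum(counts) / len(counts) if counts else 0.0


def contact_list(flows, min_distinct_dsts=3, port=None):
    """Lines for the support desk: source, fan-out, and avg packets/flow."""
    hits = scan_candidates(flows, min_distinct_dsts, port)
    return [f"{src} contacted {n} hosts, avg {avg_packets_per_flow(flows, src):.1f} pkts/flow"
            for src, n in sorted(hits.items())]


if __name__ == "__main__":
    for line in contact_list(SAMPLE_FLOWS, port=135):
        print(line)
```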
Re:Nachi was in response to Blaster (Score:5, Informative)
******** From Symantec **********
W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install them, and then restart the computer.
The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.
Also Known As: W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend]
Jesus Christ! (Score:2, Informative)
Don't get me wrong. I like the drama of a vulnerable platform as much as anyone. But I prefer to enjoy it from afar. That's why I stick with Mac and Unix.
On the other hand, there is the cynical satisfaction of watching stupid people buy MS with a smile on their face, thinking they're gaining a source of pride and joy. Little do they know, only weeks from now they'll be paying me dozens of bucks per hour to run AdAware and reinstall their system.
Thank you MS! Your dedication to backwards compatibility for abandonware ensures me and my MCSE-toting buddies years of capitalizing on the inherent flaw of your approach. I would bow before you if you didn't so resemble a dung beetle.
Paper by Vesselin Bontchev (Score:3, Informative)
http://www.virusbtn.com/old/OtherPapers/GoodVir/ [virusbtn.com]
Well worth a read if you've not seen it before
Like linux doesn't get worms. (Score:2, Informative)
user edumacation (Score:3, Informative)
So when we got hit by Nachi, I tracked down the weak link. It was our Netware admin, who deliberately went around my firewall so he could peruse porn, logged into his dialup ISP, checked his personal POP mail at said dialup ISP, and within minutes, bam. Nachi in the house. Of course, this wouldn't have been a problem if he (and the 2 dozen other users that got hit because of him) had kept their systems up to date.
I was found to be to blame for this, despite the fact that there was absolutely nothing I could do about it, since he bypassed my security. After a week of TRYING to explain to management why it happened, that nobody should bypass security and so on, I took a long hard look at the incident.
While Nachi was good in concept, it had fatal programming errors in it that caused it to be more harmful than Blaster. We all know this. I chalk it up to a learning experience - whoever wrote Nachi definitely learned from this. Too bad there weren't any real variants of Nachi. Yes, I'm serious. However, people actually learned from Nachi. Three weeks after Nachi infections slammed into my firewall, it stopped. Nachi just went away.
Yet I still get pounded by Codered and Nimda YEARS after information, patches, and global press about it were made highly available and easily accessible.
Everybody bitches about spam and viruses and worms and popups, yet so few people actually do anything about it. Don't complain to me about pop-ups. Use a different browser. Refuse to "learn" a new browser? Fine. Get Google toolbar. Don't know how to check for viruses? Get AVG. Sick of spam? Fine, I'll adjust your SpamAssassin threshold.
But people don't want to do these things. In their minds, everything should just work, and work the way they want it to work. Everybody at my company knows that we have AVG, AdAware, Spybot S&D and so on. When new software is made available, I pass it on to my users. A user came up to me last week and asked why AdAware never has any updates anymore, for like the last year. Because she disregarded my notice about the new AdAware and kept using the old.
I have strict rules about email, and my SpamAssassin 50_scores.cf file is very, very harsh. My users have been told that some of their email contacts may be tagged as spam, and if that happens, let me know and I'll whitelist them. Not one person has asked me to whitelist anyone, yet everyone bitches behind my back that I'm a lousy admin because *I* somehow personally tagged their email as spam. Even the president asked me to remove all graphic/audio/video attachments, so I complied. Yet he complains that he can no longer get pictures and other non-work-related material through email.
It's an endless cycle. No appreciation for jobs well done. This is why I actually welcome such attempts to clean up the filth on the 'net. I originally despised Nachi. I now praise it.
As long as the end user refuses to heed educational advice about how dangerous the Internet is, the Internet needs vigilantism.
Bring it on.
Re:Viruses to attack Viruses which patch Viruses (Score:2, Informative)
Re:Like stealing your bike (Score:3, Informative)