
Slate On Worms That Plug Security Holes 417

gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
This discussion has been archived. No new comments can be posted.

  • No. (Score:2, Insightful)

    by mirko ( 198274 ) on Wednesday July 28, 2004 @06:46AM (#9820144) Journal
    But are 'good viruses' really a good idea?

    No.
    These could be Trojans.
    If I give you some worm that's supposed to cure another but which in fact is another one...
    No.
  • One bad idea (Score:5, Insightful)

    by gowen ( 141411 ) <gwowen@gmail.com> on Wednesday July 28, 2004 @06:49AM (#9820154) Homepage Journal
    It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!")
    Gee. That's a fine way to train users to just click "OK" on every dialogue box they see. And we all know what a great idea that is....
  • by JanMark ( 547992 ) on Wednesday July 28, 2004 @06:49AM (#9820156) Homepage
    Next thing in line: an automatic spyware remover. Followed by: an automatic licence checker. And in true 1984 style: an automatic open source software remover.
  • by singleantler ( 212067 ) on Wednesday July 28, 2004 @06:51AM (#9820166) Homepage Journal
    If White Knight viruses become common there will be viruses designed to attack them as well, it's just making an extra battleground. This has happened with anti-adware products - many of the new trojans and viruses try to stop software like Adaware working.

    The answer is to have a secure system, as that's not happening in the Windows world at the moment, then frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer.)
  • by Anonymous Coward on Wednesday July 28, 2004 @06:52AM (#9820168)
    It's like somebody is stealing your bike just to take it for a service.

    Would you like that?
  • by rebeka thomas ( 673264 ) on Wednesday July 28, 2004 @06:52AM (#9820170)
    No. My reasoning is that a trojan, no matter how it modifies a system, has a chance of fucking it up.

    Even valid updates from manufacturers have the odd really bad messup. Making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.

    To give support to those writing such whiteknight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".
  • Anti-virus programs like Norton AV, McAfee etc. would still block these intelligent programs. They are still viruses. Are they not?
  • No, no, and no. (Score:2, Insightful)

    by mercan01 ( 458876 ) <`moc.liamg' `ta' `10nacrem'> on Wednesday July 28, 2004 @06:56AM (#9820190) Journal
    "White Knights" are a horrible idea. They're a horrible idea for the very same reasons letting MS automatically push updates onto your computer without your knowledge or permission is a bad idea.

    It's not for someone who "knows better" to decide for me how to "Secure" my computer. What happens if one of these virus-like apps (either from MS or a third party) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?

    If these hackers want to do good and create 3rd party patches that people can download and install on their own, that's one thing and I applaud them for their efforts. But, please, don't insult my intelligence and do something that's "best" for me without my knowledge or consent.
  • Wrong approach (Score:2, Insightful)

    by vandan ( 151516 ) on Wednesday July 28, 2004 @06:58AM (#9820198) Homepage
    I really am sick of viruses.
    Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.

    Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation.

    If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses are asking for it. If you put your computer on the internet, you have a responsibility to do the right thing by everyone else. If you stick your head in the sand and click on all the 'click here' and 'free hardcore XXX' links, then come bitching to me when the whole thing comes crumbling to the ground then you really only have yourself to blame.

    ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean.

    Once a few viruses start doing this, people will get the hint and keep their systems secure.
  • by Anonymous Coward on Wednesday July 28, 2004 @06:59AM (#9820200)
    Even if you can deceive people about a product through misleading statements, sooner or later the product will speak for itself. - Hajime Karatsu

    Too true!
  • by minus9 ( 106327 ) on Wednesday July 28, 2004 @07:03AM (#9820216) Homepage

    Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
    There is absolutely nothing "white hat" about running code on someone else's machine without their permission.

  • Re:No. (Score:2, Insightful)

    by mwvdlee ( 775178 ) on Wednesday July 28, 2004 @07:09AM (#9820230) Homepage
    If it were a Trojan, it wouldn't be a "good virus" anymore :) It isn't about worms purporting to be good, it's about worms that are actually trying to do some good.

    I'd prefer that no worms existed at all but given the choice I'd much rather have my idiot neighbor open a good virus than a bad one, there's going to be wasted bandwidth either way but at least the good virus could stop some waste in the future.
  • Re:Probably.. (Score:2, Insightful)

    by iLEZ ( 594245 ) on Wednesday July 28, 2004 @07:14AM (#9820246) Homepage
    Also, virus writers, black or white hatted, should never do the work that every experienced sysadmin should do.
    Kind of like having robbers in charge of security in a bank.
  • by Lord Grey ( 463613 ) * on Wednesday July 28, 2004 @07:21AM (#9820272)
    There are pros and cons to having 'good worms' patch systems. For most Slashdot readers, it's probably not a good thing. We tend to pay attention to patches, what our systems are doing (so as to detect strange activity), etc. But as others have pointed out, such a worm might not be a bad thing for the non-tech computer users.

    What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.

  • by 9Nails ( 634052 ) on Wednesday July 28, 2004 @07:43AM (#9820350)
    If your system is a mission critical one, you should be running a firewall and anti-virus to begin with. You should also stay on top of software updates. This is standard computing in my book.

    There is no excuse for Corporate security exploits. Unless the corporation just doesn't care about its computing.
  • Push vs Pull (Score:5, Insightful)

    by gad_zuki! ( 70830 ) on Wednesday July 28, 2004 @07:55AM (#9820392)
    I don't want to see any "friendly trojans" but a while ago someone wrote a very neat Java app which acted like an IIS server, listened for attacks, and used the exploit from the exploited to send the infected party a "net send localhost YOUVE GOT A VIRUS!!" message or something to that effect. What was that worm called? Red Alert? I think the software was called red alert vigilante or somesuch.

    Anyway, I should have the right to take attackers and use their own exploit to inform them about their situation. A real world comparison would be me finding a trespasser and instead of just kicking them out, telling them they are doing wrong and then kicking them out.

    Granted, this kind of vigilante action can be seen as, say, tracking down the trespasser and going on his property to yell at him. I guess this is where the analogy breaks down, but it's a good concept and doesn't waste bandwidth like the "friendly trojan" shotgun approach.

    This would only work with worms with machines with open firewalls, but it sure beats nothing.
  • by stromthurman ( 588355 ) on Wednesday July 28, 2004 @08:06AM (#9820446)
    Bruce Schneier touched on this very subject in his September 2003 cryptogram in response to Nachi (or Blast.D), you can find his original article in the cryptogram archives [schneier.com].

    Automatically installing code on a user's system without their consent is never a good idea. Virally propagated code, no matter the intent, still generates network traffic, just because the payload is different doesn't mean the virus/worm/whathaveyou isn't adding to the problem of congested networks. And as someone else pointed out, even if the 'white hat' programmer has good intentions, that doesn't mean they won't make mistakes in their code which could have adverse effects on the systems they are attempting to patch.

    While I don't think users should have to directly interface with security protocols/techniques, I do think they should be aware of them. If they are made fully aware of the damages that can be done to them, they're more likely to patch, or back away from the internet in fear, either way, there is a reduction in exploitable hosts.
  • by zijus ( 754409 ) on Wednesday July 28, 2004 @08:08AM (#9820459)

    I DO think automatic, "valid" updates can be considered as viruses in the effect they may have. They can actually halt a production system. This is real life experience: I have seen network emulation updates, source code control systems updates fucking up production. More than once. No kidding: even anti-viruses updates broke the prod for some dlls incompatible with XYZ. Isn't it a nightmare? The anti-virus stuff becomes a virus!

    The point is, in production you are assumed to know what's on your box. Anything automatic that you can not 100% predict, is breaking this statement. You don't know any more. And the point of the automatic update stuff is "you don't want to care" and it is legitimate.

    So my point: yes a trojan, no matter how it modifies a system, has a chance of fucking it up. Not acceptable.

    Ciao ciao.
  • by Photo_Nut ( 676334 ) on Wednesday July 28, 2004 @08:09AM (#9820464)
    The parent poster writes:
    "I really am sick of viruses. Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers."

    Welcome to the IT club. So far, you aren't sounding special.

    "Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Window installation."

    I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera. How do I get my pictures and video into the computer? Oh, and I bought a new printer, too. I want to print my new pictures with my new printer. Oh, oh, and my cellphone has this cool service where I can download ringtones... I want to do that, too. I need to do XYZ with some application I use for XYZ. How do I get it on my Linux PC?" Face it. Linux is still a second-class citizen in the desktop market. Having one or two category apps isn't the same thing as having 99% of the market.

    "If I were writing a worm, ..."

    Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist! Talking about writing worms doesn't get you my respect. Even hypothetically. It has been done before. It has been discussed to death before. There were viruses that damaged your equipment. There were other viruses that repartitioned your hard drive. Plenty of worms can do these things.

    "ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean."

    A) What are reasonable steps?

    B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program?

    If some application I download to do X has a bug that's exploited and does Y, and I don't know it, is it my fault?

    C) Your statements are quite harsh. Have you ever had your hard disks wiped clean with all of your hard work on them? Your statement is akin to saying, "People who get diseases should be shot. That'll teach 'em to get sick!"

    I can't believe your post was modded insightful. Flamebait, yes. Insightful, no.
  • by Organic_Info ( 208739 ) on Wednesday July 28, 2004 @08:22AM (#9820544)
    Well, we keep seeing the "white virus" explained as a computer/network immune system. Well, OK, let's consider this for a second or two: my immune system is restricted to my body; my phagocytes don't go invading other people in a bid to help them out.

    So the same should be applied to the software immune system, after all nature knows its shit better than we do.
  • by Tony-A ( 29931 ) on Wednesday July 28, 2004 @08:23AM (#9820556)
    "how would a good virus tell another good virus from a bad one?"

    Easy. They're all bad, including the good.

    It might be justified if "enough is enough!", but if you have to ask, it is never justified. It might be good at the moment, but once the moment is past, it is a bad virus.
  • Re:No. (Score:3, Insightful)

    by tallman68 ( 586637 ) on Wednesday July 28, 2004 @08:47AM (#9820696)
    Nachi was the last worm to actually have a noticeable impact on our network. MyDoom hardly affected us at all. We don't care what your intentions are, worms are bad.

    Is there such a thing as "good SPAM" or "good junk mail?" Aren't they just all an unneeded drain on our resources? Same goes with these worms. When are these kids going to get it? Breaking into our networks does not help us!

    And, yes, we need to have proactive security (for the most part we do) but just because we have an opening is not an invitation to come on in. If I have a crappy lock on the front door of my house it does not give you leave to break in and install a better lock.

    (\rant) Now I feel better.
  • by ed.han ( 444783 ) on Wednesday July 28, 2004 @09:49AM (#9821150) Journal
    guys, the problem worms create beyond their security-related issues is one very simply of bandwidth consumption. come on, guys. it's the same exact problem as chain letters: even if the payload/content is innocuous, if these things are all over, stressing the pipes, how is this doing anybody any good?

    and this ignores the problem that in a lot of shops, the IT staff likes to test out patches & make sure the patch doesn't break anything. if a patch hasn't been installed on an office box, there might very well be a good reason for it. a worm is a one-size-fits-all sledgehammer of a solution to the problem of unpatched boxes. how would you feel about allowing an unknown process, not critical to apps or OS function, run on every desktop in a LAN?

    ed
  • They couldn't say "if everyone stopped using Internet Explorer and Outlook Express worms and viruses would be a fraction of the problem they are", now could they?

    Sometimes I think the whole antivirus industry mostly serves as a diversionary tactic that lets companies keep shipping software with deep, fundamental security problems.
  • by krinsh ( 94283 ) on Wednesday July 28, 2004 @11:48AM (#9822434)
    You, and that other frogtard out there that espouse the virtues of 'white worms' every single bleeping time a virus or worm makes it on CNN, suck. I'll avoid further commentary because I really don't want my post to be rated flamebait.

    First things first. As several other posters have rightfully indicated; competent system administrators will do what they can to mitigate malware outbreaks. Strong, zero-tolerance acceptable use policy for Internet and e-mail will mitigate most virus issues. Yes, I said zero tolerance. It disgusts me that people would 'just want to see what it looked like', or deliberately jack their workstation to get to play instead of produce, or feel that they should not have to exercise common sense when performing daily work activities - "my IT person should be preventing these from ever arriving so if I open them it's not my fault". This will not happen - the competent admin will do their best; but the antivirus updates and system patches may not always be there in time.

    I still cannot comprehend why anyone with even a fraction of IT experience would condone PATCHING WITHOUT TESTING. Fool. Any single one of us has horror stories about applying a hotfix or patch and then struggling to get it to work right or roll the system back because it fried a critical company application. Entire books; entire industries have sprung up around the phenomenon of not thinking - uhm, testing before you patch. This is common for non-security updates - remember ODBC and Jet database engine fiascos? I sure do. DLL protection my left... eye.

    Finally, anyone that supports the 'white worm' concept, even on controlled internal nets, needs to examine the path that led to their support and then burn it clean. Nachi taught us that releasing a worm that spreads the same way as the malicious version WILL cause as much damage - by crashing systems, hammering network devices, breaking applications that have not been tested with the patch, saturating bandwidth... often causing more damage than the bad worm it is trying to fix. Secondary to that, the worm intended to fix runs the risk of being modified and used for 3V1L itself.
  • by colinleroy ( 592025 ) on Wednesday July 28, 2004 @12:18PM (#9822648) Homepage
    > Being an IT professional, ... install linux

    I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera.


    Er, I may be slow, but I fail to see how the grandparent poster's users, in a professional environment, could justify the need of fancy stuff like digital cameras or downloading ringtones, or installing printers themselves. If there's an IT professional where he works, it is most probably in an environment big enough so that users should not mess with their computers.
  • by johkir ( 716957 ) <jokirbyNO@SPAMvmth.ucdavis.edu> on Wednesday July 28, 2004 @01:16PM (#9822828)
    Besides all the technical problems with traffic, breaking other code, and just another trojan, who decides what is good v. bad? What if there is an over-zealous religious fanatic that writes code which will prevent you from visiting any site that THEY feel is inappropriate, not just pr0n? Kinda like what a vigilante is doing in Utah [deseretnews.com]. Or a government agency preventing access to public records until an investigation completes? Or maybe a political party might release a worm that prevents you from looking up the goods on a candidate's business history, or typing 'miserable failure' into Google [google.com]. Maybe Microsoft could release BHO code which looks at the URL before IE sends the request, and if the URL contains Linux or Apple, whoops, here is microsoft.com
