Slate On Worms That Plug Security Holes 417

gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
  • Probably.. (Score:5, Interesting)

    by manavendra ( 688020 ) on Wednesday July 28, 2004 @06:51AM (#9820165) Homepage Journal
    For most users, who experience bewildering slowdown of the internet connectivity, or the intranet access, which mysteriously disappears after a few days - for them, such "White Knights" may probably be useful. For grannies, gramps and other naive users it would be a blessing.

    For others, who have mission critical applications or other extensions on the target OS, such "White Knights" may send a shiver down the spine:

    What if it plugs a hole, but breaks something else?

    From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.
  • Re:No. (Score:2, Interesting)

    by munter ( 619803 ) on Wednesday July 28, 2004 @06:57AM (#9820193)
    I agree. There's a fine line between a white worm and black worm. Before you know it, worms will be the next ICBM, with people seizing the transport to change the payload. Bad bad bad.
  • by Prong_Thunder ( 572889 ) on Wednesday July 28, 2004 @07:05AM (#9820220)
    The white worm needs to be passive; a compromised system will try and attack other systems - all the "good" virus has to do is wait for an attack. When an attack occurs, our "good" virus has the IP of a compromised machine on which to mount a counterattack/patch.

    The white worm should also uninstall itself after a predetermined length of time, say 10 days.

    I understand the concern people have about auto-patching, however I am certain that none of those people would put themselves into a situation where they were vulnerable in any case - they would only see a benefit from this, in the overall lessening of net traffic.
  • Re:Probably.. (Score:5, Interesting)

    by Mr.Cookieface ( 595791 ) on Wednesday July 28, 2004 @07:16AM (#9820255)
    It would be interesting to see some trusted repair networks emerge which deliver fixes to unpatched vulnerabilities for users who want them, similar to those who maintain spammer lists. The patches could be delivered over a trusted P2P network which has as its only purpose to deliver these files and of course would use hashes to verify the integrity of the files it delivered. That way, the white worms would only travel where they are wanted and could be tested a lot better than by the lone hacker.

    The only problem is that the users who would most benefit from this type of service aren't the type to be proactive in their fight against viruses and would probably never use something like that unless it came preloaded and turned on by default and Micro$oft would never let that happen.

    Perhaps the ISPs need to take more responsibility for identifying viral network activity and block it, while notifying the end users. Something like when they go to connect to the internet, they get a page notifying them that their machine is infected and they need to call a certain phone number before they are let back on.

  • by SalsaDot ( 772010 ) on Wednesday July 28, 2004 @07:23AM (#9820281) Homepage
    Of course we want control of our machines and would object to anything running on them. That's why WE protect and patch them regularly, RIGHT?

    NO... this is for those Joe Sixpacks, grandmas and - worst of all - the selfish dumbasses who don't know OR CARE if their machine on their spanking new broadband connection is fouling the net for the rest of us.

    If ISPs don't employ some kind of active blocking, then the combination of the world's most used OS (STILL having gaping holes) + users who'll open any attachment and OK every install query + broadband means the battle will be lost without some "friendly agent" on our side.

    And what's with these PCs you buy with one year's free subscription to virus updates? Whaddaya think happens when that expires? The expiry warning dialogs get dismissed, the machines become increasingly vulnerable.

    For these users, patching needs to be proactive, automatic and on by default.

    Course the naysayers will argue that an auto update mechanism creates a vulnerability in itself. This is arguable, but the fact is you're not gonna win trying to "educate" users.

    You could just sit back until a nice cosy CLOSED internet standard is imposed on us by the powers that be when the frustration level reaches breaking point.
  • by CaraCalla ( 219718 ) on Wednesday July 28, 2004 @07:30AM (#9820299)
    If someone came along to write a really nasty one, that could have certain beneficial side-effects:
    • zero-day remote hole
    • replicate for 24 hours
    • then really mess up the filesystem, destroying most of the data
    That would teach most people to patch their systems.

    The Big One, anyone taking?

    no sig

  • The problem with patches (and this goes for the linux world as well) is that people who don't have DSL are stuffed - how am I going to convince my dad to download all 70 meg of WinXP-SP2 over his pay-per-minute 56k dialup?

    (and no, "White Knight" viruses are not the answer)

    If ISPs start taking a hard line against exploits instead of ignoring them then people might pay more attention - it's not rocket science for the ISP to detect the signatures of worms scanning the network and automatically pull the plug on anyone compromised. I favor an "internet rating" system in the same way you get a "credit rating" - if you're shown to repeatedly get compromised then it's clear you can't run a secure system and no ISP should allow you full unrestricted internet access.

    I'd also like network-connected software you pay for (e.g. Windows) to come with free updates _on CD_ for a reasonable life of the product instead of requiring you to download it. If my car has a fault (e.g. the brakes don't work under some conditions) then the manufacturer writes to me and fixes it at their own expense - they don't quietly put a notice up somewhere out of the way saying that if I want to I can send off for the replacement part and then wait for the media to actually publicise it after a few people crash coz their brakes didn't work.

    Before anyone complains, the whole on-CD updates idea wouldn't apply to free linux downloads like Fedora since you're not paying for it in the first place, but quite rightly it should apply to stuff you do pay for like RedHat Enterprise, etc.
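
Added example, not part of any comment in this thread: a minimal sketch of the ISP-side detection that the comment above and Mr.Cookieface's comment describe, flagging subscribers whose outbound connections fan out to many distinct addresses on one port with few completed handshakes. The flow-record layout, the thresholds and all addresses are constructed assumptions, not taken from any real ISP tooling.

```python
from collections import defaultdict

# Constructed flow records (assumed layout):
# (epoch_seconds, subscriber_ip, dst_ip, dst_port, handshake_completed)
def build_sample_flows():
    flows = []
    base = 1200  # chosen so all sample traffic falls in one 60-second bucket
    # 10.0.0.5 sweeps 40 addresses on TCP/135; only 2 of them answer.
    for i in range(40):
        flows.append((base + i, "10.0.0.5", f"192.0.2.{i + 1}", 135, i % 20 == 0))
    # 10.0.0.9 browses normally: 3 destinations, every connection completes.
    for i in range(30):
        flows.append((base + i * 2, "10.0.0.9", f"198.51.100.{i % 3 + 1}", 80, True))
    # 10.0.0.7 is a busy but healthy host: many peers, 90% of connections complete.
    for i in range(40):
        flows.append((base + i, "10.0.0.7", f"203.0.113.{i + 1}", 6881, i % 10 != 0))
    return flows

def find_scanners(flows, window=60, min_targets=25, max_success_ratio=0.2):
    """Return {subscriber: (port, distinct_targets, success_ratio)} for
    subscribers whose traffic on one port inside one time bucket looks like
    worm scanning: wide fan-out combined with mostly failed connections."""
    buckets = defaultdict(list)
    for ts, src, dst, port, completed in flows:
        # Fixed buckets keep the sketch short; a sliding window would also
        # catch sweeps that straddle a bucket boundary.
        buckets[(src, port, ts // window)].append((dst, completed))

    flagged = {}
    for (src, port, _), hits in buckets.items():
        targets = {dst for dst, _ in hits}
        ratio = sum(1 for _, completed in hits if completed) / len(hits)
        # Fan-out alone would also flag the healthy many-peer host, so the
        # failure ratio is required as a second condition.
        if len(targets) >= min_targets and ratio <= max_success_ratio:
            flagged[src] = (port, len(targets), ratio)
    return flagged

if __name__ == "__main__":
    for src, (port, targets, ratio) in find_scanners(build_sample_flows()).items():
        print(f"quarantine candidate {src}: {targets} targets on port {port}, "
              f"{ratio:.0%} completed")
```

The flagged list is what would feed the "notify the subscriber before restoring access" step the comments propose; the thresholds need tuning against real traffic before any automatic disconnection.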
  • by ryane67 ( 768994 ) on Wednesday July 28, 2004 @08:09AM (#9820467)
    No matter how you slice it, it's still code executing on your computer without your permission and that's a virus.

    As a usually security minded person, I do what I can to keep my system up to date and to keep any non-requested traffic off my network. So.. most of these "white knight" viruses won't even get to my computer. I'm sure most /. readers fall into this category as well.

    As for the general public, these could be used for good.. but there is much more potential for evil, as is usual with situations like this.

    "Hey, I'm a program that unknown to you got onto your computer.. My intentions are good, I promise... You should click yes to fix the security hole that I got in through and distribute me to all your friends"(muahahaha)
  • by Corpus_Callosum ( 617295 ) on Wednesday July 28, 2004 @08:55AM (#9820740) Homepage
    Think of the net as a big organism. We have invading viruses and worms [and other nasties], but no real immune system to speak of...

    While there are certain to be real dilemmas and dragons here, it seems that exploring the idea of white worms and whatnot is a good idea, after all, is there any other solution for the systems that are not managed? However, white worms should have oversight (e.g. registered source code to some oversight body, managed release into the wilderness, etc..) somewhat akin to oversight for the immune system in an organism..

    When in doubt, consult how nature does it - the more complex our systems become, the more similar our solutions look to nature's.. Very intriguing..
  • by manavendra ( 688020 ) on Wednesday July 28, 2004 @09:29AM (#9820982) Homepage Journal
    That is a very interesting observation, and one that I agree with.

    However, is it really a divide of the rich and the poor on internet? And what are the criteria for being the rich or the poor? It surely can't be software or AV updates, since there are a number of tools out there that are free..
  • by rjamestaylor ( 117847 ) <rjamestaylor@gmail.com> on Wednesday July 28, 2004 @11:04AM (#9821911) Journal
    Before the (US) West was settled and governed by laws and law-men (well, back when it was more obviously not governed by laws and law-men) people took the law into their own hands. It wasn't that people didn't like the legal system -- there wasn't one. So, in order to continue to live and attempt to make a real society out in the Wild West, they hung the "bad" guys. These were vigilantes, the "good" side of lawlessness. While vigilantes are necessary in uncivilized lands, they are counter-productive in civil society.

    The Internet is a Wild West (or, to use 1990's terms, the Information Superhighway is overrun with Highwaymen) and those trying to make it a civil society (non-profit or for-profit) should not be expected to sit back and let marauding groups of Russia spammers and Nigerian Scammers ruin it for them and us. Once there is an authority in place to stop the MS-empowered superworms, autopatching worms will necessarily be outlawed, too, but until then...some will do what they have to do.

  • Re:Probably.. (Score:2, Interesting)

    by StarChamber ( 800981 ) on Wednesday July 28, 2004 @02:11PM (#9823203)
    Why not just turn ISPs providing broadband access into operators of managed networks? Would it not be easier to either have the ISPs provide managed Anti-virus and host based IDS software to their users or, if the user opted out, have them perform periodic scans of those PCs and shut down any of their subscribers' connection until they patched the hole? If the average user is too inept to secure their own PC as a routine function of PC ownership, then a reasonable alternative could be a managed solution as a term of service. As for corporate PCs, companies that refuse to secure their PCs should be held liable for the damage that those owned PCs unleash on other companies. The only way to get corporate America to take notice is to hit them where it hurts - their pocketbook. After enough of them are seen shelling out millions of dollars in damages, other companies will then fall into line and secure their networks. I am not for more government regulation, but something has to be done to protect the rest of us from the ever increasing number of ignorant broadband users allowing all types of viruses and worms to spread.
  • Re:No. (Score:2, Interesting)

    by rjoseph ( 159458 ) on Wednesday July 28, 2004 @02:12PM (#9823214) Homepage
    No, you're wrong. We've taken the term "virus" from the medical field, so let's take one more: vaccine. Wikipedia [wikipedia.org] says a vaccine "[is] a weakened bacterium or virus that lost its virulence, or a toxoid (a modified, weakened toxin or particle from the infectious agent)." Straight from the horse's mouth, if you will.

    The problem is you're not even addressing the "good" viruses These could be Trojan. Well then they wouldn't be the *good* viruses anymore, would they.

    Not only are these "good" viruses the perfect way to patch security holes that both the vendors and users are not patching, but they are the natural evolution of computer viruses. If we're to continue to use the biological metaphor in computing, we might as well exploit it to the fullest.
  • by Grimwiz ( 28623 ) on Thursday July 29, 2004 @06:27AM (#9829770) Homepage
    There are a few common things that viruses and worms do that we can use, without causing the bad things and avoiding many of the ethical problems.

    Start with a small set of manually seeded machines that have the white hat virus installed.

    1. The "white hat" virus sits quiescently on a machine and monitors its own infection vector passively, therefore not utilising any bandwidth. Upon receiving an attack from the virus it is programmed to protect against, it will move to step 2 and remember not to approach the attacker again within a week.

    2. Using the same known vulnerability that the virus exploits it is able to put itself on the attacking, infected machine. It then pops up a dialog box saying "your machine is infected with a XXX virus, may I deal with it?" with a cancel button which cancels, but if OK is clicked then we move to step 3.

    3. It installs its package so it can be removed by the control panel, it patches the system so it is not vulnerable, cleans the virus and starts itself scanning, adding itself to the group of machines waiting in step 1.

    4. If a month goes by without detecting anything, uninstall itself.

    Benefits : minimal network traffic since only validated victims are addressed, no changes without authorisation and if the OS is secured then the white hat virus cannot propagate.

    Worst case scenario : if someone is infected and will not patch their machine or remove the virus they may get irritated by popups.
