Anti-Santy Worm Patches phpBB Flaw

sebFlyte writes "Interesting Santy worm story -- there's now an anti-Santy worm proliferating, which spreads the same way as a normal worm, but rather than killing machines or taking control of them, it gives them security updates..." We mentioned the Santy worm about ten days ago.

White Worms

[ErichTheWebGuy]

I feel that white worms, when done correctly, are a good thing. This is a case where the ends justify the means, even if it does mean comprimising vulnerable systems.

Satisfaction Guarantee?

[someonewhois]

Is there a satisfaction guarantee with the virus?

Wasn't there a Welcha worm that cleaned up Blaster, and once the path was clear, it just gave you another virus? :p

A bit uneasy...

[BlueThunderArmy]

this does sound a bit sneaky and intrusive, but if it's breaking into computers and doing good deeds perhaps we should just let it. After all, people sure as hell aren't doing security updates on their own, might as well let somebody do them.

Re:White Worms

[savagedome]

White worms? Ha! I prefer to call them Earthworms since they belong to both sides!

Re:Not very benificial

[lightdarkness]

MSN's index updates quicker.

Google wouldn't show as many results. I am a google junkie, but MSN previals in this aspect.

Anti-IE worm...

[Vague but True]

How long before someone makes an "Anti-IE" worm that automaticaly installs FF on everyone's computers.

Re:White Worms

[GoofyBoy]

From the article;

"If a site is infected, the worm causes a huge amount of traffic and slows down the site. I don't think it's possible to write a beneficial worm."

No such thing as a white worm

[genessy]

Even if the worm patched the site without defacing it yet again, it's still going to bog down networks by replicating. Perhaps a better alternative would be to send a simple e-mail to vulnerable sites and allow them to make the decision to patch or upgrade to the newest version.

Re:White Worms

[lukewarmfusion]

If it comes into my system without my permission, it's a bad thing. I don't care if it's coming with good intentions or not, any kind of unauthorized access is unacceptable.

As others have pointed out, patching isn't always something you should do right away. In any enterprise system, you should be testing the patches and updates before you deploy them to your users. For instance, many of us wait to see if Service Pack 2 is stable before installing it. I haven't put it on my own machine yet (partly for fear of instability and partly out of laziness). If a worm came around that forced users to upgrade to SP2 right after it was released, that could be a very bad thing.

Conundrum

[jabber01]

White worms are a nice theory, but I think they should be fought just as vehemently by anti-virus software as malicious ones.

Holes they use should never be left unpatched, even if the worm's patches are not applied.

Consider: If there was a benign strain of HIV out there that immunized you to Herpes upon infection, would you give up condoms?

Survival of the fittest

[melvo]

The "success" of viruses and worms so far have been characterised by their ability to reproduce. This bears some resemblance to their genetic counterparts.

Perhaps the next phase will be a virus or worm that follows genetic theory. The genetic features that would have to be modelled would be:

1) it is considered beneficial
2) it can reproduce
3) it can mutate

The successful entities would then survive, and the unsucessful mutations would die out. Survival of the fittest?

which brings up another question...

[zogger]

... well, to me anyway because I just don't know. There are a lot of distros out there, including all the various "live" versions, and various ways to install. I am wondering, is there such a beast as a no brainer, one click to install Linux distro that works over the internet and would seamlessly replace a users windows install with a working and safe while downloading and installing linux distro? I mean, a windows user (or another linux user, whatever) clicks on a webpage link and off she goes? With broadband now, it's common to downloand an ISO and burn it, I was just wondering if there was a distro that was designed from the ground up to eliminate that intermediary step. Say someone had finally just had it with windows problems, just said to heck with it, just replace this whole mess with something else, etc. Click, download, install, as easy as a normal app? I know there are "network" installs, but those are usually targeted at corporations where a lot of PCs are on the LAN, etc, I mean one for joe raw beginner newbie home user surfer.

Creeper and Reaper

[tepples]

In the 1970s [google.com], Creeper was the first Internet worm, which spread among computers running the Tenex OS. Reaper, the second Internet worm, was sent to destroy copies of Creeper.

Patching not posible... or not always...

[nereid666]

If the administrator is not absolutely dumb, the .php file must be not owned by the same user that runs the webserver. Then teh worm can not patch the file with the vulnerability.
I wish to know more details about how the Anti-Santy patch is done. Any URL?
A self-spreading worm it is always dangerous, another aproach, doubthly legal byut more polite is the strike back philosophy. If someone attacks you then strike back and patch them (and install other strike back worm). With this technic the infection could be reduced without increase the bandwith for all the internet.

Good Worms Bad Worms. When can we QOS these things

[human bean]

If you cannot stop people from doing dumb things and running systems that are open to this sort of abuse, then at least they could be nice enough to not bother the rest of us.

I need a router/switch/filter that recognises worm/virus traffic for what it is and sets QOS down (or out) on such traffic. Better yet, I want my internet provider to have one. So the neighbor next door's got twelve sessions of Butt Trumpet running on his PC and more broadband in Mbps than he has brain cells to rub together, doesn't mean the pipes I use outta here need to be effected.

Niceties would be an ability to recognise interactive traffic and flag it for regular service. Not an original idea, by the by, was first mentioned in sf by John Brunner some years back.

Another project I will never get round to.

This is the end of the rant. We now return you to your regularly scheduled /. programming. Had this been of actual importance, you would have been instructed where to browse for further news and information. This is only a rant.

Re:White Worms

[spectre_240sx]

You raise an interesting point. Maybe these white knight worms should be looked at in the perspective of systems being patched to slow down the worms progress and protect the rest of the internet rather than systems being patched to protect the administrator of that specific system. If an administrator becomes lazy and that causes grief to other admins, maybe this is deserved. It seems a lot like an ISP disconnecting a user for having a virus on there system, however a little more invasive.