Security

Kraken Infiltration Revives "Friendly Worm" Debate 240

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

  • by dreamchaser ( 49529 ) on Tuesday April 29, 2008 @08:13AM (#23236500) Homepage Journal
    " is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.
  • by llamalad ( 12917 ) on Tuesday April 29, 2008 @08:13AM (#23236502)
    What kind of idiot would have a Windows box controlling a heart monitor?
  • For goodness sakes.

    Don't tell anyone!!!

    All the lawyers in the world will converge on you if you do.

  • Pft (Score:1, Insightful)

    by Anonymous Coward on Tuesday April 29, 2008 @08:16AM (#23236538)
    What do you think -- is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

    If someone's heart monitor software is part of a botnet, they are screwed anyway or could be any second, so I say go for it. :)
  • DUH! (Score:3, Insightful)

    by zappepcs ( 820751 ) on Tuesday April 29, 2008 @08:18AM (#23236552) Journal
    If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

    Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

    Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

    There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

    Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

    If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.
  • by Tom ( 822 ) on Tuesday April 29, 2008 @08:19AM (#23236558) Homepage Journal

    (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)
    That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

    There is still the "messing with other people's computer" issue, of course.
  • by mlwmohawk ( 801821 ) on Tuesday April 29, 2008 @08:31AM (#23236626)
    I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

    Well, maybe not the primary machine, that may be true, but there are monitor "stations" on the patient floor at the nurses' desk area that run networked Windows using monitor applications to display heart data.
  • by Ice Tiger ( 10883 ) on Tuesday April 29, 2008 @08:32AM (#23236638)
    As with many changes in technology, the law is far behind. In this case they would fall foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

    Botnets also span more than one country so maybe this needs to be international law.
  • by glindsey ( 73730 ) on Tuesday April 29, 2008 @08:34AM (#23236662)

    is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"
    I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.
  • by pipatron ( 966506 ) <pipatron@gmail.com> on Tuesday April 29, 2008 @08:43AM (#23236736) Homepage

    And what happens to the patient if one of these goes down because of a virus?

    Nothing. Absolutely nothing.

  • by mrboyd ( 1211932 ) on Tuesday April 29, 2008 @08:43AM (#23236740)
    We have this law in my country where if you can help someone who is in danger without risking to harm yourself you may get legal trouble.

    I am pretty sure that a good lawyer could twist it enough to sue those researchers because they DID not kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a subversion committer account and fix it themselves.

    I can almost see how the patriot act could apply here. I think those guys could be arrested for helping the terrorist(tm) by the friendly bunch at homeland security.

    If you can kill the botnet please do it. Me and a million others will drop a donation in your paypal account to cover your legal fees.
  • by Forge ( 2456 ) <kevinforge@@@gmail...com> on Tuesday April 29, 2008 @08:56AM (#23236838) Homepage Journal
    A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

    Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the water supply or by pumping it into the air.

    I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

    Or let's come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to choose whether he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

    Doesn't the same apply to a botnet member oblivious to its own condition spewing its infection, Spam and lord knows what else onto other computers?

    Kevin.
  • by CvD ( 94050 ) on Tuesday April 29, 2008 @08:57AM (#23236840) Homepage Journal
    I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

    I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).
  • by MMC Monster ( 602931 ) on Tuesday April 29, 2008 @09:12AM (#23236966)
    If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

    There is no way I would think it was legit.
  • by azgard ( 461476 ) on Tuesday April 29, 2008 @09:29AM (#23237124)
    I would argue, by analogy, that it should be done, ie. the computer participating in a botnet should be patched.

    Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door opened and broken. Should you fix the neighbor's door, or leave it open for anyone to enter?

    The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of legal enforcement (if it's in your country; patching a computer in another country should be supervised by their legal enforcement).
  • by irenaeous ( 898337 ) on Tuesday April 29, 2008 @02:17PM (#23241632) Journal

    Why?

    Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that some type of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

    There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

    That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.

    Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

    Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?
