Slate On Worms That Plug Security Holes 417

gwernol writes "Slate has a well-written article on 'white knight' worms like Nachi that attempt to automatically patch security holes; Nachi tries to patch the hole that MyDoom exploits. The article calls for Google and others to incent White Hat programmers to create better White Knights. But are 'good viruses' really a good idea? Nachi created almost as much bandwidth congestion as MyDoom. Do we really want programs jumping onto our systems and 'fixing' them without permission? What about a socially engineered worm that claims to be doing good?"
  • No. (Score:2, Insightful)

    by mirko ( 198274 )
    But are 'good viruses' really a good idea?

    No.
    These could be Trojans.
    If I give you some worm that's supposed to cure another but which in fact is another one...
    No.
    • Re:No. (Score:2, Interesting)

      by munter ( 619803 )
      I agree. There's a fine line between a white worm and black worm. Before you know it, worms will be the next ICBM, with people seizing the transport to change the payload. Bad bad bad.
    • Re:No. (Score:2, Insightful)

      by mwvdlee ( 775178 )
      If it were a Trojan, it wouldn't be a "good virus" anymore :) It isn't about worms purporting to be good, it's about worms that are actually trying to do some good.

      I'd prefer that no worms existed at all, but given the choice I'd much rather have my idiot neighbor open a good virus than a bad one; there's going to be wasted bandwidth either way, but at least the good virus could stop some waste in the future.
      • Re:No. (Score:2, Funny)

        by Anonymous Coward
        Remember, surf without rhythm and you won't attract the worm.
    • Re:No. (Score:3, Insightful)

      by tallman68 ( 586637 )
      Nachi was the last worm to actually have a noticeable impact on our network. MyDoom hardly affected us at all. We don't care what your intentions are, worms are bad.

      Is there such a thing as "good SPAM" or "good junk mail?" Aren't they just all an unneeded drain on our resources? Same goes with these worms. When are these kids going to get it? Breaking into our networks does not help us!

      And, yes, we need to have proactive security (for the most part we do) but just because we have an opening is not an inv
  • One bad idea (Score:5, Insightful)

    by gowen ( 141411 ) <gwowen@gmail.com> on Wednesday July 28, 2004 @06:49AM (#9820154) Homepage Journal
    It could even launch warnings on the user's screen for a few days ("Hey dummy! Click here to protect yourself!")
    Gee. That's a fine way to train users to just click "OK" on every dialogue box they see. And we all know what a great idea that is....
  • by JanMark ( 547992 ) on Wednesday July 28, 2004 @06:49AM (#9820156) Homepage
    Next thing in line: an automatic spyware remover. Followed by: an automatic licence checker. And in true 1984 style: an automatic open source software remover.
  • by Sun Tzu ( 41522 ) on Wednesday July 28, 2004 @06:50AM (#9820160) Homepage Journal
    ...on the problems with beneficial computer viruses [librenix.com].
    • by Tony-A ( 29931 ) on Wednesday July 28, 2004 @08:23AM (#9820556)
      "how would a good virus tell another good virus from a bad one?"

      Easy. They're all bad, including the good.

      It might be justified if "enough is enough!", but if you have to ask, it is never justified. It might be good at the moment, but once the moment is past, it is a bad virus.
    • by Corpus_Callosum ( 617295 ) on Wednesday July 28, 2004 @08:55AM (#9820740) Homepage
      Think of the net as a big organism. We have invading viruses and worms [and other nasties], but no real immune system to speak of...

      While there are certain to be real dilemmas and dragons here, it seems that exploring the idea of white worms and whatnot is a good idea; after all, is there any other solution for the systems that are not managed? However, white worms should have oversight (e.g. registered source code to some oversight body, managed release into the wilderness, etc.) somewhat akin to oversight for the immune system in an organism.

      When in doubt, consult how nature does it - the more complex our systems become, the more similar our solutions look to nature's. Very intriguing.
  • by asdavis ( 24671 ) on Wednesday July 28, 2004 @06:51AM (#9820161) Homepage
    Nachi took advantage of a RPC/DCOM vuln, a WEBDav vuln or a Blaster infected system. It had nothing to do with MyDoom.
    • by dalamarian ( 741404 ) on Wednesday July 28, 2004 @07:09AM (#9820228)
      I am not sure if Nachi was re-released, but it did also try to take down older versions of MyDoom (A and B). Not surprised if it was released as a new version.
      ******** From Symantec **********

      W32.Welchia.B.Worm is a variant of W32.Welchia.Worm. If the version of the operating system of the infected machine is Chinese (Simplified), Chinese (Traditional), Korean, or English, the worm will attempt to download the Microsoft Workstation Service Buffer Overrun and Microsoft Messenger Service Buffer Overrun patches from the Microsoft® Windows Update Web site, install it, and then restart the computer.

      The worm also attempts to remove the W32.Mydoom.A@mm and W32.Mydoom.B@mm worms.

      Also Known As: W32/Nachi.worm.b [McAfee], W32/Nachi-B [Sophos], Win32.Nachi.B [Computer Associates], WORM_NACHI.B [Trend],

  • Probably.. (Score:5, Interesting)

    by manavendra ( 688020 ) on Wednesday July 28, 2004 @06:51AM (#9820165) Homepage Journal
    for most users, who experience bewildering slowdown of the internet connectivity, or the intranet access, which mysteriously disappears after a few days - for them, such "White Knights" may probably be useful. For grannies, gramps and other naive users it would be a blessing.

    For others, who have mission critical application or other extensions on the target OS, such "White Knights" may send a shiver down the spine:

    What if it plugs a hole, but breaks something else?

    From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.
    • Re:Probably.. (Score:2, Insightful)

      by iLEZ ( 594245 )
      Also, virus writers, black or white hatted, should never do the work that every experienced sysadmin should do.
      Kind of like having robbers in charge of security in a bank.
    • Re:Probably.. (Score:5, Interesting)

      by Mr.Cookieface ( 595791 ) on Wednesday July 28, 2004 @07:16AM (#9820255)
      It would be interesting to see some trusted repair networks emerge which deliver fixes to unpatched vulnerabilities for users who want them, similar to those who maintain spammer lists. The patches could be delivered over a trusted P2P network which has as its only purpose to deliver these files and of course would use hashes to verify the integrity of the files it delivered. That way, the white worms would only travel where they are wanted and could be tested a lot better than by the lone hacker.

      The only problem is that the users who would most benefit from this type of service aren't the type to be proactive in their fight against viruses and would probably never use something like that unless it came preloaded and turned on by default and Micro$oft would never let that happen.

      Perhaps the ISPs need to take more responsibility for identifying viral network activity and block it, while notifying the end users. Something like when they go to connect to the internet, they get a page notifying them that their machine is infected and they need to call a certain phone number before they are let back on.

    • What if it plugs a hole, but breaks something else?

      If a 'good' virus manages to get onto your system without you installing it, then you are already fucked and it really doesn't matter.

      Of course no one here is going to like this idea, but as you say - it's for granny and gramps and others who aren't running firewall and antivirus software and blindly open every damn attachment they get.

      I think its a great idea - it can only 'cure' people who are at risk, and even if it does break their system, they
    • by 9Nails ( 634052 )
      If your system is a mission critical one, you should be running a firewall and anti-virus to begin with. You should also stay on top of software updates. This is standard computing in my book.

      There is no excuse for Corporate security exploits. Unless the corporation just doesn't care about its computing.
      • There is no excuse for Corporate security exploits. Unless the corporation just doesn't care about its computing

        I think the above statement was made in good faith and with good intentions. We all *know* that corporations should have the best resources - best admins, latest patches to all the workstations/hosts in the network, best firewalls, etc. We all *know* that these corporations should also have a well documented policy to watch out for new threats - viral or security.

        Now, how many times have

    • From what I have seen, such socialist stuff doesn't really go down well with corporations. They don't give away things for free, and they don't expect anything given to them for free.

      What is "socialist" about a worm (white knight or otherwise)? Trespassing on a computer system has nothing whatsoever to do with economic theory, be it capitalist, socialist, communist, corporatist, or what have you.

      Or are you one of these ignorant ideologues that equates socialism with "something bad" irrespective of the con
      • What is "socialist" about a worm (white knight or otherwise)?

        Plenty.

        Socialism [reference.com]

        So"cial*ism\, n. [Cf. F. socialisme.] A theory or system of social reform which contemplates a complete reconstruction of society, with a more just and equitable distribution of property and labor. In popular usage, the term is often employed to indicate any lawless, revolutionary social scheme. See Communism, Fourierism, Saint-Simonianism, forms of socialism.

        [Socialism] was first applied in England to Owen's theory of

  • by singleantler ( 212067 ) on Wednesday July 28, 2004 @06:51AM (#9820166) Homepage Journal
    If White Knight viruses become common there will be viruses designed to attack them as well; it's just making an extra battleground. This has happened with anti-adware products - many of the new trojans and viruses try to stop software like Ad-Aware working.

    The answer is to have a secure system, as that's not happening in the Windows world at the moment, then frequent patches to plug the holes and a way to encourage everyone who uses Windows on the net to download them is the way to go, as is installing more secure software (e.g. Firefox rather than Internet Explorer.)
    • The problem with patches (and this goes for the linux world as well) is that people who don't have DSL are stuffed - how am I going to convince my dad to download all 70 meg of WinXP-SP2 over his pay-per-minute 56k dialup?

      (and no, "White Knight" viruses are not the answer)

      If ISPs start taking a hard line against exploits instead of ignoring them then people might pay more attention - it's not rocket science for the ISP to detect the signatures of worms scanning the network and automatically pull the plug on anyone compromised. I favor an "internet rating" system in the same way you get a "credit rating" - if you're shown to repeatedly get compromised then it's clear you can't run a secure system and no ISP should allow you full unrestricted internet access.

      I'd also like network-connected software you pay for (e.g. Windows) to come with free updates _on CD_ for a reasonable life of the product instead of requiring you to download it. If my car has a fault (e.g. the brakes don't work under some conditions) then the manufacturer writes to me and fixes it at their own expense - they don't quietly put a notice up somewhere out of the way saying that if I want to I can send off for the replacement part and then wait for the media to actually publicise it after a few people crash coz their brakes didn't work.

      Before anyone complains, the whole on-CD updates idea wouldn't apply to free linux downloads like Fedora since you're not paying for it in the first place, but quite rightly it should apply to stuff you do pay for like RedHat Enterprise, etc.
      • You know that whole dial-up patch thing is really annoying. If you pay per-minute charges you are not going to be online long enough for a trojan or DDOS to do much harm to you or anyone else from you.

        Dial-up users should patch, but they can wait, because the amount of damage they can cause is extremely limited.

        It is those DSL and cable modems from which the bulk of the problems come. Those people can and should download those 70-250 meg patches to update Windows. The bulk of virus problems wil
        • You know that whole dial-up patch thing is really annoying. If you pay per-minute charges you are not going to be online long enough for a trojan or DDOS to do much harm to you or anyone else from you.

          Wrong - admittedly I don't use Windows, but a few years ago my old RedHat 6 box got compromised over a pay-per-minute 33k6 dialup (ok, I admit it, I had been lazy and not kept it up to date). A few weeks ago one of my colleagues did a fresh XP install, forgot to enable the firewall and he was virussed wi
      • I favor an "internet rating" system in the same way you get a "credit rating"

        Nifty idea. Which billionaire, who holds controlling market shares in major technology and communications companies, would you like your politicians to put in charge of this inherently incorruptible system?
        • Nifty idea. Which billionaire, who holds controlling market shares in major technology and communications companies, would you like your politicians to put in charge of this inherently incorruptible system?

          I don't understand why this is any more of a problem and any more corruptible than the current "credit rating" system (and a bad credit rating could screw your life a lot more than a bad "internet rating").

          The ISPs can work together to form a single database, and in the long run this will save them mon
  • by Anonymous Coward on Wednesday July 28, 2004 @06:52AM (#9820168)
    It's like somebody is stealing your bike just to take it for a service.

    Would you like that?
  • A "White Knight" worm can establish a positive compounded-interest "plugging" of potential holes, i.e. for each system plugged it can, if coded correctly, decrement the number of systems it evaluates. A good system would be to create a temporary "white list" of plugged systems which a pro-worm could ignore, as it had already visited that system and plugged it.

    Given this assumption, a white knight worm would have a heavy impact initially but after the first day would drop off dramatically in an exponential ma
  • by rebeka thomas ( 673264 ) on Wednesday July 28, 2004 @06:52AM (#9820170)
    No. My reasoning is that a trojan, no matter how it modifies a system, has a chance of fucking it up.

    Even valid updates from manufacturers have the odd really bad messup. Making a service crash, modifying a config file so it doesn't work, causing unexpected behaviour.

    To give support to those writing such whiteknight worms gives support to any anonymous coder who might wish to fix a problem, with no concept of testing things on a system other than their own or a few others belonging to a "friend of a friend".
    • Sir, your system was fucked in the first place, that's why it's being modified.

      It's a bit like the dentist giving you a filling because your teeth are fucked, and will get more and more fucked until the hole is patched.

      It would be nice if you could see the source code so that you know nothing else is going to be affected, but then it would also be nice if the dentist told you that the filling contained heavy-metals :-
      • Source code? Not relevant.

        If you can read and understand the source code, odds are you are closer to not needing it at all. Much like the heavy-metals in fillings. If you already know they are there, then you know they are an insignificant threat.
    • Push vs Pull (Score:5, Insightful)

      by gad_zuki! ( 70830 ) on Wednesday July 28, 2004 @07:55AM (#9820392)
      I don't want to see any "friendly trojans" but a while ago someone wrote a very neat java app which acted like an IIS server, listened for attacks, and used the exploit from the exploited to send the infected party a "net send localhost YOUVE GOT A VIRUS!!" message or something to that effect. What was that worm called? Red Alert? I think the software was called red alert vigilante or somesuch.

      Anyway, I should have the right to take attackers and use their own exploit to inform them about their situation. A real world comparison would be me finding a trespasser and instead of just kicking them out, telling them they are doing wrong and then kicking them out.

      Granted, this kind of vigilante action can be seen as, say, tracking down the trespasser and going on his property to yell at him. I guess this is where the analogy breaks down, but it's a good concept and doesn't waste bandwidth like the "friendly trojan" shotgun approach.

      This would only work with worms with machines with open firewalls, but it sure beats nothing.
    • I DO think automatic, "valid" updates can be considered as viruses in the effect they may have. They can actually halt a production system. This is real life experience: I have seen network emulation updates and source code control systems updates fucking up production. More than once. No kidding: even anti-virus updates broke the prod for some dlls incompatible with XYZ. Isn't it a nightmare? The anti-virus stuff becomes a virus!

      The point is, in production you are assumed to know what's on your box. Anyth

    • Some trojans might not be written securely and might perhaps be prone to buffer overflows.

      So if the trojan tries to attack your machine and you subvert it and shutdown the server, wouldn't that be self-defense or "citizen's arrest"?
  • you mean like windows autoupdater???

    why do you think a lot of these don't run outside a broadband connected home??? prob 'cos of change management within companies so they turn it off, but then they don't have a decent test/patch system to replace it...

    of course that assumes the patch doesn't break your favourite application.

    Again the problem isn't so much patching the holes (which is a problem with any piece of software) as the massive *monoculture* (sorry, market dominance) of Windows and its security issues t
    • of course that assumes the patch doesn't break your favourite application.

      I think patching systems need a "rollback" ability so if a specific patch breaks something it should be easy to undo the fix (at least temporarily until someone fixes the patch).
      • Most do and work well.

        Not sure about ones from Redmond..XP's got save points I guess, which helps.

        But given the amount of messing with your system a windows patch can do (registry mods etc) I guess it's non-trivial (like most things Windows admin), hence the many years before XP's save points arrived.
  • Anti-virus programs like Norton AV, McAfee etc. would still block these intelligent programs. They are still viruses, are they not?
  • Illegal (Score:2, Informative)

    by vi (editor) ( 791442 )
    One should note that a "white knight" worm is illegal like a "bad" worm and would fall under the same criminal charges. And the author would have to pay civil damages as the worm consumes bandwidth. The affected party might even argue that such a worm requires a complete security check-up with reinstalls etc. as the source of the worm can't be trusted.
    A white knight worm author would end up with the same civil damages to pay, only gaining perhaps a small reduction of the criminal charges.
  • No, no, and no. (Score:2, Insightful)

    by mercan01 ( 458876 )
    "White Knights" are a horrible idea. They're a horrible idea for the very same reasons letting MS automatically push updates onto your computer without your knowledge or permission is a bad idea.

    It's not for someone who "knows better" to decide for me how to "Secure" my computer. What happens if one of these virus-like apps (either from MS or a third party) "patches" my server with my multi-million dollar application system and somehow breaks it, as unintentional as it may be?

    If these hackers want to do g
  • So-called "white worms" have the habit of installing their own backdoors (e.g. like Nachi). In many cases, they only fix the vulnerability to gain a stronger foothold in the system and prevent others from taking them away.

    Other than that, the usual rule applies: The difference between a criminal and a security expert is written permission!
  • Whoever tries to muck around other people's computers should be prosecuted and punished. Not doing any damage? I don't care. What's next - random passers by jumping through my window to turn off the light I left on when I went out?
  • Wrong approach (Score:2, Insightful)

    by vandan ( 151516 )
    I really am sick of viruses.
    Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers.

    Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation.

    If I were writing a worm, however, I'd take a different approach. I'd make it spread quietly, and then destroy the Windows install completely 1 day after infection. The whole fucking lot. People who get viruses a
    • Linux has its fair share of worms too [google.com], and if you move the same 'stupid' Windows users over to Linux they're still going to be stupid, and you're still going to get worms and trojans and spyware, though more will be at user not system level, since it's harder to elevate privileges on a Unix box than a Windows one.
      • not only that, the OP will get requests from friends and family on how to use the system he's installed for them.
      • though more will be at user not system level, since it's harder to elevate privileges on a Unix box than a Windows one.

        "In order to install your FREE BonzaiCometCursorBuddyWeatherUpdatesTool, please enter your 'root' password in the box below and click 'next'. (Your 'root' password is the one you use to install programs and perform system configuration tasks)"

        That, or you'll simply see people running as root all the time, just as they run as admin under Windows. Since 2k at least it's been perfectly pos
    • redirect all web browser requests to this page [albinoblacksheep.com]
    • by Photo_Nut ( 676334 ) on Wednesday July 28, 2004 @08:09AM (#9820464)
      The parent poster writes:
      "I really am sick of viruses. Being an IT professional, I get on average 1 request per week to remove viruses / spyware / browser hijacks etc from people's computers."

      Welcome to the IT club. So far, you aren't sounding special.

      "Recently I started turning them down, but offer to install Linux on their computer instead of trying to fix their Windows installation."

      I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera. How do I get my pictures and video into the computer? Oh, and I bought a new printer, too. I want to print my new pictures with my new printer. Oh, oh, and my cellphone has this cool service where I can download ringtones... I want to do that, too. I need to do XYZ with some application I use for XYZ. How do I get it on my Linux PC?" Face it. Linux is still a second-class citizen in the desktop market. Having one or two category apps isn't the same thing as having 99% of the market.

      "If I were writing a worm, ..."

      Then I would hope that you got caught and spent a few years in jail to think about it, and have it on your record for the rest of your life. Maybe you'll be branded as a terrorist! Talking about writing worms doesn't get you my respect. Even hypothetically. It has been done before. It has been discussed to death before. There were viruses that damaged your equipment. There were other viruses that repartitioned your hard drive. Plenty of worms can do these things.

      "ALL computer users should take reasonable steps to keep their computers secure. ALL computer users who don't take these steps should have their hard disks wiped clean."

      A) What are reasonable steps?

      B) What is secure? If I get an email from "you" telling me to run the attached security update to my computer, and don't know any better, and I run it, and it is an emailing worm, then I am now hosed. Worms do this all the time. Do I blame you because I thought I could trust you, or do I blame the worm author who masqueraded as you through their program.

      If some application I download to do X has a bug that's exploited and does Y, and I don't know it, is it my fault?

      C) Your statements are quite harsh. Have you ever had your hard disks wiped clean with all of your hard work on them? Your statement is akin to saying, "People who get diseases should be shot. That'll teach 'em to get sick!"

      I can't believe your post was modded insightful. Flamebait, yes. Insightful, no.
      • > Being an IT professional, ... install linux

        I hope you like supporting that Linux install... And like fielding questions like: "I just bought a brand new digital camera.


        Er, I may be slow, but I fail to see how the grandparent poster's users, in a professional environment, could justify the need of fancy stuff like digital cameras or downloading ringtones, or installing printers themselves. If there's an IT professional where he works, it is most probably in an environment big enough so that users
    • > Being an IT professional, I get on average 1 request per week
      > to remove viruses / spyware / browser hijacks etc from people's computers

      Well you're not a very good IT professional then are you because I don't get any. Ever.

      > Recently I started turning them down, but offer to install Linux
      > on their computer instead of trying to fix their Window installation.

      Most good IT professionals would have installed virus scanners and firewalls so their users couldn't get a virus! You've got to have a
      • "Well you're not a very good IT professional then are you because I don't get any. Ever."

        Maybe people are asking others for help instead of you?

        It seems inevitable that people will get viruses somehow. There are users who are so thick that they'd try to open an encrypted zip file, enter the password (an image) and _run_ the executable. Gack.

        I bet if Linux was dominant the same idiots would be doing tar ./configure, make...

        Worse- think of the damage obfuscated polymorphic perl scripts could do. I wonder
  • "What about a socially engineered worm that claims to be doing good?"

    That would be called a "Virus".

    Bleh. To be honest though, I don't see a whole lot of difference between a "good" worm and "good" bacteria. Your hands, skin, blood, etc, already have millions of bacteria feeding off your system. They assist in choking out the "bad" organisms. Eh... poor analogy, but what do you want for 6am?

  • Just because other people are too dumb to open attachments with the topic 'if you open this attachment, Bill Gates will send you a million bucks !', doesn't mean my connection should get bogged with worms trying to 'patch' my machine.

    I take care of that myself, thankyouverymuch...

  • Although they only hold 93% of the market last I checked (96% according to some sources), 99.999999999999999% of viruses only affect windows, and/or Microsoft applications. Between fingers and toes (haven't tried honestly) you might just manage to count all the viruses which have affected OTHER platforms combined throughout history... and you don't need any digits to count the number that affect other platforms NOW.

    So obvious answer, rape, pillage and murder anywhere you see a windows box. You will see a d
  • by minus9 ( 106327 ) on Wednesday July 28, 2004 @07:03AM (#9820216) Homepage

    Blaster had very little impact on our network. Nachi on the other hand caused absolute bloody chaos.
    There is absolutely nothing "white hat" about running code on someone elses machine without their permission.

    • I'd have no problem if the worm was reactive and not proactive.

      In other words, the author puts the worm on his machine and waits to be attacked... his good worm detects an intrusion attempt by the bad worm, and spreads to the attacking machine - both disabling the bad worm and installing itself in place, waiting for another intrusion attempt.

      In this way, you don't get madly multiplying traffic - you get a response to every attack.

      As far as I'm concerned, anybody who's computer tries to subvert mine is fa
  • The white worm needs to be passive; a compromised system will try and attack other systems - all the "good" virus has to do is wait for an attack. When an attack occurs, our "good" virus has the IP of a compromised machine on which to mount a counterattack/patch.

    The white worm should also uninstall itself after a predetermined length of time, say 10 days.

    I understand the concern people have about auto-patching, however I am certain that none of those people would put themselves into a situation where t
  • by sejanus ( 18670 ) on Wednesday July 28, 2004 @07:07AM (#9820224) Homepage
    I'm a network engineer at a reasonable size isp.

    These bloody worms caused us so much bother; our customer-terminating (ethernet) routers (Cisco 7206 NPE300 VXRs) really suffered CPU-wise against these because the ethernet based services are process switched, unlike ATM/POS etc., unfortunately. And the netflow accounting tables were just out of control.

    AND the old legacy routers we have that still ran snmp based ip accounting, the cpu on them went ballistic. It was a big pain in the butt and took a lot of stuffing around to fix/block etc.

    Unfortunately just blocking the traffic doesn't help, as you have to receive the traffic in order to block it, so I was dumping netflow tables and getting the support guys to call infected customers. Many hours of work just because some little shit script kiddie/newbie programmer thought it'd be funny.

    On the bright side though, it prompted management to give me a lot of money to get some more grunty gear, so we are now better prepared for the next time it happens, and I'm sure it will.

  • ... if Windows had an "update required" icon as used by Red Hat Linux/Fedora Core (and others). To me, this seems to be the optimum solution. It's not updating files without your knowledge (Windows Update), and you are informed at every stage of the process as to what changes are taking place.

    The only way this could be made any simpler is if you had a happy face for a system with all updates installed, an unhappy face when there were new updates available, and an angry face when no updates had been made
  • What about a worm that points out that the computer has been infected and tells the user where to find a cure for the infection?
  • I do not want anything going around the network trying to do automatic patching, thank you very much. I'd much rather see ISPs mandated to remove machines from the network which are originating virus-laden emails, and a more aggressive approach to denying all access to ISPs that don't control the problem.

    In the physical world, you may be a common carrier but you are not exempt from all control over the things you carry. The US post office is not _allowed_ to carry letters full of anthrax without regard to t

  • As a programmer responsible for production systems I don't want ANY untested programs on my (our) systems. We even (especially) test MS security patches to make sure that they don't break any functioning software systems.
  • Jesus Christ! (Score:2, Informative)

    by Slur ( 61510 )
    Dump Microsoft and be done with it. Linux, Unix, and Mac are all viable now, and far more modern than anything Microsoft has going. There is no compelling reason to stick with MS for any reason any more. Seriously, they're really stuck, and they have only themselves to blame.

    Don't get me wrong. I like the drama of a vulnerable platform as much as anyone. But I prefer to enjoy it from afar. That's why
    I stick with Mac and Unix.

    On the other hand, there is the cynical satisfaction of watching stupid people bu
    • How would that help? Linux isn't significantly more secure than Windows.

      Remember- there were tons of worms which required victims to type in passwords to open encrypted zip files and then run the executables. AND tons of DUMMIES did, I even recall a columnist saying he was tempted to do it even though he knew he shouldn't.

      They were exploiting vulnerabilities and security issues in HUMANS not Windows.

      The same HUMANS would run an obfuscated polymorphic perl script from a stranger that did indeterminable th
  • by Lord Grey ( 463613 ) * on Wednesday July 28, 2004 @07:21AM (#9820272)
    There are pros and cons to having 'good worms' patch systems. For most Slashdot readers, it's probably not a good thing. We tend to pay attention to patches, what our systems are doing (so as to detect strange activity), etc. But as others have pointed out, such a worm might not be a bad thing for the non-tech computer users.

    What about a subscription-type system for such a service? I can imagine a variant of the virus definitions auto-update that does this. It wouldn't be kicked off by the user's computer, as it could be disabled by the Blaster-style worm, but would rather be initiated by a remote server. Next time a 'bad worm' spreads across the Internet, the service releases the 'good worm' to patch its customers' systems. My mom would probably appreciate something like that.

  • Of course we want control of our machines and would object to anything running on them. That's why WE protect and patch them regularly, RIGHT?

    NO... this is for those Joe Sixpacks, grandmas and - worst of all - the selfish dumbasses who don't know OR CARE if their machine on their spanking new broadband connection is fouling the net for the rest of us.

    If ISPs don't employ some kind of active blocking, then the combination of the world's most used OS (STILL having gaping holes) + users who'll open any attachmen
  • by sheriff_p ( 138609 ) on Wednesday July 28, 2004 @07:30AM (#9820301)
    The definitive (and about ten-year-old) paper on this is:

    http://www.virusbtn.com/old/OtherPapers/GoodVir/ [virusbtn.com]

    Well worth a read if you've not seen it before
  • Installing something on someone's computer without their consent is wrong and there are no exceptions to that rule.

    My computer is my property. You have no right to modify or tamper with my property in any way, even if you think it's for a good cause. Just like you have no right to bust in the windows on my house and install properly working smoke detectors.

    Not only that, I've seen a few posters point out the obvious bandwidth suckage issues associated with "good" worms.
  • by mukund ( 163654 )
    Will it install Linux?
  • 1989 called. They want their topic back.

    Long ago, long before the World Wide Web existed, people were debating the pros and cons of a "good virus". Is there such a thing as a good virus? Is it a good idea to even try to write a good virus?

    Ultimately the answer is no. People don't want programs running on their computers, multiplying and spreading thru a network without their knowledge or consent, even if it's supposedly doing something "good".
  • by I don't want to spen ( 638810 ) on Wednesday July 28, 2004 @08:01AM (#9820420) Journal
    From Dr. Worm [lyricsdepot.com]

    I'm not a real doctor but I am a real worm

  • by stromthurman ( 588355 ) on Wednesday July 28, 2004 @08:06AM (#9820446)
    Bruce Schneier touched on this very subject in his September 2003 cryptogram in response to Nachi (or Blast.D), you can find his original article in the cryptogram archives [schneier.com].

    Automatically installing code on a user's system without their consent is never a good idea. Virally propagated code, no matter the intent, still generates network traffic; just because the payload is different doesn't mean the virus/worm/whathaveyou isn't adding to the problem of congested networks. And as someone else pointed out, even if the 'white hat' programmer has good intentions, that doesn't mean they won't make mistakes in their code which could have adverse effects on the systems they are attempting to patch.

    While I don't think users should have to directly interface with security protocols/techniques, I do think they should be aware of them. If they are made fully aware of the damages that can be done to them, they're more likely to patch, or back away from the internet in fear; either way, there is a reduction in exploitable hosts.
  • No matter how you slice it, it's still code executing on your computer without your permission, and that's a virus.

    As a usually security-minded person, I do what I can to keep my system up to date and to keep any non-requested traffic off my network. So.. most of these "white knight" viruses won't even get to my computer. I'm sure most /. readers fall into this category as well.

    As for the general public, These could be used for good.. but there is much more potential for evil, as is usual with situations
  • We live in the real world, where most users won't patch their systems even if Armageddon depends on it. They are just clueless. And it is a social problem. But let's leave that. In reality, we would like to have fewer exploited Windows boxes on the Internet, right? Even if you are a Linux/BSD/Mac user/admin, you should wish for that, because fewer exploited Windows boxes => fewer DoS attacks, less spam (certainly), less talking about dying e-mail, etc. So overall, if they are made properly, "white knight" virus
  • by Organic_Info ( 208739 ) on Wednesday July 28, 2004 @08:22AM (#9820544)
    Well, we keep seeing the "white virus" explained as a computer/network immune system. Well ok, let's consider this for a second or two: my immune system is restricted to my body, my phagocytes don't go invading other people in a bid to help them out.

    So the same should be applied to the software immune system; after all, nature knows its shit better than we do.
  • user edumacation (Score:3, Informative)

    by Mickey Jameson ( 3209 ) on Wednesday July 28, 2004 @08:23AM (#9820555)
    This crap will be around forever, and the main problem is user education. I tell all 150 of my users twice a month to make sure their systems are up to date, and nearly 300 times a month I get the proverbial "yeah, yeah." It is not my job to patch their systems. That's another guy's job, who doesn't do his job. I put out reminders because of this.

    So when we got hit by Nachi, I tracked down the weak link. It was our Netware admin, who deliberately went around my firewall so he could peruse porn, logged into his dialup ISP, checked his personal POP mail at said dialup ISP, and within minutes, bam. Nachi in the house. Of course, this wouldn't have been a problem if he (and the 2 dozen other users that got hit because of him) had kept their systems up to date.

    I was found to be to blame for this, despite the fact that there was absolutely nothing I could do about it, since he bypassed my security. After a week of TRYING to explain to management why it happened, that nobody should bypass security and so on, I took a long hard look at the incident.

    While Nachi was good in concept, it had fatal programming errors in it that caused it to be more harmful than Blaster. We all know this. I chalk it up to a learning experience - whoever wrote Nachi definitely learned from this. Too bad there weren't any real variants of Nachi. Yes, I'm serious. However, people actually learned from Nachi. Three weeks after Nachi infections slammed into my firewall, it stopped. Nachi just went away.

    Yet I still get pounded by Codered and Nimda YEARS after information, patches, and global press about it were made highly available and easily accessible.

    Everybody bitches about spam and viruses and worms and popups, yet so few people actually do anything about it. Don't complain to me about pop-ups. Use a different browser. Refuse to "learn" a new browser? Fine. Get Google toolbar. Don't know how to check for viruses? Get AVG. Sick of spam? Fine, I'll adjust your SpamAssassin threshold.

    But people don't want to do these things. In their minds, everything should just work, and work the way they want it to work. Everybody at my company knows that we have AVG, AdAware, Spybot S&D and so on. When new software is made available, I pass it on to my users. A user came up to me last week and asked why AdAware never has any updates anymore, for like the last year. Because she disregarded my notice about the new AdAware and kept using the old.

    I have strict rules about email, and my SpamAssassin 50_scores.cf file is very, very harsh. My users have been told that some of their email contacts may be tagged as spam, and if that happens, let me know and I'll whitelist them. Not one person has asked me to whitelist anyone, yet everyone bitches behind my back that I'm a lousy admin because *I* somehow personally tagged their email as spam. Even the president asked me to remove all graphic/audio/video attachments, so I complied. Yet he complains that he can no longer get pictures and other non-work-related material through email.

    It's an endless cycle. No appreciation for jobs well done. This is why I actually welcome such attempts to clean up the filth on the 'net. I originally despised Nachi. I now praise it.

    As long as the end user refuses to heed educational advice about how dangerous the Internet is, the Internet needs vigilantism.

    Bring it on.
  • Spread, change the desktop background to "Infected" then do a shutdown.

    If it keeps happening maybe the admins/users might just figure out that something is wrong eh?

    There are people who are still running codered and nimda on their machines and are totally clueless. At least this will reduce the amount of wasted bandwidth.
  • This is not a "well written" article at all - it completely confuses network based worms like Blaster and Nachi and email viruses like MyDoom. They are not the same thing at all. A virus like MyDoom doesn't need to find a Windows security vulnerability because it targets the user rather than the computer. What's the author suggesting? Write a virus to give the users a clue?

    This is how we got hit by MyDoom - a ZIP file turns up with a message to entice the users to open it - this is just social engineering

  • Regardless of whether or not we want them to do this for us, the government in other areas has seen fit to play parent to us. Motorcyclists must wear a helmet (in some states); S.S.I. for retirement.

    With the estimated number of zombies out there, I think the bandwidth loss would be a small price to pay to secure the net even one iota.
  • Do we really want programs jumping onto our systems and 'fixing' them without permission?

    Isn't this exactly what Microsoft (and others) are proposing with integrated DRM? They already offer automated download and installation of patches without user intervention; it is a logical next step to integrate this with DRM.

    DRM seems like a big ugly hairball waiting to be compromised.
  • If the hypothetical "white knight" comes with a proper EULA for the user to click on then it's fine, even if it creates ten security holes for every one that it fixes.

    If it doesn't have an EULA then the legal industry will have a field day hanging the author from a tree and subjecting him to all sorts of cruel and unusual punishment which doesn't fit the crime.

    The key is the EULA.
  • that you can choose to run on your subnet, and choose to reboot now, not reboot, or wait until a specific time.

    ISPs should require the ability to patch systems or disconnect them from the net in the event of a virus/trojan/compromised system.

    -- Tim
  • For the love of God, somebody write a Windows virus that destroys EVERY email address harvested by Outlook so that the next round of viruses stops emailing me! :)

  • They couldn't say "if everyone stopped using Internet Explorer and Outlook Express worms and viruses would be a fraction of the problem they are", now could they?

    Sometimes I think the whole antivirus industry mostly serves as a diversionary tactic that lets companies keep shipping software with deep, fundamental security problems.
