Kraken Infiltration Revives "Friendly Worm" Debate

Anonymous Stallion writes "Two security researchers from TippingPoint (sponsor of the recent CanSecWest hacking contest) were able to infiltrate the Kraken botnet, which surpasses its predecessors in size. The researchers have published a pair of blog entries: Owning Kraken Zombies and Kraken Botnet Infiltration. They dissect the botnet and go so far as to suggest that they could cleanse it by sending an update to infected hosts. However, they stopped short of doing so. This raises the old moral dilemma about a hypothetical 'friendly worm' that issues software fixes (except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released). What do you think — is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

Had me up until the sensationalism

[dreamchaser]

" is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

Re:Had me up until the sensationalism

[somersault]

Cleary you have never been to Singapore.

Oh wait, wrong movie

Re:Had me up until the sensationalism

[morgan_greywolf]

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection.

Would that be a 'heartworm'?

Re:

[mlwmohawk]

I challenge the submitter to find one instance where a computer controlling a heart monitor has a worm infection. They are not even networked and they do not run Windows.

Well, maybe not the primary machine, that may be true, but there are monitor "stations" on the patient floor at the nurses desk area that run networked windows using monitor applications to display heart data.

Re:

[dreamchaser]

Yes, but those are not the same thing, and the primary machine still has alerts that sound (quite loudly) if something goes amiss.

Re:

[mgblst]

What an idiotic statement. I hope that you don't do any important software development. You may looks at statements above as sensationalist, but if you have ever worked in an environment where peoples lives are at risk, or even money is at risk, you will now that these are serious considerations.

Just because there are backup plans do not mean that you can wipe out the normal mechanism for nurses to monitor patients. I would suggest to you that the spam you get is a small inconvenience compared to the ehtica

Re:

[TapeCutter]

"This is beside the point that critical operations should not be run on a Windows machine at all."

I agree, critical operations should be run by a qualified surgical team.

Seriously worms bringing down heart monitors? - I agree with the OP, the hyperbole detracts from an otherwise reasonably interesting question. (To which my answer is: There is no such thing as a good worm)

Sure anything is possible and accidents do happen but AFAIK the worst incident involving computers in medicine was this famous e [vt.edu]

Re:

[seramar]

I have two things to add, one in response to your comment about the monitoring stations and the other just in general on this topic, but they tie together: 1. If a hospital is running a machine that is vulnerable to any worm, including a friendly worm, then I question their entire network/security structure in the first place and it is only a matter of time until the monitoring station goes down, anyway. 2. Friendly worms? Definitely. I am a technician/manager of a small shop and see people whose machines a

Re:

[Gerzel]

You'd be surprised I'm guessing.

Think of it this way a company probably could save a lot of money if they could run a heart monitor through a generic machine rather than a dedicated machine. Also a program running on a more generic machine setup may also be able to collect other information and send it over the net to say, a doctor's pager automatically. So there are good reasons as to why a generic machine which might be infect-able would be used.

This is not to mention the other similarly critical uses a

Vulnerable Monitoring Systems

[AioKits]

I used to work in a hospital on the IT side and the only 'monitoring' systems I can think of where this would be a problem aren't so much the ones that keep track of vitals but the ones used as the primary method of observation (think cath labs). Even then the vulnerable workstations/machines are used more for archiving and cataloging of imagery and procedure. Any real work is done on an embedded system with that particular piece of equipment. So if you have to get your heart cathed, don't worry as that

Re:

[MozeeToby]

Speaking of Windows, why not give the patch (and that's what it is really, not a worm) to Microsoft. They can code review it and adapt it to be included in the latest Windows update. They are already granted access to everyone's computer, including any mission critical ones, so that's not such an issue. And I would hope they have the expertise to update Windows machines without killing anyone.

Re:

[eyrieowl]

b/c these computers *aren't* getting updates from windows. if they had firewalls turned on and all the latest security updates, they probably wouldn't be part of the botnet to begin with. the problem is so many computers which don't have auto-update turned on *AND* don't have anyone actively managing their patch level. so...odds are microsoft already has the 'patch', but even if they didn't, it wouldn't shut down the botnet if they added it to windows update because the botnet wouldn't be updating from w

Re:

[db32]

I challenge the parent to prove any of his claims about windows and networking. Go look at medical imaging systems for example. Tons of these beasts are being controlled by things as old as Win95. They are frequently unmaintained and unpatched due to the vendor not supporting pretty much anything but their narrow little world of things. And they are most certainly networked so they can send images from place to place.

Seriously have you been sleeping? There have been numerous cases of ancient computers

Re:

[tha_mink]

They are not even networked and they do not run Windows.

Um....yes they are and yes they do. Here you go. [windowsfordevices.com] Also, here [networkworld.com] and here to a lesser degree. [microsoft.com]

Re:

[canajin56]

There was an instance where a nuclear reactor had its saftey systems disabled by the Slammer worm (or was it Code Red?) because their saftey and monitoring systems all operated on an NT4 system. And while they were not on the Internet, they had a secure T1 to a contractor, which itself was still on a secure network, but that secure network had a laptop some employee brought from HOME plugged into it! It wasn't too big of a deal since the saftey systems of course have electric and mechanical backup systems

Re:

[eonlabs]

Next, you're going to say oscilloscopes don't run windows, and that human beings only do things with the best intent for humanity in mind.

http://www.pcworld.com/article/id,143496-pg,1/article.html [pcworld.com]
http://www.programurl.com/software/heart-monitor.htm [programurl.com]

It doesn't necessarily matter that the heart monitor doesn't run windows, although there's nothing stopping someone from trying that, if a machine with that problem is in the loop. It's especially problematic if the devices themselves are at risk of hacking. Wi

Re:

[Isao]

They are not even networked and they do not run Windows.

Wow. Wrong [livedata.com] and wrong [medicompinc.com].

Re:Had me up until the sensationalism

[pipatron]

And what happens to the patient if one of these goes down because of a virus?

Nothing. Absolutely nothing.

Re:

[KlaymenDK]

And what happens to the patient if one of these goes down because of a virus?

Nothing. Absolutely nothing.

And what happens when the patient subsequently crashes (ie. fatally worsened condition)?
Nothing. Absolutely nothing.

(What should have happened is that a nurse somewhere would be made immediately aware of the problem, and would be able to call a doctor and a crash cart...)

Your turn. ;-)

Re:

[JCSoRocks]

The sort of people in danger of crashing are in the ICU. In the myriad of hospitals I've been to there's always been a nurse assigned to watch over two people at a time. She sits between their rooms, has a window into each one and can clearly hear any alarms. Not all ICUs may be like that but all of the ones I've seen have been.

What kind of idiot...

[llamalad]

What kind of idiot would have a windows box controlling a heart monitor?

Re:

[Tim C]

I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

Re:

[value_added]

I wouldn't have a problem with the machine running Windows; I'd have a problem with it being on the network at all.

Brave soul.

heart.exe application error
the instruction at 0x6a9210e5 referenced memory
at 0x6a9210e5 the required data was not placed
into memory because of an I/O error status of
0xc0000185.
To continue, type an administrator password, and then click OK.

These kinds...

[haeger]

http://www.schiller.com.au/?cat=73 [schiller.com.au]

Feel free to ask them. From my experience they build their ECG's on Windows.

.haeger

Re:

[mgblst]

The kind of idiots that work in Hospitals and IT all around the world. The kind of idiots that represent about 90% of the IT world that you and I work in. The kind of idiots who get into management positions , and feel ok with making these kind of decisions.

Re:

[rtb61]

These people really are crazy, especially when you consider the warranty/EULA that accompanies the windows OS. A warranty that basically stipulates that it is wildly unsafe for that kind of use.

Hence if there is a software failure that results in a death the full liability falls back on the hospital and the staff responsible for that software purchase and their criminally negligent willingness to use software the is clearly unfit for the purpose based upon the warranty/EULA supplied with the software.

It

Well, if you ARE going to do something like that.

[AltGrendel]

For goodness sakes.

Don't tell anyone!!!

All the lawyers in the world will converge on you if you do.

Re:Well, if you ARE going to do something like tha

[jandrese]

If only they would do the same thing to the guys writing these worms.

Re:Well, if you ARE going to do something like tha

[Arslan ibn Da'ud]

Well, if I planned to seed a worm in a botnet that would patch machines against said botnet (or crash them spectacularly, requiring reboot/patch), my reputation is on the line. I'd probably announce "This is possible", not "I'm gonna do it".

Which is precisely what they did. Hmmmmmmm...where's my tinfoil hat?

Yes, they should do it.

[LaminatorX]

This is one of those moments where something ruthless should be done for the greater good. Then ends do not always justify the means, but in this case they would.

Re:

[Tim C]

It would be illegal in many (if not all) countries. Specifically here in the UK it would almost certainly fall foul of the Computer Misuse Act.

Re:

[jimbolauski]

There's an easy work around to this, just add a popup window saying "YOUR COMPUTER HAS WORMS PRESS OK TO FIX!" The majority of the people with worms on their computers would not think twice about pressing it.

Re:

[Sique]

I am not sure about that. In this case the computer-botnetslave asks your computer-botnetinfiltrator for a specified file (the new botware), and your computer just sends the requested file. I don't know if that actually falls under the "Computer Misuse Act".

Friendly botnets would be sued.

[PMBjornerud]

As someone said last time this topic was up. White-hats deploying "friendly" botnets will never see any benefit, but potentially be sued into oblivion. In the end, you're infiltrating someone elses computer, that is illegal even if you do it for a good cause.

The people deploying "evil" botnets do so for profit. And they earn enough to cover the risks.

In short, we're not going to see many friendly botnets.

Re:

[Constantine XVI]

Simple.
Find some script kiddie, and pay him huge sums of cash to spread it for you. Works for the evil botnets

Kraken infiltration

[Daimanta]

OMG, It's a giant squid! Run for you [CARRIER LOST]

Re:

[Farmer Tim]

If I'm not mistaken, his face is a haddock [weebls-stuff.com]

Re:

[timftbf]

http://www.weebls-stuff.com/toons/magical%20trevor%204/ [weebls-stuff.com]

That is all.

risk crashing a computer

[wiredog]

controlling a heart monitor somewhere?

For FSM's sake, who thinks that heart monitors are both networked to the outside world and running Windows XP? Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.

Re:

[vtcodger]

***Any manufacturer that did so would be open to all sorts of legal trouble, assuming they could get any hospital to risk using such a thing.***

Windows hasn't been suitable for much of anything since about 1997. Does that keep people from not only using it, but paying good money to finance their descent into hell? Of course not.

Have you ever tried to explain to a dentist how to move a newly popped-up window off from on top of the window he is actually interested in while your mouth is anesthesized a

This Kraken 'bot

[smittyoneeach]

This Kraken 'bot
Oh, fear it not
The zombie slave
Needs just
Burma Shave

Re:

[Dr. Eggman]

One of the best ones I've heard yet! Thank you.

Re:

[will_die]

Nice one.
Probably the best one I have yet to see.

DUH!

[zappepcs]

If you are going to write friendly software worms, why not take a moment to figure out what the hell kind of computer you are on, and make some decisions about whether to risk it, or simply report to someone that the computer is infected?

Am I the only one that thinks this is too simple to be questioned? Friendly.... it's a word that suggests something that does no harm. If the software can't figure out if there is no risk, then it should take no action other than reporting.

Safety, it's a big issue. VW will not be sending their high tech stuff to the states next year because of litigation concerns. They are right to do so, if there is no method to ensure your product does no harm, do not deploy it. period. unless you would like to spend time in court.

There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed.

Safety first. kill bad bots second. Sort of what the US police forces are supposed to do. Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

If you're going to write anti-worm software, safety is a major concern if you are acting without the owner/user's permission. There is NO way around that without incurring litigation risk.

Re:

[couchslug]

"There have been dozens of anti-theft systems that would turn a car off after it's been stolen but due to concerns that it might do so while the car was traveling at speed on the highways, such products were never deployed."

Having the horse drop dead after its out of the barn may be nice for recovering the body, so to speak, but systems that prevent drive-away theft in the first place make much more sense, along with tracking systems to facilitate recovery.

As a mechanic, I see car after car burdened with fe

Re:

[zappepcs]

IMO the large number of recalls reflects the excessive complexity of modern vehicles. I wouldn't want remote disable on any of my vehicles.

Actually, paging networks are perfectly positioned (as are satellite networks) to send a signal to a device in your car that tells it to never start again once it is turned off. When you report your car stolen, activate that signal and it will remain (short of towing) where it is until the police find it.

The safety issues scare insurance companies and without their blessing the systems could not make anyone money. Tracking systems are good to a point, but you're right. The best is to prevent drive-away in

Re:

[Thundersnatch]

Well, until someone gave them a taser gun. Now, shoot first is the rule because they won't get sued, and don't have to worry about it.

Not true. Here in Chicago, the police get sued all the time - almost daily. Multi-million dollar judgements are commonplace, and the cops in question are invariably sacked (and sometimes financially ruined).

Here are some examples [chicagotribune.com].

Re:

[kent_eh]

are you going to look to see if the pop up is telling the truth, or assume it's a virus itself and squash it? Be honest now.

It'd certainly tell me that the computer is doing something that I didn't ask it to, which implies that something isn't right.

Even if it wasn't a popup. Ferinstance, what would you do if you discovered that your desktop wallpaper had been changed to red text on a black background saying "This computer is infected with one or more virusses. Disconnect it from the internet and seek professional help"
Or if your screen saver became scrolling text of the same message.

If I saw those messages, I certainly w

Re:

[Sancho]

Though in this case, we're not really talking about creating a worm, are we? We're talking about using an infection to clean that same infection on a local machine. This specific use case is not clearly abuse. Doing anything else to the machine at all would be way out of line.

important difference

[Tom]

(except that the researchers' vector is a server that can be turned off, not an autonomous worm that can't be recalled once released)

That's not a small difference! Pushing an update to a known list of hosts is a vastly different thing from starting a self-replicating autonomous agent.

There is still the "messing with other people's computer" issue, of course.

Re:

[MMC Monster]

If I got a pop-up like that, I would likely think that it was going to either install another virus or that it was a pop-up from a website, trying to sell me something.

There is no way I would think it was legit.

Re:

[JCSoRocks]

You wouldn't... but the same people that get infected with every bot known to man would probably think it was legit and click on it. I've seen these people; I've seen their computers... if there's a buttons - they will click it.

Re:

[Tom]

Been there, done that.

There was an anti-exploit for one of the early windos worms, I forgot which one. My website was running it for several years. Essentially, it was a perl script that hid behind the well-known URL that the exploit was targetting, hit the machine back with said exploit (after all, it had already proven to be not only vulnerable, but actually infected) and shut it down with a log message that should tell the sysadmin after reboot that his machine is infected.

Worked fairly well. Few hosts t

No dilemma

[Tom]

This raises the old moral dilemma about a hypothetical 'friendly worm'

No, it doesn't.

It raises the old moral dilemma about messing with other people's computers, for a good purpose.

But the "friendly worm" issue is a different one. The main problem is control. I've done the math and published a paper on this. You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.

So, like a dog, can you guarantee that it will listen to you, instantly, in all situations especially unfamiliar ones?

Re:

[Constantine XVI]

You do not want to be the author of an out-of-control autonomous, self-replicating entity, no matter what it does.

I'm sure Cyberdyne Systems wishes you were on their payroll.

Re:

[Yetihehe]

In this case, yes. They would not make "friendly worm", only update those worms which connect to them. So no autonomous spreading, only uploading to a list of kown hosts.

Ways of Terminating botnets.

[Zombie Ryushu]

I'm, all in favor of terminating botnet infestations even if it means terminating the OS of the computer infected. I've wondered why the computer security feild has not had more people working hard of find ways of rendering these insecure machines useless. Seriously. If its infected, terminate it.

Re:

[dave420]

Because it's illegal, and I doubt you'd want your machine being turned off by others. It would make more sense to tell the ISPs that their customers are infected, and even tell the customer directly. Being all dickish and holier-than-thou about it isn't going to help anyone, as it just puts folks off listening.

Re:

[lastchance_000]

I can see you aren't familiar with the smog inspection [ca.gov]/vehicle retirement process [ca.gov] in California.

The law needs to catch up

[Ice Tiger]

As with many changes in technology the law is far behind. In this case they would foul of the same laws that would convict the original criminals. The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

Botnets also span more than one country so maybe this needs to be international law.

Re:

[jc42]

The law needs to be adapted to allow legally sanctioned actions like the one proposed to happen to fix the problem.

Actually, "the law" doesn't "need" anything. Laws don't need; they just are. They are often written by clueless legislative assistants. And they very often outlive their original intended function.

Here in the US, we still have laws on the books from a century ago that impose speed limits of 5 or 10 mph for motor vehicles, and supposedly one state still has a law on the books requiring that a

I've said it before:

[0100010001010011]

I guess I've got my Evil bit set because if I had the know how I would send a low level format command out. The bot net would collapse, people profiting from it would stop and maybe people would start putting pressure on Microsoft to actually do something. Maybe install a boot loader that puts up a "error" message:

"Your version of Microsoft XP has expired. Please buy a version of Microsoft Vista at your nearest authorized Microsoft dealer. If your computer does not support Vista you will be required to upgrade your computer.

Thank you for supporting Microsoft and not Linux or Apple. We appreciate your business.".

Sure it's not nice, but if it gets people to actually take action then I'm all for it. There will always be more companies trying to profit, new botnets, etc, but if you can actually stop the bot

Re:

[dave420]

So... FUD much? :) You'd also get your ass handed to you by lawyers, many times over. Heck, even Apple might sue you for using their name in such an unscrupulous ploy. That's hardly educating people, but bullshitting them into doing what you want them to.

Barn door closed, horse left six months ago

[glindsey]

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

Re:

[johannesg]

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

The botnet itself is not harmless, and could just as easily overload or crash the computers in a hospital or powerplant. In other words, doing nothing could potentially be far more harmful than trying to wipe out the botnet.

In light of this, and the tremendous resources being wasted by these botnets, I am strongly in favor of eliminating them entirely.

I wouldn't boast about it on slashdot (or anywhere else) though...

Re:

[Sancho]

Botnet authors have a strong desire to avoid disrupting the machine. They want to be able to use the machine's excess resources, and nothing more. If they get noticed, they (likely) get deleted, and that's one less computer to make money from.

Someone trying to distribute code to clean the infected computer has much less of an impetus to avoid utterly destroying the system. Sure, they don't want to, but there's no direct hardship if they do. Might they be a little less careful? Maybe.

Worse, a botnet aut

Re:

[johannesg]

I wasn't talking about risk to the infected computer. When that computer is used in a DoS attack, or a mass mailing, the victim is not the owner of that computer. The owner has already been negligent in not cleaning up the mess, and in doing so it is causing harm to others.

While I don't think this merits harsh punishments, the *possibility* of having to reinstall his system is a fair trade off against the *certainty* of the botnet being used to cause harm to others.

Re:

[Junior J. Junior III]

is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

I would suggest that if a mission-critical system like that is already infected with a bot, the damage is done -- might as well attempt to clean it at that point.

While you're at it, you might as well modify the system in other ways that will be useful, such as changing the user's default keyboard layout to the more efficient Dvorak, and making the system internationally accessible by setting the default language localization to Esperanto and SI metric units. Also, I humbly suggest replacing the bug-laden, security hole riddled Windows OS with a nice Linux distro. Whoever the user is, they'll appreciate these improvements once they get used to the changes and see

Re:

[zippthorne]

What if the bot's next update causes the computer to reboot or even crash?

The other questions are tougher

[postbigbang]

Liability for 'curing' the problem is a great question. I don't want to see the 'cure' become another infection vector. Do we know that the cure is going to disable this network, but not enable a subsequent one?

It's a lead-pipe cinch that law enforcement people will and can do nothing to disable the network, and it-- like others-- represents a huge security hole and a big problem in terms of potential misuses of the existing botnet.

The 'authority' to even legally disable botnets is onerous. What's a botnet-

Which surpasses its predecessors in size

[AHuxley]

What it has an OS independent Mac and Linux payload too?

Non Assistance to person in danger should apply

[mrboyd]

We have this law in my country where if you can help someone who is in danger without risking to harm yourself you may get legal trouble.

I am pretty sure that a good lawyer could twist it enough to sue those researcher because they DID not kill the botnet while they could. Instead they published a report explaining to the botnet creator how to plug the hole. Next time they should just ask for a subversion comiter account a fix it themselves.

I can almost see how the patriot act could apply here. I thin

Cleansing a Botnet is Murder.

[Lassiethebrave]

I do not eat meat, nor do i clean infected boxes; all life is holy...

Goodness Gracious Me

[pjt33]

Why am I reminded of the Buddhist pest controller from Goodness Gracious Me?

No Moral crisis here.

[Forge]

A botnet cleansing worm would IMHO be a good thing and not in the least morally ambiguous.

Imagine a similar situation among humans. A Virus breaks out which ravages whole populations. You find a cure which can be distributed by spiking the watter supply or by pumping it into the air.

I can tell you, the CDC (No. Not the "Cult of the Dead Cow". The other CDC) would only hesitate long enough to verify the safety of the cure before dispatching it.

Or lets come to a more reasonable and commonplace situation. A man infected with Rabies is not allowed to chose weather he will be treated. His infection impairs his judgment and makes him a danger to other people, therefore he is a hazard to be cured against his will.

Doesn't the same apply to a botnet member oblivious to it's own condition spewing it's infection, Spam and lord knows what else onto other computers?

Kevin.

Re:

[CheeseTroll]

But what if that rabies-infected man was controlling someone's heart monitor?

Re:

[orielbean]

CDC is authorized to contain and treat outbreaks. Doctors and hospitals are legally tasked to heal people and be limited in thier liability for damages when something goes wrong. People seek out doctors and hospitals when they find out they are sick. It's a bad analogy. The infected machine users have no idea that they are infected. They have not sought out healing. And there's no agency currently tasked to handle an infection and be shielded from liability when something goes wrong in treatment. I'm less

Re:

[mgblst]

That is an idiotic analogy.

What is the initial virus didn't kill anyone or make them sick, but the cure did?? What if it only gave them the shits. Should it really get released??

Re:

[canajin56]

For those who may be unaware, the "cure" for rabies that has progressed far enough to present any symptoms at all, let alone far enough to drive the victim mad, is death. There is no cure, there is no treatment. So if an animal bites you, you get that shot ASAP even if it probably didn't have rabies. Note that this doesn't mean you should go around shooting people you think might have rabies...

Re:

[NereusRen]

There are a number of replies already pointing out various reasons why releasing a cleansing worm is not a good idea. In addition I just want to relate a story of an actual virus infection.

One year when I returned from summer vacation to my college campus, internet connectivity was very spotty. It got worse as more people came back, and we eventually learned it was entirely due to virus traffic. Anyone who plugged in a computer to the network found that it would get infected and spontaneously reboot in a fe

Sabotage the botnet

[CvD]

I say yes, sabotage the botnet with friendly worms/bots. The owners of the infected computers don't know about the problem, don't care or don't know how to fix it.

I say vigilante action is okay, to protect ourselves (the people in the know adminning the networks and computers being attacked).

Re:

[Abcd1234]

I say vigilante action is okay, to protect ourselves

I said the same thing to the cops as I was vburning down the house of some local drug dealers. Oddly, they didn't buy it, either.

Re:

[An ominous Cow art]

It's the responsibility of the police to deal with the drug dealers. Sadly, it's nobody's responsibility to deal with the botnets and their operators, so at the moment, the only recourse is vigilante action.

I'm not sure that releasing friendly counter-worms is the best solution, though.

with great power comes great responsibility

[lophophore]

I think there are ways they can proactively use their control over the botnet relatively safely.

They can update the infected computer with a program that causes an annoying popup to occur until the machine is sanitized by the owner. Then update the machine's firewall (if it has one) to block the controlling UDP port.

That solution should be fairly low risk.

I get so much spam of late, that I have no problem if they deliberately break the entire IP stack on the infected computers. Serves the owners right.

I did this back in the code red worm days.

[Lumpy]

I had all my servers issue a reverse "attack" to shutoff the IIS service and then put a winpopup up that their computer was infected with CodeRed virus and they need to take cleaning steps.

Buddies of mine were a bit less nice. They put the machines into spontaneous 3 minute reboot cycles. They figured that would get the users to get a clue and fix it. I though that was a bad idea.

What if the FBI is watching?

[Maximum Prophet]

No, don't try to fix the machines. If the authorities are watching this worm, they may be tracking down the owners. If you mess with things, they'll come after you for obstructing justice.

I did this once...

[el_flynn]

...and nearly paid for it.

We were on the verge of fall break, and someone on campus had found out a 'catch-all' email address which was aliased to _all_ the university email addresses. So some dickwad started sending a weird email saying something like "Hey joe, where are you?", which everyone got, and everyone replied "Hey, I'm not joe -- who are you?" Which was then sent to everyone else.

The thing basically kept feeding back to itself and was threatening to get out of hand. Literally hundreds of emails started popping up. Of course, this was waaay back then, before the days of spam, so it was 'abnormal', 'weird' and annoying all at once. Since it was a friday evening, and knowing that at the rate it was going everyone's inbox would be flooded when they returned from the week-long holidays, I -- perhaps naively -- thought I'd put a stop to it.

I attached a large binary file to an email and sent it to that catch-all address, hoping that it would jam up the works enough that the network admins would notice.

Notice they did, and eventually I got called up to see the ombudsman -- who promptly said he was considering kicking me out of campus.

So yeah, one can have good intentions -- like what I did -- but the means to achieve that end may not be acceptable to everyone, even though it did get the job done.

My 2 cents anyway.

By analogy, it should be done

[azgard]

I would argue, by analogy, that it should be done, ie. the computer participating in a botnet should be patched.

Consider this example: You find that someone robbed your neighbor's apartment (who is on vacation), and left the door opened and broken. Should you fix the neighbor's door, or leave them open for anyone to enter?

The correct answer is: You should fix the door, but with the permission of the police. Therefore, I think, the computers should be patched, but with the approval of legal enforcement (if i

There's a Difference...

[Bilbo]

There is a big difference, I think, between releasing something like a worm to patch un-patched boxes -- i.e., computers that haven't been "broken" yet, but potentially could be, and hijacking an EXISTING botnet to inject a "self destruct" update into it. I have some problems with doinking with other people's computers if they aren't infected yet (there are a lot of critical things that you could break, and there may be other reasons why they haven't updated some particular part of the OS which you don't

Self-defence?

[lysse]

If one constructed a program which detected incoming infection attempts and counter-infected the attacking machine with a "friendly" worm - one might call it a "vaccine", even - couldn't that be classed as simple self-defence?

If you see someone breaking into a store...

[Arancaytar]

Are you allowed to go after them?

Really, if they have a way to safely remove the infection, they should go right ahead. Preventing harm from someone without risking any other harm should not require informed consent.

If their cure involves a potential risk to the infected computer, then it's more questionable. But allowing the bot to continue to thrive is to convenience an irresponsible user whose computer got compromised at the cost of a responsible user whose secure computer is still vulnerable to DoS atta

Should we?

[jon3k]

"What do you think - is it better to allow the botnet to continue unabated, or perhaps to risk crashing a computer controlling a heart monitor somewhere?"

Absolutely. Quickly before the worm itself crashes the machine.

Plausible deniability?

[martyb]

For those who are advocating that an anti-bot be released (or whatever you want to call it) so as to disable this pest, I have a question for you: how is someone going to be able to tell the difference between these:

1.) A user who creates and releases an anti-bot, but through an error (design, programming, whatever) inadvertently causes "harm" to the system.

2.) A user who creates and releases an anti-bot that appears to try to block the worm, but is in fact designed to cause "harm" to the system.

Recall that the Morris worm [wikipedia.org] was not intended to bring down the internet:

According to its creator, the Morris worm was not written to cause damage, but to gauge the size of the Internet. An unintended consequence of the code, however, caused it to be more damaging: a computer could be infected multiple times and each additional process would slow the machine down, eventually to the point of being unusable.

AND

The critical error that transformed the worm from a potentially harmless intellectual exercise into a virulent denial of service attack was in the spreading mechanism. The worm could have determined whether or not to invade a new computer by asking if there was already a copy running. But just doing this would have made it trivially easy to kill; everyone could just run a process that would answer "yes" when asked if there was already a copy, and the worm would stay away. The defense against this was inspired by Michael Rabin's mantra, "Randomization." To compensate for this possibility, Morris directed the worm to copy itself even if the response is "yes", 1 out of 7 times [3]. This level of replication proved excessive and the worm spread rapidly, infecting some computers multiple times. Rabin remarked when he heard of the mistake, that he "should have tried it on a simulator first."

See also A Tour of the Worm [std.com] for a more detailed account of how it unfolded.

The intention may have been good, but the implementation had an unintended consequence that led to a major disruption of the internet. I remember full well the confusion at the time as the details unfolded. I was working at a major computer manufacturer that dropped its connection to the net to protect itself. Ultimately, none of our systems were hit (wrong OS), but the sheer volume of packets on the net led, effectively, to a DDOS'ing of the uninfected systems, too.

So, in a nutshell, how can one objectively tell the difference between an attempt to kill the worm that causes problems, and an attempt to cause problems that looks like it is trying to kill the worm? In a non-static environment. With our limited ability to write bullet-proof, error-free code. Besides, someone else could capture and re-purpose the good code to cause more problems.

KILL THEM ALL

[brassman]

"Kill them all. God will know His own."

Infestation Notification

[hAckz0r]

All they need to do is have each machine create a popup message on each host telling the owner they are infected, but nothing any more invasive than simple notification. They should _not_ be changing any binaries or updating/patching the machine, but the owner of the machine does need to be made aware of the problem. Of course making the machine beep every ten seconds until it is fixed might help annoy them into fixing it sooner rather than later, or at least turning the machine off.

Yes, it is justifiable in this case

[irenaeous]

Why?

Because there is no law enforcement for these matters on the net today. Sometimes, in frontier situations, a form of mob or vigilante type justice becomes necessary. In this case, it would be an expression of popular democracy when a group in a frontier setting decides that sometime of order enforcement is necessary in order for society to function. These spam bots qualify as a level of threat that would justify a defense of this kind because, in our current environment, these bots can't be stopped by other means.

There is also a discernible right to self-defense. Here is my analogy. If an ignorant neighbor has permitted some nut to put a machine gun on his front lawn that periodically shoots bullets at my front door, then taking action to disable that machine gun is a justifiable form of self-defense even though the form of the self-defensive act is an offensive act against the machine gun. Any collateral damage from the self-defensive act doesn't necessarily invalidate taking the action.

That means if the incredibly rare case that isn't going to happen of the disabling of a heart monitor does occur, the self defensive act is still justified.

Now, spam is not an imminent danger in the way bullets are, but they are a danger. For example, I do not want my 11 year old exposed to hard core porn often promoted in much of this spam. If there is no effective law enforcement, then self-defense and perhaps a group sanctioned vigilante enforcement, even if the means are offensive in some sense, is justifiable. Note, it is not justifiable if law enforcement is available to deal with the problems, but in this case no such remedies are available.

Now -- is it legal? IANAL, so I don't know, but I think a legal defense is possible -- and -- how many juries actually go after these guys anyway?

Re:

[lastchance_000]

I see very little spam in my inbox. That doesn't mean that the spam problem is solved. Filtering at the destination is better than nothing, but it is not a solution.

Re:

[NatasRevol]

This may be a cheap shot, but it's true. They already consented by using Windows.

Re:

[jonwil]

A bot is more like someone breaking into your house and stealing your stuff. If someone was walking past your house and saw someone breaking in and stealing stuff, would you want that person to enter your house to try and stop the burglar (and to return all your stuff to you)?

Same thing applies here, would you want some random software program infesting your PC regardless of what it actually does?

Re:

[brassman]

Where are my 10 mod points when I need them? Bravo, sir! Bravo!