
"Cheese Worm" Fixes Broken Linux Systems?

Posted by michael
from the also-orders-pizza,-pepperoni,-thin-crust dept.
Wakko Warner writes: "According to this article, a new Linux worm named "Cheese worm" has been spreading lately. The difference between this and other Linux worms is that Cheese worm attempts to fix backdoors added by other worms, removing malicious code and user accounts and scanning for other infected systems on the network. Now if someone would only release something like this for Outlook that turns off VBScript..."

  • by Anonymous Coward
    If you have any savvy at all, this worm will not hit you since you have patched your system yourself. This is designed for those without savvy. A protective angel. Protecting you while you don't realize.

    The idea is brilliant.
  • by Anonymous Coward
    I'd rather have fixer worms running amok than hacked drones flooding things. If you're clean, it'll pass right by you; if you're dirty, it will attempt to cleanse you. If you were dirty and it fucked up your box cleaning you, then fix your holes quicker next time and you won't have to worry. This might sound cold but if admins were more aware, worms like this wouldn't spring to life.
  • by Anonymous Coward on Thursday May 17, 2001 @04:14AM (#217654)
    You compare this to the Outlook worms, which is hardly a correct comparison. Those scripts that stupid users run in Outlook typically deliver a piddly payload (i.e. they don't r00t the box.) So they delete .JPGs and .MP3s, big deal. They still run within the context of security provided by the current user. Their real cause of damage is that they then access Outlook's address book and forward themselves to everybody, which in a corporate setting, can eventually cause the email server (any email server) to be overwhelmed and die.

    How exactly does that compare to a worm that will enter the system through faults in daemons without user intervention or knowledge, r00t the box, and deliver literally any payload they want, good or bad? Certainly there are some similar vulnerabilities in Microsoft daemons, i.e. everyone's favorite IIS. But I guess I shouldn't expect that many people here to be able to make such a distinction.

    Microsoft has long since released a patch to prevent COM automation of the address book, and future versions of Office prevent it by default. Should a worm of sorts be released to automatically download this patch and install it for the less-than-capable enduser? Hah! You know as well as I how quickly the slashdot crowd would interpret that as an invasion of privacy by the most evil and loathsome entity in the history of the world.
  • Now all they need to do is get it to overwrite a sendmail.cf of all these open relays we keep putting on the RSS, and we have it made.

    And finally China is secure...

    --
    WolfSkunks for a better Linux Kernel
    $Stalag99{"URL"}="http://stalag99.keenspace.com";

  • It's nice to see something like this out in the wild. Honestly I think I get a probe from a wormed machine at least once a day now, if not more. Good to see someone taking advantage of the situation to spread something good. Now if they'd distribute those Anna Kournikova pictures and the animation of Snow White and the Seven Dwarfs that the Outlook viruses promised, I think the writers of this worm would be sainted. :)
  • or it could be some odd sort of new Antivirus software prototype (laugh!)

    Naw, if the antivirus folks were behind it, it would also look for credit card numbers so they could charge you for the privilege of having your system secured.

  • by jafac (1449) on Thursday May 17, 2001 @08:02AM (#217660) Homepage
    Yes, to go out and automatically tweak others' machines without their consent is definitely wrong.

    I can think of one silly example why it would be a bad thing; What if somebody was testing network security software, thinking that this hole was unpatched on a target machine, and now, all of a sudden it isn't, then there's a bug in his security software that potentially goes undetected, and that security software gets sold and widely distributed. Can the dumb 'ol worm guarantee that all systems on the net from that point in time onward will be patched?

    That's just a silly example of an unrealistic situation - but for every one of those I can think up in the 5 minutes it took to read this /. article, real life probably has several good examples nobody's thought of.

    The basis of testing, or even just running a computer, is having a known-good system state to run from. If some unknown element is being changed, for whatever reason, that's a variable that the operator is not aware of. And that's a bad thing.
  • by mikl (2371) on Wednesday May 16, 2001 @08:40PM (#217663)
    The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?

    Further, it is still using my system resources (bandwidth, etc.) to spread itself without my permission, which amounts to trespassing in my book, even if it is supposed to "help".

    If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.
  • The problem is that it won't just affect previously compromised boxes - it will affect bandwidth. Bandwidth is not free - in fact, it can be quite expensive. All those portscans, successful or not, are still going to chew into the bandwidth of everyone on the subnet.

    Now, if someone AGREES to become a scanning node, that's another matter. They're consenting to allowing their machine to portscan others. They're consenting to allowing the benevolent worm to use their bandwidth to propagate itself and help others. They're accepting responsibility.

    If they didn't agree, then the worm has NO RIGHT to use their bandwidth, even if it is to help others, or clean up after malicious hackers. Unless someone has agreed to allow you to use their resources, it's stealing.

    I think the concept is a good one, however. I think if the worm were "sterilized", so that it simply went in, inoculated, patched the hole, then quietly deleted itself - no one would have an issue. If the same worm emailed root@whatever.host with a URL to download the propagation software, that would be cool too.

    The problem with that last part is that the malicious worms could do the same thing, masquerading as "fixes".

  • Hmm...taking that example out of context...

    If a burglar has already broken a jewelry store window, gone in, stolen some stuff, and left, it's OK to enter through the same broken window, as long as you are just picking up the broken glass.

    I'm sure the cops would just LOVE to hear that explanation ;P

    Either way, it's still an intrusion, whether it's benign or not.

    If it propagates itself in the same way (portscanning, etc...) then it's still using bandwidth without permission, even if it is for a good cause.

    Cool concept, Poorly thought-out execution.

  • Simple solution. Sterilize the worm. Make it non-replicating. That way, it goes in, inoculates, patches the hole, and then deletes itself, possibly sending an email to root saying "Hey, I noticed you were previously hacked, and undid the damage - logs attached - if you want to become a scanning node for this inoculator, contact [blah]"

    That way, it still does the "nice" stuff, and leaves it up to the sysadmin as to whether or not to become a redistribution point for the fix.
  • Right - Windows Update just tells you what M$ says the patch is supposed to do. It doesn't actually let you read the patch.

    So the Linux corollary would basically be an extension to apt that allows you to grab some information (changelogs) about the updates it's about to do?

    That's a *nice* idea.

  • Hmmm...sounds a lot like Windows Update (*shudder*)

    In *theory* Windows Update isn't such a bad idea. The main underlying issue is that it isn't full disclosure, and the patches themselves are closed - so you can't verify that they actually WILL do what they SAY they will do.

    Windows Update reads from the registry to find out what you have installed, and what you don't. Considering how much information is stored in the registry, and the fact that it's closed, there's no way of knowing exactly what information it does send back to M$ about your system, besides the contents and their update status.

    What would be cool would be to simply portscan (the same method the crackers use to get in) the machine in question, then act on those vulnerabilities only, reporting to the user exactly what is being done, and any holes that have been found/closed.

    Basically Windows Update done right.

    In *theory* it's a great idea. In practice, it may suck. Some people open things intentionally. Some people NEED (for whatever reason) to use an insecure version of [certain program].

    There's also the possibility of infecting the base site, or its mirrors - and having the infection spread exponentially.

  • by Genom (3868) on Thursday May 17, 2001 @04:45AM (#217670)
    ...so what harm can it do?

    Well, I'm no expert...one of my boxes was hit by Ramen shortly after installation of RH6.2, before I could finish downloading the update rpms from RedHat's site - seems someone on my local cable node had already been infected, so as soon as I got it installed BLAMMO! there it was. Did the cleanup/innoculation myself, and learned quite a bit in the process. (switched to Debian later that week)

    The thing that tipped me off to the worm's presence? My eth0 activity was sky-high, and I wasn't (to my knowledge) transferring anything.

    Now, I'm not saying a "good" worm is a bad thing - but I'm not entirely sure that it would be easy to tell the good from the bad at first glance. If these things propagate in the same way as the bad worms do, then people are still going to see their network card's usage jump up VERY high. People are still going to be portscanning other people's boxes, without knowing, and without other people's permission. It's still suspicious activity, regardless of the purpose.

    I can see an alternative though. Set up a website (or better yet, a voluntary series of mirrored sites) where users can go, and ASK to have their computer portscanned, and fixed if necessary. Make the "good" worms "sterile" (IE: unable to reproduce) so if the machine is infected, it can be automatically inoculated and patched against further infection.

    Want to know if you're infected? Just go to the site, and have it scan you, fix any problems it finds, and email you the results (or alternatively display them on the webpage). Have the same set of pages offer a tar.gz/deb/rpm of their site, including the scan/vaccination tools, so people can set up their own mirrors. Have the mirrors periodically checksum each other (say, weekly/monthly), to make sure they're all updated correctly, and that their payloads haven't changed.

    By making the process voluntary, and the worms sterile, you're only providing the inoculation service, not another (benign) infection.

    By allowing users with the disk space/bandwidth to set up their own mirrors, you eliminate the single-point-of-failure.

    By periodically checksumming known mirrors' copies of the patches, you make sure people don't abuse the system to deliver malicious worms, rather than distribute the benign ones.

    The trick is making sure users actually go to these sites, and scan their machines every once in a while. A few conspicuous links on security sites, and major *nix hubs would help there.

    Possibly even a "reactive" script that would detect worm activity, and email root@source.ip.of.scan, suggesting they go get scanned...hrmm...on second thought, that one could be exploited by the "dark side" as well - send a false email to root@whatever saying "I think you're infected, go scan yourself here" where "here" actually points at a delivery system for a malicious worm...ok, so that part's not a good idea.

    I'm just thinking here - second cup of coffee stuff ;P
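One way to implement the mirror cross-check the post above proposes, as an added example that is not the article's or the worm author's code: each mirror's files are hashed into a manifest, the manifests are compared by strict majority, and any mirror whose copy diverges, plus any file whose agreed digest changed since the last audit, is reported. Mirror names, file names and file contents are constructed.

```python
"""Cross-check patch mirrors by comparing per-file SHA-256 digests.

Added example for the voluntary-mirror proposal in the thread, not the
article's or the worm author's code.  Assumption: every mirror exposes the
same set of files (scan tool, patch bundle, ...) and a checker can fetch
and hash them.  Mirror names, file names and contents are all constructed.
"""
import hashlib
from collections import Counter

# Constructed toolkit as published by the reference site.
TOOLKIT = {
    "scan.sh": b"#!/bin/sh\n# constructed scanner placeholder\nexit 0\n",
    "patch.tar.gz": b"constructed-patch-bundle-bytes",
}
# Three constructed mirrors; mirror-c serves a modified patch bundle.
MIRRORS = {
    "mirror-a": dict(TOOLKIT),
    "mirror-b": dict(TOOLKIT),
    "mirror-c": {**TOOLKIT, "patch.tar.gz": b"constructed-TAMPERED-bundle"},
}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """Map file name -> SHA-256 of its contents for one mirror's files."""
    return {name: digest(data) for name, data in files.items()}


def majority_manifest(manifests):
    """For each file, the digest held by a strict majority of mirrors.

    Files with no strict majority are left out: without a quorum we cannot
    say which copy is the good one, so the caller has to look at them.
    """
    names = set()
    for manifest in manifests.values():
        names.update(manifest)
    agreed = {}
    for name in names:
        votes = Counter(m.get(name) for m in manifests.values())  # None = missing
        value, count = votes.most_common(1)[0]
        if value is not None and 2 * count > len(manifests):
            agreed[name] = value
    return agreed


def find_divergent(manifests, reference):
    """Return {mirror: [file, ...]} where a mirror's copy differs from reference."""
    bad = {}
    for mirror, manifest in manifests.items():
        problems = sorted(n for n, d in reference.items() if manifest.get(n) != d)
        if problems:
            bad[mirror] = problems
    return bad


def changed_since(reference, last_known):
    """Split the agreed manifest into files changed since, or new since, last audit.

    A majority check alone cannot tell a legitimate release from a coordinated
    replacement on most mirrors, so anything listed here should be matched
    against an announced, signed release before it is trusted.
    """
    changed = sorted(n for n, d in reference.items()
                     if n in last_known and last_known[n] != d)
    new = sorted(n for n in reference if n not in last_known)
    return {"changed": changed, "new": new}


def audit(mirror_files, last_known=None):
    """Run the whole check over {mirror: {file: bytes}} plus a previous agreed manifest."""
    manifests = {m: build_manifest(f) for m, f in mirror_files.items()}
    reference = majority_manifest(manifests)
    report = {
        "reference": reference,
        "divergent": find_divergent(manifests, reference),
        "no_quorum": sorted(set().union(*manifests.values()) - set(reference)),
    }
    report.update(changed_since(reference, last_known or {}))
    return report


if __name__ == "__main__":
    result = audit(MIRRORS)
    for mirror, files in result["divergent"].items():
        print(f"{mirror}: differs from majority on {', '.join(files)}")
```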

  • "If a burglar has already broken a jewelry store window, gone in, stolen some stuff, and left, it's OK to enter through the same broken window, as long as you are just picking up the broken glass.

    I'm sure the cops would just LOVE to hear that explanation ;P "

    I think a better metaphor might be a robot wandering around a badly policed town and boarding up broken store windows. It would leave a note explaining how it did it, when it did it, and what it did. This could prevent further looting. A robot is different than a human in that you don't have to trust it. If its specs are sane and it doesn't malfunction it does exactly what it is told.

    And sanity checks in the wild are what signatures and checksums are for... right? If we trust them for other things, why not this?

  • Actually, the invention of the virus was done to help systems. They were meant to be autonomous mobile agents, examining the computer and tweaking it.
  • FWIW, Redhat do still release Sparc patches; I saw an announcement on BUGTRAQ today where they were releasing a GNUPG patch for RH5.2 for sparc.

    With regards to automatic patching, how would you feel about updating patches on 100 machines? How about 1000? Fact is, admins don't want to have to manually log in to hundreds of machines to apply patches, so an automatic roll-out is the way to go.
    --

  • If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.

    Bingo. I mean, it would be very easy to create a worm that looked a lot like this one. People might just say, "Oh, it's just the Cheese worm. It's OK."

    I do have to admit that the idea of a beneficial worm is pretty neat, however.

  • The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?

    So what are you going to do? Put your unpatched antique box on the net and hope Cheese finds it before Ramen? Ahuk, ahuk, ahuk...

    The bottom line is: if your security sucks, you default to trusting every Tom, Dick and Harry out there with your box. The usual term for this is "data suicide".

  • by IntlHarvester (11985) on Thursday May 17, 2001 @06:58AM (#217679) Journal
    Considering this might break login and other admin scripts, be extra sure you want to do this. If you administrate a large number of Windows machines you've just made your life potentially much more difficult.

    Besides, it would be trivial to convert your typical Outlook virus into JavaScript, PerlScript, or even a VB EXE file. NOTAFIX.

    Microsoft has had a security patch out which mitigates the problem for many months. Have you tried it?

    --
  • by mr_burns (13129) on Wednesday May 16, 2001 @10:11PM (#217680)
    This is valuable not because it fixes a hole. It's valuable because it makes the community look cool.

    Think about it. In the 'doze world, there's MS, the sheep...er..users, the Vendors and the hackers on a bad day. There is no sense of community...if you help your friend....you're likely breaking some kind of law.

    On the other hand, with Open Source, here's an instance where some lone hacker takes a paradigm and smacks it upside the head for our mutual benefit. This is wonderful PR!!!

    Just when MS gave a speech about how Open Source OS's are insecure, and the community aspects are negligible at best, this guy kills both birds with one stone. And it didn't cost any of us a "beer" dime.

    You just can't buy publicity like that. I think I'll start preaching "Random acts of kind InfoWar". Really....this whole thing is a head scratcher we could use to our advantage.

    oh.....check /var/log/messages NOW!!!

  • . . . to see people complaining about this worm, even as harmless as it is. "How dare they patch our systems! We want to be used as catspaws in denial of service attacks!" If they find out who wrote it and try to prosecute him for damages, will they have to make it a negative amount since it essentially fixed a broken system, instead of the other way around?

    Sure, the idea of a worm in general might not be a good idea. But then, the only people who will be affected in a nontrivial way by this worm will be those who've been infected by another, malevolent worm anyway. Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong, if the one wrong meant there were all those compromised computers out there that could be used in Denial of Service attacks, and the second wrong took those out of the equation.
    --

  • by Zico (14255) on Thursday May 17, 2001 @12:11AM (#217683)

    And how long before someone modifies the Cheese worm so that it still patches the system from 1i0n, leaves that exact same message, and then goes and deliberately opens up a brand new hole for exploitation? I'd say seven days is a conservative estimate. If it appears that your system has been "patched" by the Cheese worm, you're best off wiping your system and restoring from backups.


    Cheers,

  • However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.
    Furthermore, if you are worried about other people's badly-administered systems being used as launching points for attacks against your machine, it might be nice to have the "white" virus compensating in part for the other systems' lazy administration.
    --
  • Could you imagine how wonderful something like this could be for all the rookies out there? Especially if it was configured to constantly look for updates from a known-safe location managed by a group of white hats, constantly updating the system and patching necessary software?

    What a great deal of sand in the face for Microsoft to learn of the open-source community banding together to secure the systems of the untrained, locking them down against participation in DDoS attacks and such. As if they don't already need a bulldozer to get the sand out of their faces with all the high-publicity IIS compromises of late. =)

    Sure, some of us don't want something like this getting onto our systems as it demonstrates that we've not locked it down well enough to begin with. But for those who truly *can* stop it from exploiting known vulnerabilities, we obviously don't need it. However, I'd wager that well over 90% of the people using Linux don't know what to do to lock their systems down.

    Bravo!

    (that is, until someone finds out that this worm is actually doing something malicious while pretending to patch the system)

  • by delmoi (26744) on Thursday May 17, 2001 @03:44PM (#217689) Homepage
    Would be like a Unix worm turning off FTP or disabling mod_perl. It could potentially improve security... but the people running the systems might not be so happy...
  • OK, color me clueless, but what does a port 111 scan indicate?
  • It's rather sad to see a worm do the work for clueless sysadmins. I'm not a sysadmin in the least, yet somehow I do a fairly decent job keeping my DeadRat 7 box updated and locked down as much as I can.

    A while back, I noticed a port 111 scan from what appeared to be a company's mailserver, setting off "worm" alarms in my head. Though I normally ignore such things, I was in a rather giving mood, and decided to alert the company of their potentially compromised box. Several bounces and lack of replies later, I gave up. The company just didn't seem interested in making it possible to report potential security holes or server problems - no addresses on their website, several possible leads gathered through bounces failed, and the whois lookup revealed a Hotmail address for the technical contact. I wonder how many other companies are as difficult to warn, and may not even care that their boxes are insecure.

    Maybe I just don't understand how hard it is to be a sysadmin, but can it be that difficult to at least glance at your operating system vendor's updates site once a week to check for patches and warnings? Is it that hard to do a simple system lockdown after the initial install and reopen services as necessary? Or am I just clueless?

    <Blatant flame>
    Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...
    </Blatant flame>

    Sorry if I insulted anyone with that short rant, just thoroughly unimpressed by the number of port 111 scans I see coming from what should be very carefully watched boxes all over.
  • by rarose (36450) <rob.robamy@com> on Wednesday May 16, 2001 @08:52PM (#217699)
    You forget: This worm is no skin off you a55 as long as your system is secure. I don't see anything but goodness here...
    If you don't like worms, keep your system secure before you get hit.
  • Something like this already exists. It's called 'apt-get'. Very useful tool. I'm sure you've heard of it.

    -------
    CAIMLAS

  • hmm, I know this kind of worm is really a virus in itself and not a good idea or something to welcome, but I have to admit I kind of like the idea myself. it's nice to think of a benevolent force propagating itself out amongst the web. there are enough malevolent ones to go around.

    sean
  • by seanw (45548) on Wednesday May 16, 2001 @09:02PM (#217708)
    and, thinking more about it, this has possibilities. this could be used as a distribution system for almost instant bug fixes, via "worming" the systems together. participation in the chain would be voluntary, of course. but, like another poster already suggested, it resembles the human immune system. and using this kind of "swarming" bug fix/patch distribution system would result in exponentially faster bug fixes. the admin doesn't even need to be awake.

    and new systems would be patched immediately, no more hunting down and downloading a bunch of old fixes every fresh install.

    imagine bands of roving web worms maintaining and managing the security of the net. am I just tired, or does this sound really cool?

    sean
  • by seanw (45548) on Wednesday May 16, 2001 @08:38PM (#217709)
    oh I get it, kind of like the "earth worm" of the computer virus world. it's a bug, yes, but you want it in your garden; it's good for the soil.

    just don't believe people when they tell you that you can cut it in half and both halves live

    sean
  • by Hard_Code (49548) on Thursday May 17, 2001 @06:15AM (#217710)
    ...right on the heels of Open Source's unified shot back at Microsoft, we have evidence that in the Open Source world, even the *viruses/worms* are beneficial! :) What next, Open Source code that mows your lawn, increases your sex life, and automatically sends presents and cards to your friends and relatives on their birthdays?

    Too funny...

    But seriously...maybe this'll nudge those black-hatters to actually compete with each other to *fix* holes.
  • If you read the article you would know that the worm enters your computer through the backdoor left behind by a malicious worm. Obviously if your machine is already backdoored you have no right to dis anyone who disables it for you. No-one is suggesting that we all write hack-patch worms and propagate them constantly; they're simply saying that if your machine is insecure enough to be actively penetrated by a malicious worm then you won't mind if we clean the worm off your machine and fix the bugs that it used to get into the machine in the first place. And if you do have a problem with that, I'm sure the 20 people who had their machine penetrated by someone using the worm's backdoor on your machine would have something to say about it. When your lame box is open to attack, you place me open to attack, even if it is just DDOS attacks.
  • The worm installs itself on the machine, checks for the installation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...

    It'll need to detect I've rebuilt Sendmail with regular expressions, and connect with some machine out on the net that has the same version of gcc, libraries, et cetera as I used on the build machine to create the binaries.

    It'll do the same for SSH, turning on the ability to invoke it from inetd, and without opening the hole closed by turning off X forwarding.

    It will need perhaps the skill to rebuild Apache properly to include mod_perl and OpenSSL.

    Somehow it will know which of my two Perl binaries it will update.

    I think I know what to name it.
  • If a version of this appeared that installed itself on old, insecurely configured versions of Norton PcAnywhere and similar software, as well as sticking itself up BackOrifaces, and closed the security hole involved?

    Would they update to new software (for the desired installs, of course) or would most want to just reinstall the open barn door?
  • The bottom line is: only idiots get infected by cheese, but it's better than what they had before. And it's certainly better for the rest of us.

    Granted. Though I would prefer the proposed version that didn't scan but only defensively spread itself to other probing systems, its attackers. My post was addressing this part of what I replied to:

    The worm installs itself on the machine, checks for the installation version, logs into the bug report homepage for that distribution, and updates all of your packages or binaries from a set list of servers...

    Someone using an RPM distribution, to name one package manager, soon learns that if they update the original software themselves (configure, make, make test, install) that it is better to leave the system thinking the old packages you are replacing are still installed. Otherwise you are going to have to force the package manager to ignore what it thinks are dependency problems. Sometimes what is updated is only one important part of a package. Grabbing new versions and blindly installing them over what is already there would actually penalize those who update their software before official updates are available, should they miss the one hole the worm might use.

    The bottom line is that this addition would downgrade the software on a system which does not restrict itself to the official packages. In other words, about all servers that do anything interesting. The software is modified to perform functions. Security is essential, but worthless if it keeps the server from functioning. Or overloads the update sites it uses.

    Lion worm is fixable. The proposed trashing of the installed software base is less likely to be.
  • If you're making a conscious decision you would of course lock your door while on vacation. But if you didn't, it sure would be nice if the first stranger who discovered it locked it for you, and checked the gas and watered the plants while he was at it.

    It's a bit like someone turning in a wallet he found instead of keeping the money for himself.
  • Kudos to the person who made this one, although I'd still be leery about even this one "worm", especially when groups like s0ftproject [antioffline.com] keep creating these sometimes outrageous backdoors.

    Someone should set out to write an informative document which isn't so bloated with too many tech terms for the newbie Linux admin [antioffline.com] that shows them how to lock down their Linux systems on an install. I wrote a lame one about 2 1/2 years ago, but never bothered following up on it.

    Education, education, and more education. I wonder how come many complain about security, when so few take a few hours to actually inform themselves of the risks/fixes for typically easy problems.

    2600 is being run by Peter Pan [antioffline.com]

  • by The-Pheon (65392) on Wednesday May 16, 2001 @08:41PM (#217720) Homepage
    # removes rootshells running from /etc/inetd.conf
    # after a l10n infection... (to stop pesky haqz0rs
    # messing up your box even worse than it is already)
    # This code was not written with malicious intent.
    # Infact, it was written to try and do some good.
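The quoted comment says the worm removed root shells served from /etc/inetd.conf. The same check can be done by an admin, offline, over a copy of the file; the following is an added example (not the worm's code and not from the article) that parses inetd.conf, flags entries whose server program, or a program passed through a wrapper such as tcpd, is a shell, and comments them out rather than deleting them so the evidence stays for review. The sample file contents, service names and paths are constructed, and the shell list is our own assumption.

```python
"""Find and quarantine inetd.conf entries that serve an interactive shell.

Added example for this thread, not the worm's code: it does offline what
the quoted comment says the worm did to /etc/inetd.conf.  The sample file
below is constructed (service names and paths included); real backdoor
entries vary, so treat SHELL_PROGRAMS as a starting point, not a signature.
"""
import os

# Programs that give a connecting client a command interpreter when inetd
# runs them as the "server program".  Assumption: our own list, not the page's.
SHELL_PROGRAMS = {"sh", "bash", "ash", "dash", "ksh", "csh", "tcsh", "zsh"}

# Constructed /etc/inetd.conf: four stock-looking services plus two entries
# of the kind a backdoor adds (one bare shell, one shell hidden behind tcpd).
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
echo    stream  tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
# constructed backdoor entries (the names would also have to be in /etc/services)
bkdr    stream  tcp     nowait  root    /bin/sh         sh -i
swat    stream  tcp     nowait  root    /usr/sbin/tcpd  /bin/bash -i
"""


def parse_inetd_line(line):
    """Parse one inetd.conf line into a dict; None for blank or comment lines.

    Field order: service socket_type protocol wait/nowait user server_program [args].
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 6:        # malformed line; inetd would reject it too
        return None
    return {
        "service": fields[0],
        "socket_type": fields[1],
        "protocol": fields[2],
        "wait": fields[3],
        "user": fields[4],
        "server": fields[5],
        "args": fields[6:],
    }


def _is_shell(path):
    return os.path.basename(path) in SHELL_PROGRAMS


def shell_reason(entry):
    """Explain why an entry hands out a shell, or return None if it does not."""
    if entry["server"] == "internal":      # built-in services (echo, chargen, ...)
        return None
    if _is_shell(entry["server"]):
        return "server program is a shell"
    # When the server is a wrapper such as tcpd, the real program is the
    # first argument; a shell anywhere in the arguments is just as bad.
    for arg in entry["args"]:
        if _is_shell(arg):
            return "shell passed as argument (wrapped, e.g. via tcpd)"
    return None


def find_shell_entries(conf_text):
    """Return (line_number, service, user, reason) for every shell-serving entry."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        reason = shell_reason(entry)
        if reason:
            findings.append((lineno, entry["service"], entry["user"], reason))
    return findings


def quarantine_entries(conf_text):
    """Return (new_text, flagged_line_numbers) with flagged entries commented out.

    Commenting rather than deleting keeps the evidence for the admin to review,
    which is the part an automated cleaner cannot do for you.
    """
    flagged = {lineno for lineno, _svc, _usr, _why in find_shell_entries(conf_text)}
    out = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        out.append("#DISABLED# " + line if lineno in flagged else line)
    return "\n".join(out) + "\n", sorted(flagged)


if __name__ == "__main__":
    for lineno, service, user, reason in find_shell_entries(SAMPLE_INETD_CONF):
        print(f"line {lineno}: service {service!r} runs as {user}: {reason}")
```

After quarantining, inetd has to be told to reread its configuration (a HUP signal on the classic inetd) for the change to take effect.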

  • Hey, my company Dancris Telecom already made an anti-worm for the network VB virus. It scans for machines with this virus, replaces the virus in the startup menu with itself, then continues to scan for infected machines. On reboot it removes itself and leaves a message on the desktop that tells the end user that they need to not leave open file shares on their computer. I will make a follow-up post later with a link to the source code so you can download it.
  • Probe for a rpc.statd attack.
    Redhat Linux 6.x boxen have portmap running by default, and rpc.statd has a hole in the default install. Exploited by Lion, and adore (IIRC).
  • He was just referring to Netscape.
  • If you actually have a honeypot, wouldn't you be keeping an eye on it? Wouldn't you already have a quick and easy way to reset it? In this case Cheese is no different than any other intrusion, easily monitored and fixed for a true honeypot.

    As for your 'I've put other devices in place to avoid exposure', what a load of crock. If you've avoided exposure, Cheese shouldn't spot it or your amelioration devices should catch cheese as well. It's a crock.

    The box is yours, and cheese is by no means the best way to solve problems but for those who can't be bothered to secure their box right, Cheese is the best way to fix these typhoid marys.

    DB
  • There was a worm back then that was spread by data disks and tapes called animal. Now animals like to eat. They also store food for the winter. So animal would slowly grab any and all available memory *of any kind* it could find. Until the mainframe choked due to insufficient memory. The cure was a worm called hunter. Now hunters, hunt animals and kill them. What hunter would do is replicate itself onto disks and tapes and first look for animals. If it found one it killed the animal and then would lie in wait until it saw another one. I also would like to report that within a few weeks the animals were all extinct.
  • The posts I'm reading seem to be divided into two camps: those who think it's a good thing, and those who think it's a bad thing.

    Put the ethics of the situation aside for a moment. The fact is, creating this type of exploit is possible. No amount of preaching will make this type of exploit go away. Like nuclear power, the cat's out of the bag.

    So shouldn't the discussion be more along the lines of "what do we do now?", rather than "I like, I don't like."? If you /really/ wanted this problem to go away, you'd advocate outlawing networked computing. How likely is that?

    With that in mind, I have to come down on the side of favoring this particular worm. If we're going to have an evolutionary arms race, I'd like the good guys to win, after all. Ethics matter, but it's too late to go back.

  • I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.

    Obviously. If you KNEW you were compromised, you would reinstall if you had half a brain.

    However, if you did not KNOW you were compromised, it might be nice to have the "white" virus remove the holes before more malice comes to your box.

    I think that is the entire point.
  • Why not make a worm that installs OpenBSD on other machines? It would save time. I don't think a worm would be 'smart' enough to patch all 200+ exploits in the latest RedHat distro. Oh well....Security isn't magical or mystical. All you have to do is stay current with exploit advisories and patches.

    On the flip side, this worm is still using other machines unauthorized and I am sure the author could get in considerable trouble with the law. Shit...what about all those nice honeypot networks that are supposed to be all messy and bad. (redhat full install..boom honeypot)

    Nevertheless, this will probably get negative spin:

    "Linux Users are so mindless about security, that vendors have to release worms against their users to protect them from hackers."

    You shouldn't try to force people to be interested in security, especially against their will. It's like using the ATM in the worst part of town at 3 AM. Not a good idea. Once you get mugged, you will start worrying about security.

  • Sorry, I wouldn't say that Debian is more secure than Win2k. Find a Win2k admin that thinks security is an important issue and compare him with a debian admin who doesn't. The results will show up. It works both ways. Look at OpenBSD. 4 Years without a remote exploit in the default install. This comes from 2 things: a source audit for bugs (any bugs, since exploits can appear from places previously thought unexploitable) and they don't have a base install that turns *everything* on by default. I seriously think linux security would jump a few notches if they just didn't turn all that crap on by default. I've seen people install RedHat and have DNS, Web, Mars, Samba, nntp, ntpd, nfsd, ftpd, telnetd, and countless other services and they couldn't even tell me what 4 of them did. "why not, I might need them later." is the usual response. what the fuck? Learn what it is, then learn how to turn it on. Maybe in that step, you'll realize that you don't need DNS running from every box on the network (especially that nasty, bug-filled bind 8.) I've said it many times: There is no absolute security. The only thing you can do is limit access, run only what is necessary, and keep up with patches and the like. I figure your comment was just for humor, but Debian ain't a uber-secure system either. Shit, it responds to pings sent to the broadcast addy by default. Just what we need.

  • by niekze (96793) on Wednesday May 16, 2001 @09:56PM (#217747) Homepage
    I agree with most of your points except one, which I *really* disagree with.

    Automatic (or even semi-automatic) patching is the *dumbest* idea on Earth.

    Just look at primary network time servers. Imagine if *everyone* had ntp get the time from a pool of ntp servers. Now, imagine someone hacking these servers and changing their time. Boom, everyone's time is now incorrect. But that doesn't even come close to automatic 'fixes' for buggy code. Imagine someone hacking the Patch Server, then inserting a 'patch' that contains malicious code. *BOOM* Every motherfucking machine that uses that server is then 0wned. It sounds great on paper, but isn't a good idea. Plus, you shouldn't make security that brainless. I was baffled by OpenBSD only releasing source code patches. Then I realized that if you want to patch the binaries, you have to learn how to patch the source and then you've learned a bit more about how the system works. Plus, you don't have to worry about finding a binary patch when the distro supports a bajillion architectures. If I remember correctly, RedHat dropped Sparc support...do they release patches for Sparc anymore? If not, you'll need the source. Good thing you learned how to do it in OpenBSD. (sidenote: the patches usually have the instructions in them, so they are relatively easy to use) But I realize you probably aren't suggesting auto patching. But if you aren't, then your idea is lost. People will realize security is an important issue, either the hard way or the easy way.

  • This is not a morality issue, this worm (and idea) is now in the wild; worrying about the morality of it is a pointless waste of energy.

    We need to harness this idea to the benefit of all.

  • by rediguana (104664) on Thursday May 17, 2001 @02:59AM (#217754)

    I'm sorry, it sounds cool but it has many problems in my mind.

    1. Lack of Transparency. I don't like the idea of something that runs at a privileged level or modifies my system without my permission. Do I get a chance to view the source code before it patches to ensure its good intent?

    2. MAD. This will start a war of attrition. Worms scanning and invading systems. How long before a worm says 'if I can't have it - neither can you!' and wipes the hard drive.

    3. Evolution. This will cause mutation in the malignant worms that will make it harder for patches to be created. Think anti-bacterial resistance.

    4. Automation. People say this is great and automated and the admin doesn't have to even wake up. What would happen to the Internet if Windows automatically installed patches without your permission? Just think of all those IIS sites disappearing when the service pack screws up and no one's there to monitor it! Hang on, perhaps that's not such a bad idea :)

    The risks in my mind really outweigh the potential rewards. The only people who see this as cool are those who are too lazy to have some form of management process to maintain their security.

    I do like a system similar to the MSFT update whereby my installed software is audited, and I am notified of any patches available, and then given the options to read, and install the patch - if I choose.

    Cheers RedIguana

  • It's certainly a nice idea, but rather misguided. It's generating traffic that people who do maintain and check firewall logs would rather not deal with, and doesn't fix the core problem -- machines that aren't kept up-to-date with security fixes. You'd think that with all the press these self-replicating worms are getting that people'd be more vigilant about updating their systems. Hell, I was gone for a week and was nervous about not having the systems constantly up-to-date.
  • I wouldn't trust this would secure my system.

    Well, this cheesy virus can "infect" only boxen that got the virus and stay unpatched for a long, long time. These are likely to be unattended or poorly adminned boxes. They can become a breeding ground for a new wave of DoS attacks, but now they are fixed as easily as they were br0ken into.

    This is a totally new, proactive approach to Internet security. As soon as a new virus is found it gets rev-engineered and an "antibody" is released (officially, from a very official Web site, cryptographically signed if you like). This can be permitted by laws.

    This antibody then may check a certain file in a certain place, like /etc/please_no_antibodies, and if this file does not contain a valid gpg-signed request to bug off then it proceeds, cleans up the virus, creates a log of changes and mails it to the box owner.

    Thinking commercially, this can be even a subscription service. You register IPs of your boxen on the Net, and the service scans your boxes (from a central server) from time to time; if the box is r00ted with known virus then it will inform you.

    Even if you don't like this "commercial" approach, I hereby transfer this business plan into public domain. Logs of /. and Google will preserve it forever. Patent this! :-)

  • by Trinition (114758) on Thursday May 17, 2001 @02:38AM (#217760) Homepage
    so let me get this straight. First there were computer systems. Then there were parasites (trojans/viruses/etc.). Like biological systems, these parasites were mostly specific to one species (platform).

    Now we see some new parasites (unhacking worm) coming out that have a symbiotic relationship with their host (linux machine).

  • Now if someone would only release something like this for Outlook that turns off VBScript...
    How about a worm that automatically detects insecure installations (Win2K, say) and automatically patches them with the recommended patches (Debian, say)?

    --
  • This is stupid. Of course you shouldn't trust it. You should fix the holes yourself, and not allow the worm on your system.

    However, for those who are less security-conscious, this is a Good Thing. Not infallible, and not the best alternative, but perhaps (and only perhaps; I don't know enough to judge) better than leaving the system wide open.

  • Doesn't Microsoft have something like this already? Isn't there a Trojan horse in Windows 98 that periodically contacts Microsoft HQ and downloads patches?
  • by legLess (127550) on Wednesday May 16, 2001 @09:01PM (#217769) Journal
    On the lighter side, this must really tweak the folks at the Honeypot Project [honeynet.org]. "Dammit - just when we got the network nice and insecure, those cheese bastards fixed it! Where's that RH6.0 CD?" They'll be in the unenviable position of having to protect their systems against worms just so that they can be 0wn3d by script kiddies.

    On the darker side, this reminds me of the "toner wars" in Diamond Age [slashdot.org] , where good and evil nanites ("mites") battled in the air, and the carnage was horrific. Going outside during a toner war was like breathing straight graphite powder. Is this the future of security? The future battleground for white hats and black hats?

    It's a cute idea, really, but it has to stop. All property rights aside, we cannot afford to fight this war in this arena. The point of having an army (if I may carry the analogy a little farther) is to keep the enemy away from civilization. But in some ways the battleground already is the property we need to protect; worms are in a real way terrorist rather than military. What's to be done? Education, and lots of it. Hope it's enough.

    question: is control controlled by its need to control?
    answer: yes
  • Actually many earth worms in North America are invasive exotics. They were brought to the continent for bait, but they have devastating effects on the ecosystem of forest floors.
  • Now if someone would only release something like this for Outlook that turns off VBScript...

    Already done. Paste this into a .inf file and run it. It's not a worm, but it fixes the problems (not completely, but enough to stop the current virii):
    ; devbs.inf: save as a .inf file, then right-click it in Explorer and choose
    ; Install, which runs the [DefaultInstall] section below. DelReg removes the
    ; two HKEY_CLASSES_ROOT keys that map the .VBS extension to the Windows Script
    ; Host, so a double-clicked .vbs attachment has nothing registered to open it
    ; (it can still be run explicitly with wscript.exe, hence "not completely").
    [Version]
    Signature = "$CHICAGO$"
    Class = MEDIA

    [SourceDisksFiles]
    devbs.inf=1

    [DefaultInstall]
    DelReg = DeVBS.RemoveVBS

    ; registry keys deleted by DefaultInstall (HKCR = HKEY_CLASSES_ROOT)
    [DeVBS.RemoveVBS]
    HKCR,VBSFile
    HKCR,.VBS
  • I wouldn't trust this would secure my system. The only way to do it is to go through the security bulletins, patch, patch, patch and conf like mad.

    I really don't like the idea of worms like this. I sure as hell don't like the idea of ANY worm or any mutant program trying to do something to my systems without me knowing. Whatever reason it was done for, thanks, but no thanks. I'd rather secure my system the old fashioned way.

  • We actually figured out how to solve this problem at one company I worked for. It consists of a single one-line VBScript:

    MsgBox "You're Fired. Clean out your desk and leave within thirty minutes."

    We didn't actually implement it, but we feel that if we had, we could count on people learning not to click on random VBScripts.

  • Well, it sounds like this worm only affects you if you've already been compromised by the other one- it enters through the same backdoor.

    I mean, yeah, I agree with you- not a good idea to rely on benevolent virii to have a secure system, lol, but this "benevolent worm" is only gonna affect those who couldn't or didn't secure their own systems "the old-fashioned way" :-P

    http://www.bootyproject.org [bootyproject.org]
  • Well, I see about 12 +n, Insightful posts saying, "Well, even though it tries to do good, it's not a good idea/it's a bad precedent/I wouldn't let it on my system/etc." This thing doesn't need your approval or disapproval any more than a malicious worm. Of course you don't trust someone else to anonymously fix your system. Only a complete idiot would infect themselves on purpose. But saying "I don't think it's good" on Slashdot doesn't secure your computer.

    The real good I see in it: if this shows up on your computer, you know that you haven't been taking appropriate safety precautions. Count yourself lucky that nothing bad happened, and fix it.

  • Hey, I've got a thought. Let's write a security patch for IIS. Wait a sec, am I supposed to rewrite a dll? To do this, I would need the api for the dll. Have you seen the MS SDK? There are so many partially documented functions, not to mention evidence of undocumented functions as far back as Windows 3.1, possibly farther. You can't rewrite the dll since you don't know what the undocumented functions are doing. Believe me, there have been many _many_ times I wish I could fix NT's inability to kill a crashed service. A service that crashes when a thread tosses the ms equivalent of a SIGSEGV. I would also do my best to add a POSIX.1 pid_t fork (). I am in no way proselytizing, just presenting facts.
  • As best I can figure, it is the SIGSEGV causing the problem. The only reason why I know this is that I catch the signal, report the error to eventvwr (another wondrous idea.. i know, let's map i/o for ALL running services while the eventvwr is open--seems silly since the SDK purports to have sub-file level locking for NTFS). After the thread causing the problem dies and reports its death (turns out it was a double destruction causing the problem--damn pointers), the service thread can no longer find the dead thread but is quite certain that it is running. Without a SIGHUP (why oh why they left this out, I will never know), all I can do is stop the service and restart. The reason I have to do this is the service thread will no longer spawn more threads (neat, huh?). Mind you these problems are on both NT and 2000, though I develop on NT for 2000 (the reason--sysadmins do not want to purchase a 2000 server 300 user license. So, we have a 2000 box on a 10 network behind a linux router that makes sure 2000 doesn't try to hold elections. The mind boggles..) SERVICE_STOPPED never comes and a SERVICE_CONTROL_INTERROGATE returns pending stop (don't have the SDK up in front of me). Under what circumstances is this considered acceptable OS behavior? While I realize that no OS has an acceptable implementation of pthreads, the least MS could do is not expect developers to rely on theirs. However, SIGKILL should mean just that: die now.

    As for the SDK documentation, it is almost adequate, not excellent, and I use the one on msdn.microsoft.com, I assume that will always be the most recent. If you want an example of an excellently documented SDK, check out man. You will never, ever, never run across stuff like: "this variable is undocumented," which exists in the SDK.

    As for fixing problems in MS, turning off VBScript isn't the solution. Seems to me that perl, tcl, python, and other equivalents do not have the same security problems as VBS. I think the main problem lies in vbrun*.dll.

  • that's my point. VBScript isn't the problem, vbrun*.dll is. The only beef I have with VBS itself is the 'B,' not that it is inherently evil. The evil is in the implementation not the language.
  • Does anyone know of something like this in Windows? This is a great example why I recommend Linux to people. Community. People willing to help. Logon to IRC and ask, someone will help, search google for your problem and you'll find an answer or at least a clue.

    Try to search "Windows NT unknown error" on google!
  • "if someone would only release something like this for Outlook that turns off VBScript..."

    Hey, wait just a minute there. I get paid good money to do that. Don't go replacin' me with no worm.

  • by tvon (169105) on Wednesday May 16, 2001 @09:44PM (#217791) Homepage
    I don't think anyone would "let" any worm into their system on a voluntary basis, but if you read the story I believe it will tell you that the Cheese worm enters via a port that the 1ion worm leaves open. So, if you get the Cheese worm you have already been attacked and most likely didn't know about it.

    The fact is, if you are security conscious and have all the latest patches and follow the proper regime for maintaining your system, it is fairly unlikely that your system will ever get compromised......and if you "let" any worm into your system you should be shot without any hesitation.....though in this case if the Cheese worm _can_ get into your system it seems to mean that you have already been attacked and your system is not trustable...so what harm could it do?

    # Tom von S.
    # -------------
    # "Nuclear weapons can destroy all life on earth,
  • I should not be posting, as I am quite drunk on Yagermeister. BUT -- being a Linux/Windows sysadmin (is that bi?) I find this article particularly hilarious/intriguing/hopeful. So there are a lot of script kiddies out there just prone to doing damage and otherwise very fscked up shiite. Why not work for the right side of the force? I happen to work for a company (name withheld - faux humility) whose product, although profitable for us, is a noble and useful thing. Companies that are wise enough to use it often save half a million and up -- Mainly helping geeks like ourselves as well as others to be gainfully employed in a fraction of the time it might normally take. All the fluff aside - we are a mixed linux/windoze environment and to be frank, ILOVEYOU seriously kicked our asses for at least 3 hours. Just the thought that someone would write an anti-worm gives me great hope, even FAITH in the human condition. Some folks deserve massive downtime, I agree, but some definitely do not. More power to this digital angel I say! Linux renewed my faith in computing - but I have found that the ones today who really have huevos are those who are truly platform independent. And that does mean Windoze. And VBS. And Activex.(excuse my vomit).
    I feel like a geek Rodney King here - but the goddamn salespeople have got to use something they can somewhat understand! Lusers or not. Am I not right?
    I'm getting off subject - great post though. Got me fired up.
  • Yeah, I've heard of Lion, that is the damage that this worm is attempting to fix.


    Enigma
  • If your system has been infected by the 1iOn worm, it was insecure. Most admins with infected systems who didn't notice the intrusion right away probably only become aware of the situation when their system is used in some other attack. Now here comes the Cheese worm, plugs the hole and leaves a message. You read the message. Should you trust your system after that? Not at all. It has been compromised by one worm and then another one. There is no reason to believe that the first one was successfully removed, the second one was really white hat or that these were the only intrusions, since anyone could have used the same backdoor through which the Cheese worm came in and have his own additional backdoor in place. If you see the message, wipe the system and install a clean and hopefully safer system. The message already implies that the purpose of the Cheese worm isn't repairing systems and saving the admins some work. Its purpose is to take the systems with undetected intrusions out of the skript kiddies' hands. It fights fire with fire only where water is unavailable. There is only one thing I don't like about this worm: It looks and feels exactly like an attack. In consequence, admins spend time pursuing the (automatic) offenders and systems might get overloaded with scans if the worm gets out of "control".
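    The post above turns on one question: what was actually left behind, and can you see it? As an added example (not the Cheese worm's code, and not from this page), here is the kind of host-side audit an admin would run on a box that received the "message". The page only says Cheese enters through the port (10008) that Lion leaves open and removes malicious code; that the backdoor is an inetd entry binding an interactive shell to that port is an assumption of this example, and the inetd.conf below is constructed. Note that the cleaned file is written as a new string, not over the original, and the flagged line is commented out rather than deleted, so the evidence survives for exactly the reason the post gives: a cleaned config is not a trustworthy system.

```python
"""Audit an inetd.conf for a root-shell backdoor entry and produce a disabled copy.

Added example for this thread, not the Cheese worm's own code. That the backdoor is
an inetd entry binding an interactive shell to port 10008 is an assumption here;
the page only says Cheese enters through the port that Lion leaves open.
"""
import re
from typing import List, Tuple

# Constructed sample of /etc/inetd.conf; the last line is the assumed backdoor shape.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
10008   stream  tcp     nowait  root    /bin/sh         sh -i
"""

SHELL_NAMES = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}
DISABLED_MARK = "#DISABLED-BY-AUDIT: "

Finding = Tuple[int, str, str]  # (line number, reasons, original entry)


def parse_inetd(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_no, fields) for each active entry; comments and blanks are skipped."""
    entries = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        entries.append((no, stripped.split()))
    return entries


def suspicious_entries(text: str) -> List[Finding]:
    """Flag entries whose server program is a shell, or whose service field is a bare
    port number instead of a name from /etc/services; note when they run as root."""
    findings: List[Finding] = []
    for no, fields in parse_inetd(text):
        if len(fields) < 6:  # service sock_type proto flags user server [args...]
            continue
        service, user, program = fields[0], fields[4].split(".")[0], fields[5]
        reasons = []
        if program.rsplit("/", 1)[-1] in SHELL_NAMES:
            reasons.append(f"server program is a shell ({program})")
        if re.fullmatch(r"\d+", service):
            reasons.append(f"service is a raw port ({service}), not a name from /etc/services")
        if reasons and user == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((no, "; ".join(reasons), " ".join(fields)))
    return findings


def disable_entries(text: str, findings: List[Finding]) -> str:
    """Return the config with each flagged line commented out rather than deleted, so
    the admin can still see what was there. The input string is not modified."""
    flagged = {no for no, _, _ in findings}
    lines = [DISABLED_MARK + line if no in flagged else line
             for no, line in enumerate(text.splitlines(), 1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = suspicious_entries(SAMPLE_INETD_CONF)
    for no, reasons, entry in found:
        print(f"line {no}: {reasons}\n    {entry}")
    print(disable_entries(SAMPLE_INETD_CONF, found), end="")
```

    On the constructed sample the audit flags line 6 only (a shell on a raw port, as root) and leaves the legitimate entries, including the commented-out rshd line, alone. A real run would read /etc/inetd.conf, check whether inetd is actually listening on the flagged port, and then do what the post says: treat the finding as proof of compromise, not as a repair.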
  • - Internet Anti-Bodies
  • This makes me think of the recent stream of Hybris virii for Windows. What if this supposedly beneficial worm had jazzy code to update itself from a newsgroup or freenet, and eventually morphed into a weapon of pure evil ? We all know that for every intelligent forward-thinking geek there are hundreds of idiots, and those idiots would be just the type to leave such a thing on their systems because "It's not doing any damage so it's not a priority"... and then.. BAM! the worm goes postal! A scary thought, is it not ?
  • by Jason Levine (196982) on Thursday May 17, 2001 @04:21AM (#217810)
    Actually, there have been many problems with that patch. Besides, it doesn't address the core issue, the scripting features (while possibly very useful) can be used to easily make viruses.

    Excuse the blatant plug, but instead of telling users to hack into their Windows registry (not something most users are capable of), I devised a program, Script Sentry, that seizes control of the VBS extension (as well as quite a few others, but only after you approve it of course). This way, when the script is run, Script Sentry opens up, scans the script for possibly malicious code, and then alerts the user.

    For example, in a momentary lapse of judgement, I open that "Love Letter" attachment I received. Instead of being infected though, Script Sentry alerts me that the "Love Letter" would have deleted files, edited my registry, and accessed Outlook. I tell Script Sentry not to run the script and crisis averted.

    Oh, and the program is 100% free (although I have a means for people to "donate" if they feel it's worth the $$$).

    In case anyone's interested, the URL is http://www.jasons-toolbox.com/scriptsentry.asp [jasons-toolbox.com]
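    The post above describes the useful middle ground between deleting the .VBS association and trusting every attachment: look at what a script would do before it runs, and ask. As an added example (not Script Sentry's code, and no claim about how that program works) here is a minimal static triage in that spirit. It strips VBScript comments, then pattern-matches for the three behaviours the poster names (file deletion, registry edits, Outlook access), two self-spreading tells (walking the address book, copying its own file) and one obfuscation tell. Both scripts below are constructed for this example; neither is a real worm.

```python
"""Static triage of a VBScript attachment before it is allowed to run.

Added example prompted by the Script Sentry post; not that program's code. It strips
comments, then pattern-matches the script for the behaviours the poster lists plus
two self-spreading tells and one obfuscation tell, and reports what the script would
have done. Both sample scripts are constructed; neither is a real worm.
"""
import re
from typing import Dict, List, Tuple

# (category, pattern). VBScript is case-insensitive, so the regexes are too.
RULES: List[Tuple[str, str]] = [
    ("deletes files",    r"\.(DeleteFile|DeleteFolder)\b"),
    ("edits registry",   r"\.(RegWrite|RegDelete)\b"),
    ("accesses Outlook", r"CreateObject\s*\(\s*\"Outlook\.Application\""),
    ("mass-mails",       r"\.AddressLists\b|\.Recipients\.Add\b"),
    ("copies itself",    r"\bWScript\.ScriptFullName\b"),
    ("obfuscated",       r"\b(Execute|ExecuteGlobal|Eval)\s*\(|\bChr\s*\(\s*\d+\s*\)\s*&"),
]
BLOCK_ON = {"deletes files", "edits registry", "accesses Outlook", "mass-mails"}

SAMPLE_SCRIPT = r'''
' constructed sample: NOT a real worm, just the calls a mailer worm makes
Set fso = CreateObject("Scripting.FileSystemObject")
Set sh  = CreateObject("WScript.Shell")
sh.RegWrite "HKCU\Software\Example\Seen", "1"
fso.CopyFile WScript.ScriptFullName, "C:\WINDOWS\example.vbs"
fso.DeleteFile "C:\photos\*.jpg"
Set ol = CreateObject("Outlook.Application")
Set ns = ol.GetNameSpace("MAPI")
For Each al In ns.AddressLists
  Set m = ol.CreateItem(0)
  m.Recipients.Add al.AddressEntries(1).Address
  m.Send
Next
'''

BENIGN_SCRIPT = r'''
' constructed benign sample; the comment below must not trigger a rule
Set sh = CreateObject("WScript.Shell")
sh.Popup "Hello from the help desk", 5, "Notice"
' a note that mentions DeleteFile and RegWrite but is only a comment
'''


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment, ignoring apostrophes inside double-quoted strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan(script: str) -> Dict[str, List[Tuple[int, str]]]:
    """Map each triggered category to the (line number, code) pairs that triggered it."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for no, raw in enumerate(script.splitlines(), 1):
        code = strip_comment(raw).strip()
        if not code:
            continue
        for category, pattern in RULES:
            if re.search(pattern, code, re.IGNORECASE):
                report.setdefault(category, []).append((no, code))
    return report


def verdict(report: Dict[str, List[Tuple[int, str]]]) -> str:
    """'block' for clearly harmful behaviour, 'review' for tells alone, else 'allow'."""
    if BLOCK_ON.intersection(report):
        return "block"
    return "review" if report else "allow"


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        rep = scan(text)
        print(f"{name}: {verdict(rep)}")
        for category, where in rep.items():
            print(f"  {category} (line {', '.join(str(no) for no, _ in where)})")
```

    The verdict is a heuristic, which is why a tool of this kind asks the user rather than deciding: a legitimate logon script also writes the registry, and a script that assembles its calls with Chr() and Execute shows the scanner nothing but the obfuscation tell. That limitation is the same one the post's critics of "turn off VBScript" point at from the other side; the real fix is not letting mail attachments reach the script host at all.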
  • by phaze3000 (204500) on Wednesday May 16, 2001 @11:02PM (#217812) Homepage
    It may use your CPU cycles, but if you were remiss enough to fail to patch well-known security holes then you should be grateful someone is using your CPU time to stop your PC from being used in malicious ways. This worm will help deplete the number of boxes which script kiddies are able to use to crack other systems - which can only be a good thing.

    --
  • Antibiotics usually aren't effective against viruses. Innoculation as the result of vaccination can protect one against them, but not antibiotics. (The over prescription of antibiotics against viruses is part of the cause of drug resistant bacteria and viruses, according to this story on NPR [npr.org], about 2/3 of the way down, "Antibiotics use")
  • I just checked my logs, and I've only had three hits on 10008. One from Canada, another from Korea, and the third from Sweden. That was three days ago, in a six hour period. So at least it doesn't look like this thing is going to melt down the internet.
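    For anyone wanting to repeat the check in the post above on their own firewall logs, here is an added example (not from the page, and not the poster's script) that pulls TCP packets to port 10008 out of netfilter-style kernel log lines, groups them by source and reports how many distinct sources hit in what span. The log lines are constructed for this example in the iptables LOG key=value format, with documentation addresses standing in for the poster's three sources; syslog lines carry no year, so the year is an assumed constant.

```python
"""Count probes of tcp/10008 in a netfilter-style firewall log.

Added example, not from the page. The log lines are constructed in the kernel's
iptables LOG format; the three sources stand in for the three hits the poster saw.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

ASSUMED_YEAR = 2001  # syslog timestamps carry no year; assumed from the thread's date

SAMPLE_LOG = """\
May 14 02:10:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.2 LEN=60 TTL=48 ID=1 DF PROTO=TCP SPT=3422 DPT=10008 WINDOW=5840 SYN
May 14 02:10:14 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.2 LEN=60 TTL=48 ID=2 DF PROTO=TCP SPT=3422 DPT=10008 WINDOW=5840 SYN
May 14 03:47:30 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.2 LEN=60 TTL=50 ID=9 DF PROTO=TCP SPT=1025 DPT=10008 WINDOW=32120 SYN
May 14 04:02:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.200 DST=192.0.2.2 LEN=48 TTL=115 ID=77 DF PROTO=TCP SPT=2180 DPT=80 WINDOW=16384 SYN
May 14 07:55:41 gw kernel: IN=eth0 OUT= SRC=203.0.113.19 DST=192.0.2.2 LEN=60 TTL=44 ID=5 DF PROTO=TCP SPT=40021 DPT=10008 WINDOW=5840 SYN
May 14 07:55:42 gw kernel: IN=eth0 OUT= SRC=203.0.113.19 DST=192.0.2.2 LEN=84 TTL=44 ID=6 PROTO=ICMP TYPE=8 CODE=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: (?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one kernel LOG line into its key=value fields plus a 'ts' datetime.
    Bare flags such as DF or SYN carry no '=' and are ignored."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(KV_RE.findall(m.group("rest")))
    rec["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return rec


def probes_to_port(lines: List[str], port: int) -> Dict[str, List[datetime]]:
    """Group TCP packets logged with DPT=port by source address, timestamps sorted."""
    hits: Dict[str, List[datetime]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "TCP" or rec.get("DPT") != str(port):
            continue
        hits.setdefault(str(rec["SRC"]), []).append(rec["ts"])  # type: ignore[arg-type]
    for ts_list in hits.values():
        ts_list.sort()
    return hits


def summarize(hits: Dict[str, List[datetime]]) -> Dict[str, object]:
    """Packet count, distinct sources, first/last seen and span in hours (0.0 if none)."""
    all_ts = sorted(t for ts_list in hits.values() for t in ts_list)
    if not all_ts:
        return {"packets": 0, "sources": 0, "first": None, "last": None, "span_hours": 0.0}
    span = (all_ts[-1] - all_ts[0]).total_seconds() / 3600.0
    return {"packets": len(all_ts), "sources": len(hits),
            "first": all_ts[0], "last": all_ts[-1], "span_hours": round(span, 2)}


if __name__ == "__main__":
    h = probes_to_port(SAMPLE_LOG.splitlines(), 10008)
    s = summarize(h)
    print(f"{s['packets']} packets from {s['sources']} sources to tcp/10008 "
          f"between {s['first']} and {s['last']} ({s['span_hours']} h)")
    for src, ts_list in sorted(h.items(), key=lambda kv: -len(kv[1])):
        print(f"  {src:16} {len(ts_list)} packet(s), first at {ts_list[0].time()}")
```

    On the constructed log this reports four packets from three sources in under six hours (one source retransmitted its SYN), which matches the shape the poster describes: a few probes, not a flood. A SYN to 10008 only tells you something was looking for the backdoor; whether it found one is a question for the host itself (is anything actually listening on that port?), not the firewall log.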
  • Those people who object to it purely because it is a worm are idiots.

    I think it's a great idea. Perhaps, if instead of modifying your system for you, it sent an email to postmaster, webmaster or root with a detailed explanation of what it found and how it could be fixed, this would take care of many of the complaints I see here.

    The neat thing that I see here is that this is a step closer to a "self-healing" system. If this worm were updated and released by a serious security organization which keeps track of the latest cracks with drop-dead dates to ensure that only the latest version is spreading, then this is a step closer to a more secure internet for all of us. Maybe trying to actually fix the system was a bit too ambitious because nobody will (should) trust it.

  • When Autostart worms were going around sneaking their way onto CD's and spreading across networks a mysterious variant showed up on a MacAddict cd that did pretty much all that except it removed all the others and protected you against them. It also removed itself on Christmas day.
  • by hillct (230132) on Wednesday May 16, 2001 @10:26PM (#217829) Homepage Journal
    So, someone actually did it. They wrote a worm that did good rather than bad. Cool, but it still trespasses onto my box, uses my CPU cycles and bandwidth to propagate itself.

    This may be a white hat release, or it could be some odd sort of new Antivirus software prototype (laugh!) but in reality it's just a virus/worm like any other. The payload is just some weird combination of benign and malignant (but not malicious per se). I still object to any software that modifies my system configuration for me, regardless of its moralistic approach.

    --CTH

    --
  • Surprised nobody noticed some of the glaring holes in the technical quality of this article. It's really sad that tech writers on average have such a lousy grasp of what they're talking about and/or that they end up garbling facts trying to talk-down to the level of the average joe public.

    It's also sad that so many of these articles end up on /. Example from the above article:

    "Web browsers wait for data on port 80 and 8080"

    Maybe I'm just being persnickety - but I've never had mozilla running from my inetd.
  • If we start allowing worms such as this one back on our systems, just because, "Well, it might help", it won't be long before somebody combines one that fixes one hole while making a new, bigger one.

    I agree completely and would probably reload an infected machine from backup just to be safe...

    That being said, I have thought about making similar programs with limited spreading abilities (i.e. only able to traverse private IP networks, not cross the internet, etc.) as a self-policing action within a network.

  • by iomud (241310) on Wednesday May 16, 2001 @09:10PM (#217833) Homepage Journal
    Is this the first form of distributed security?
  • I can imagine a win32 version of this thing myself. Think if its nice enough to actually output what its doing to a window.

    Cheeseworm Win32 Version...
    Scanning hard disk...
    Possible Trojan (VNC.exe) found, removing now...
    Possible Virus (Filemon.exe) found, removing now...

    Argh!

    (Btw, I selected these 2 examples since some anti-virus programs have a huge problem with both of them, since VNC opens a "port" on your computer to remotely access the desktop, and Filemon embeds itself into the system and checks what files are accessing other files.)

  • This worm is welcomed just like the 'PingPong' virus. I still remember everybody in our lab got one of these harmless viruses just to watch an 'O' bouncing on screen when doing DOS homework.

    "Virus? You mean it's a virus?"
  • "I would rather not have anything that comes in uninvited and messes with my computers," he said.

    Said by an idiot who has his boxes infected with The tHing, SubSeven, NetSphere, Deep Throat,Master Paradise, Silencer, Millenium, Devil, NetMonitor, Streaming Audio Trojan, Socket23, Gatecrasher, Net Control, Telecommando, Gjamer, IcqTrojen, Priotrity, Vodoo, Netspy, ShockRave, Stealth Spy, Pass Ripper, Attack FTP, GirlFriend, Fore, Schwindler, Tiny Telnet Server, Kuang, Senna Spy Trojans, WhackJob, Phase0, BladeRunner, IcqTrojan, InIkiller, PortalOfDoom, ProgenicTrojan, Prosiak 0.47, RoboHack, Silencer, Striker, TheSpy, TrojanCow, UglyFtp, WebEx, Backdoor, Phineas, Psyber Streaming Server, Indoctrination, Hackers Paradise, Doly Trojan, FTP99CMP, Shiva Burka, BigGluck, NetSpy, Hack?9 KeyLogger, iNi-Killer, ICQKiller, Portal of Doom, Firehotcker, Master Paradise, BO jammerkillahV, AOLTrojan1.1, Hack'a'tack, The Invasor, SpySender, The Unexplained, Bla, FileNail, ShitHeep, Coma, Bla1.1, HVL Rat5, BackConstruction1.2, Kuang2 theVirus, Xtcp 2.00 + 2.01, Schwindler 1.82, Doly trojan v1.35, Doly trojan v1.5, Vampire, DeltaSource, Trojan Spirit 2001, Maverick's Matrix 1.2 - 2.0, Total Eclypse 1.0, OOTLT + OOTLT Cart, Eclipse 2000, NetMetro 1.0, Illusion Mailer, InCommand 1.0 + 1.3 + 1.4, NeTadmin, Logged!, Shitheep, Schoolbus 1.6, Schoolbus 2.0, Chupacabra, TheThing 1.6, AimSpy, NetMetropolitan 1.04, Transcout 1.1 + 1.2, SoftWar, Ambush, Der Spaeher 3, Insane Network, The Prayer 1.2 + 1.3, Host Control 1.0, Yet Another Trojan, NetRaider, TCPShell.c, PC Crasher, Mini Command 1.2, Mosucker, Rat 1.2, FakeFTP, Intruse Pack 1.27b, Snid X2, Freak 88, Asylium 0.1&0.11&0.12&0.13, Prosiak, Traitor 2.1, Connection, Host Control 2.6, BIONET, Rux.PSW, CrazyNet, Rux.Backdoor, Infector 1.x.

    *phew*
  • imagine bands of roving web worms maintaining and managing the security of the net. am I just tired, or does this sound really cool?

    You're just tired, and yet your idea is really cool. :)
    The problem is how to distinguish good worms from bad worms? I mean, the security worms have root privilege; one bad worm will screw up the whole network!

    It reminds me of a seminar featuring a security package (on NT) which centralized security maintenance and recovery. Just like your distributed model, the security program has all the administrative power on all workstations. I asked the speaker what if the crackers hacked the centralized facility...
  • Troll Catcher and you have good points. It may work.
    At least it'll work for an inhouse network. We might face legal issues putting it on the Internet anyway.
    Let's start a project on sourceforge. What do you think? :)
  • a friend of mine got hired to do that with VBScript actually, because an entire company had melissa or one of those nasty outlook ones.
    ---
  • or Lion? or Adore?

    those are Linux worms. destructive worms.

    You think one can use those to express the advantages of open source? (i may be stupid, or maybe it's because i haven't slept at all, but i fail to see your point..)

  • by Some call me...Tim (307785) on Wednesday May 16, 2001 @09:03PM (#217851)
    Sure, it starts with the cheese worm. But then another group comes up with the mouse worm that breaks in through security holes left unpatched by the cheese worm, removing the cheese worm and installing itself. Then comes the morphing cat worm, that not only breaks in on mouse patched sites, but also downloads updated patches from servers that further increase security...

    The war of the patch-virii.

    A friend of mine suggested to me that whatever you look for on the Internet, it will seemingly spring into being simply by the fact of you looking for it. That same friend came up with this idea of patch viruses that break into and repair security holes. And **Poof**, it exists.

    Be careful what you look for...

  • Remember back in September, when Slashdot was hacked [slashdot.org]? The guys that did it apparently just wanted the experience of hacking Slashdot; they posted a victory story and emailed Taco with full details about how they did it.

    But Taco & company decided to rebuild the entire system as though they had maliciously taken over.

    Similarly, even if this "good" worm hits me, I'll treat it like a bad one. You never know, it would be ingenious for some l4m3 (or whatever the numeric abbreviation is) hackers to release a version that looks like "Cheese" but actually does a "rm -rf /".

    --------------------------------
  • by sleeper0 (319432) on Wednesday May 16, 2001 @09:24PM (#217862)
    I see a lot of tacid support for this worm here. Really, it's not surprising to see. Earlier linux worms have started the practice of patching the holes, if for no other reason than to make sure they have full reign on the box and won't be stepped on by the next leet worm to come along.

    I know the author had semi-good intents, but the effort is really mis-guided. Worm proliferation has become significant in the last year (really, six months). A number of effective worms are out there that target both linux and windows. Watching my firewall logs on a variety of hosts (cable, and several colo ISPs) show that the number of intrusion attempts (or at leasts scans, but 90+% of this has to be worm traffic) has increased for me by a factor of 10 since the 1st of the year.

    This kind of traffic, whether good or bad intentioned, adds to network congestion, makes running an IDS challenging at best, and has made the ISP's effectively throw their hands up at having any kind of enforcement about hacking attempts. I don't know if anyone has tried reporting the sources of intrusions to their ISP's, but such reports now fall on dead ears almost all the time. Plus, it decreses the S/N ratio on the network security wise considerably. It is much harder to back-track or IDS post-mortum a REAL threat/attack with all of these other attacks going on at the same time. While worms may pose a minimal threat as far as their attack sophistication, a skillfill hacker can use all this worm traffic as an effective cloak.

    Even though you can argue that it's all relatively low traffic, that you need a good firewall, and that IDS should only be run inside those firewalls, you still have the possibility of serious network problems on the horizon. It's not unthinkable that in the near future a large percentage of Linux boxes will have multiple worms, exploiting multiple vulnerabilities, all running and infecting other boxes. The fallout from this could be severe. Throw in a few anti-worms, and a few bugs caused by the interactions of it all, and you could have a real hellstorm, quietly building now. Surely people remember the Morris worm in '89? While bandwidth was more easily swampable at that point, we are perhaps only a few years away from waking up to that kind of destruction one morning.

    The only real answer is for us to forcibly demand that OS vendors become much more diligent about security. If I were a national government I would truly consider this a serious threat to my infrastructure. While OS vendors have become more responsible across the board, we need to shoot for a higher bar. OS vendors need to provide very paranoid installations as default, with software firewalls enabled. The user should have to be asked for each service to be enabled. 100% available services such as ICMP echo should be required to be sandboxed or stack protected. OSes need to provide as a default security update monitoring, and easy, semi-automatic processes for installing new security-related patches quickly, even if the admin is prone to do nothing. Nag the hell out of them to update. I would even argue that services with security holes should be automatically disabled by the OS, forcing the user to either update the service or manually restart the service, essentially accepting the liability for acting like a moron.

    I'm sure a lot of you will think I have an overly extreme opinion, and that things are mostly fine. I can't argue that I think the situation is out of control now. But with our infrastructure as vulnerable as it is right now, it will only take one or two really good worms to show everyone how it should be done. The only thing that has really saved us so far is the fact that no one has done it... It is easily accomplishable.

  • by sleeper0 (319432) on Wednesday May 16, 2001 @09:29PM (#217863)
    I really can't stand behind the release of that kind of worm... While it's entertaining, and certainly well-intentioned... I just can't condone worm proliferation.

    You know what would be great though, and be essentially the same code? Something that listened to your firewall logs, detected worms that scanned you, and then went out to their hosts and basically ran its course, disabling the other worm and closing security holes. But not leaving code to proliferate itself.

    I know this would be no different legally, but I would sure feel 100% better about it. How poetic is it to detect a scan and then hack in to shut it down to keep it from scanning anymore. Without any scanning yourself.

    Any takers on a modified cheese worm?

  • by Bakajin (323365) on Wednesday May 16, 2001 @08:38PM (#217864) Homepage Journal
    The ethics are debatable, but it's incredible to think someone actually did take the time to make a 'good' virus.
  • by LesFerg (452838) on Thursday May 17, 2001 @04:09AM (#217884) Homepage
    I wrote one of these last week, after reading the homepage source.

    It's just a VBS script that essentially changes the default Windows action for a number of script file types to be 'edit' instead of 'open'. This mostly stops all those email-attachment clickers from running code indiscriminately.

    I contemplated adding the next step, of accessing the address book and forwarding itself onwards, in the hopes that anybody still silly enough to execute script files via email will commit the final necessary act to stop this from happening again.

    In the end, I decided not to distribute this because of its potential for jamming up mail servers and generally causing a nuisance for people who already know better and don't allow Outlook to execute such code in the first place.

    Les
