Printable View
This is a pretty interesting approach...
Whole post on slashdot: http://slashdot.org/articles/03/05/1...tid=95&tid=172Quote:
'We have also postted a Fizzer cleaner to the actual URL that the bot downloads its updates from, as a self extracting and running executable.' The Fizzer-uninstaller posted there creates the file '%WinDir%\uninstall.pky', which then causes Fizzer to remove all of its registry keys. Looks like the Fizzer worm will soon come to an end."
Dan Hanson has posed a question on the Incidents@SecurityFocus mailing list regarding this.
Essentially, it seems like vigilantism that is no more or less legal than the worm it seeks to disable.
On the one hand you have an unauthorized 3rd-party making unauthorized changes to your system. On the other hand, if the infected party isn't going to detect and clean their own infection shouldn't the other members who share the Information Superhighway with that device have a right to handle it?
I wanted to link to the post in the web archive, but the message posted at 12:30 this morning and the archive isn't that up to date yet. Dan Hanson's post is called "A Question For The List..."
He makes reference to a presentation from the Blackhat Conference:
And he poses some interesting questions for discussion about this sort of strategy:Quote:
At last year's Blackhat conference in Las Vegas, Tim Mullen presented what turned out to be a very controversial proposal. Briefly, he questioned why it would be inappropriate to strike back and disable (if not remove) a worm from hosts that are clearly not being adequately managed.
Should make for interesting debate.Quote:
-What are the implications down the road?
-Are there concerns that organizations have with this trend? Legal? Precedure?
-Is this any different than a similar activity that installs malicious code on the target host?
-The approach that Tim advocated was significantly less intrusive than the approach taken with the Fizzer virus, Tim's approach made no significant changes on the targeted host, simply blocked the ability of Nimda to replicate (if I remember correctly), and notify the owner that they have been compromised and where to go to find help in removing the infection. The approach taken to actually modify the system to remove Fizzer seems to go significantly past that. Why was the reaction to Tim's advocacy of discussion so hostile, and to date, I have seen no negative criticism of the Fizzer removal.
-Is this a catalyst for a group (IETF?) of some kind to debate these issues to find a resolution? I think that most people would agree that the increasing risk that these distributed networks pose to every Internet connected host is grave, and a better method is required to deal with them. Are there other ideas that don't get us into "arms races" with malcode writers.
-If this becomes standard practice, will this force the communication and update channels underground/encrypted (the "arms race" that I mentioned)
-What are some of the strategies that organizations are implementing to control their exposure to these communication channels?
-If a command can be given in a channel to "shut down" the network of hosts, what is the view on the legality of doing this? If you had a host on your network that was suddenly shut down by a well meaning (or not so well meaning third party), what would your response be?
I am not advocating the validity of one side over another, I just find it curious how similar the idea of Tim's, and the actual attempt to remove the virus, are.
It has hit news.com
According to them the geocities site has been taken down again and they are questioning the legality of the thing.
Full story
It is indeed an interesting discussion.
Shouldn't there be an organization or organizations with the authority to police the Internet somehow or release virus "vaccines" and "anti-worms" into the wild to clean the machines of those too ignorant or too lazy to do so themselves?
Do the individual rights of the user outweight the rights of the Internet community at large to defend themselves?
I wrote an article on my site about this subject: Counter-Hacking: Savior or Vigilante
I also highly recommend Tim Mullen's articles on SecurityFocus and viewing Tim Mullen's presentation from the Blackhat conference regarding this topic:
The Right to Defend
Strikeback, Part Deux
BlackHat Conference PowerPoint Presentation
That would be interesting. It had to be an orginazation that knows what they are doing though.Quote:
Originally posted here by tonybradley
Even without a “police force” with the authority to enforce rules or guidelines on the Internet, should there be an organization or organizations with the authority to create counter-worms or virus vaccines that would proactively seek out infected computers and attempt to clean them? Ethically, would invading a computer with the intent to clean it be any better than the virus or worm that invaded the computer in the first place?
Like the spoofing of the email adresses, you don't want to 'fix' the wrong one.
Great reading material Tony.
As long as it isn't run by the US .gov... some group/organization might be able to make it work.Quote:
should there be an organization or organizations with the authority to create counter-worms or virus vaccines that would proactively seek out infected computers and attempt to clean them?
The .gov doen'st seem to know WTF they are doing when it comes to creating technology laws. They just turn around and break the same laws that they make. They just leave it up to the MPAA and RIAA... anyone with a major bucks in their pocket(s) seems to be able to make a tech law in the US.
Good examples... DMCA and SUPER DMCA.
But... thats a whole other story all together.... :rolleyes:
I don't see why antivirus companies couldn't make it work. They already create the "cures" for these viruses. If they can make the virus attack itself... I don't see the harm in that.
Not only had they put an uninstall program/commands at the location where the virus was supposed to update... but
IRC admins were finding these machines connected to their servers. Then the admins would send a command to the infected machines which would make the virus uninstall itself. Good idea if you ask me.
SourceQuote:
John McGarrigle of RealmNET started the project only a week ago, bringing in over a hundred IRC admins, and in that time the group has developed a way of uninstalling fizzer from infected hosts in large numbers. The group has "collected more information on the fizzer virus than one network and it's staff could ever manage on it's own,"
Too bad all of them aren't this easy to fight back against.
I agree with you phish, but if the antivirus companies, we're allowed to clean up a wild virus, who would fit the bill? You know as well as I do that these companies only exist because there is money involved. ****, it wouldn't suprise me if they wrote some of the things. I keep my machine clean, I even collect the little bugs so I may dissect them. I understand what they are. However, there are several people I know directly that don't have AV, let alone see the importance in it. This is a very good idea. I think it will be a long time before we have a true resolution.