Quote:
At last year's Blackhat conference in Las Vegas, Tim Mullen presented what turned out to be a very controversial proposal. Briefly, he questioned why it would be inappropriate to strike back and disable (if not remove) a worm from hosts that are clearly not being adequately managed.
And he poses some interesting questions for discussion about this sort of strategy:
Quote:
-What are the implications down the road?
-Are there concerns that organizations have with this trend? Legal? Procedure?
-Is this any different than a similar activity that installs malicious code on the target host?
-The approach that Tim advocated was significantly less intrusive than the approach taken with the Fizzer virus. Tim's approach made no significant changes on the targeted host; it simply blocked the ability of Nimda to replicate (if I remember correctly) and notified the owner that they had been compromised and where to go to find help in removing the infection. The approach taken to actually modify the system to remove Fizzer seems to go significantly past that. Why was the reaction to Tim's advocacy of discussion so hostile, while to date I have seen no negative criticism of the Fizzer removal?
-Is this a catalyst for a group (IETF?) of some kind to debate these issues to find a resolution? I think that most people would agree that the increasing risk that these distributed networks pose to every Internet-connected host is grave, and a better method is required to deal with them. Are there other ideas that don't get us into "arms races" with malcode writers?
-If this becomes standard practice, will this force the communication and update channels underground/encrypted (the "arms race" that I mentioned)?
-What are some of the strategies that organizations are implementing to control their exposure to these communication channels?
-If a command can be given in a channel to "shut down" the network of hosts, what is the view on the legality of doing this? If you had a host on your network that was suddenly shut down by a well-meaning (or not so well-meaning) third party, what would your response be?
I am not advocating the validity of one side over another; I just find it curious how similar Tim's idea and the actual attempt to remove the virus are.
Should make for interesting debate.