Ethics and computer security

View Poll Results: Is it o.k. to remove malware remotely without informing the infected machines owner?

Voters
32. You may not vote on this poll
  • Yes

    11 34.38%
  • No

    21 65.63%
Results 1 to 10 of 16

Thread: Ethics and computer security

Hybrid View

  1. #1
    Member
    Join Date
    Feb 2005
    Posts
    45

    Question Ethics and computer security

    The highly succesfull bagle worm was capable of being removed remotely.

    From f-secure http://www.f-secure.com/v-descs/bagle.shtml

    "Remote Removal
    F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work.
    Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.
    The byte sequence to be sent:
    0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00
    Please note that the usage of this method agains someone else's computers might be legally questionable."

    F-Secure notes above that using this method is legally questionable when run against someone elses computer. Putting aside the legality of this method (although anyone who has worked in "cyber" law please comment) I am curious if the community thinks the method is morally acceptable.
    Last edited by stevel; October 25th, 2006 at 09:33 PM.

  2. #2
    Senior Member deftones12's Avatar
    Join Date
    Jan 2003
    Location
    cali forn i a
    Posts
    333
    i could see going in remotely and removing the worm being questionable, because you would be gaining access.
    but how is sending a specific 'byte sequence' to a certain port questionable or "gaining access"? its basically no different than pinging another machine, you're just doing it with a certain byte sequence, or at least thats what i understood from readin that.
    maybe i'm missing something.

  3. #3
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    F-Secure notes above that using this method is legally questionable when run against someone elses computer
    By aknowledging that what they are doing can and could be considered illegal, then why are they doing it? what's the point, and the reverse is true, if they can remove remotely then they can also add remotely which is the principle of the idea, so they shouldn't do it without the owners approval.JMO
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  4. #4
    Member
    Join Date
    Feb 2005
    Posts
    45
    dalek,

    The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.

  5. #5
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Quote Originally Posted by stevel
    dalek,

    The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.
    Tks for clearing that up...

    Okay, after reading this, I would assume it's on private networks we are talking about, and if so, then admins can certainly go ahead and use it to catch any of the infected PC's on a network. Is that how it plays out, if so then the legalities are moot?


    Good morning.
    The following forwarded message is from Joe Stewart to TH-Research (The Trojan Horses Research Mailing List).
    In it Joe explains of a way for admins (or anybody really) to easily and massively remove Bagle infections from their networks.
    There are other ways to do this, but this is the most simple that I saw thus far.

    Thanks again to Joe for all his work.
    Drop him a thank-you note if this helps you, he's a good guy!
    Gadi Evron

    The Trojan Horses Research Mailing List - http://ecompute.org/th-list


    From: Joe Stewart <jstewart@lurhq.com>
    To: TH-Research
    Subject: [TH-research] Bagle remote uninstall
    Date: Tue, 20 Jan 2004 17:19:41 -0500
    Mail from Joe Stewart <jstewart@lurhq.com>

    If you can't wait till January 28, Bagle has a remote uninstall command
    which can be sent over port 6777, the port also used to upload the
    second stage.
    For instance, using perl and netcat, you could send the uninstall
    command with the one-liner below:
    perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
    | nc infected_host_IP 6777
    When the command bytes above are received by an infected host, the virus
    will exit and delete its executable (using a batch script after the
    fact). The registry keys are not removed.
    -Joe
    http://archive.cert.uni-stuttgart.de.../msg00197.html
    Last edited by dalek; October 25th, 2006 at 09:59 PM.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  6. #6
    Member
    Join Date
    Feb 2005
    Posts
    45
    I was thinking more along the lines of using this against a machine outside your network. For instance if your users were getting spammed with email virus from an infected machine outside of your network and the infected machine is not behind a firewall, is it acceptable to use this remote removal technique?

    It is an open port with a "service" running on it. You would not be manipulating the software to function outside of its intended purpose... I'm thinking it is acceptable.

  7. #7
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Basically you should not use a remote tool against a computer that you do not own or administer.

    There have been one or two of these that were badly written and caused more problems than they solved

    If you wrote something like that you would be in big trouble no matter how honourable your intentions.

    I don't think that it is worth the risk.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  8. #8
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    It depends... What protocol does it use? UDP? You're not establishing a connection, so technically you're not gaining access. If it is TCP, then you'd be establishing a connection and thus unauthorized access.

    If it was UDP, the tool could simply "spoof" the src address so there would be no "proof" of who sent the sequence. (well, depending on how the ISPs routers are setup)

    It's not like you're installing a tool to uninstall it. You're executing a built in command but doing so in a way that you don't connect to it?
    Last edited by phishphreek; October 25th, 2006 at 09:36 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Hmmmm,

    I think we need to be a bit careful in our definitions. I would guess that such an action was not strictly "immoral" or "unethical" as the intentions are not malicious.

    However, as the activity is not authorised, it could well be technically illegal, depending on your local legislation.
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    AO Guinness Monster MURACU's Avatar
    Join Date
    Jan 2004
    Location
    paris
    Posts
    1,003
    For me the answer is a bit simpler. Removing an infection without telling the owner of the machine wont really do much to help you as if they got infected once they will more than likely get infected again. Where possiable you should inform the owner of the machine.
    \"America is the only country that went from barbarism to decadence without civilization in between.\"
    \"The reason we are so pleased to find other people\'s secrets is that it distracts public attention from our own.\"
    Oscar Wilde(1854-1900)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides