Poll results: Is it o.k. to remove malware remotely without informing the infected machine's owner? (32 votes)
  • Yes: 11 (34.38%)
  • No: 21 (65.63%)
  1. #11
    Join Date
    Feb 2005
I don't think the sysadmins here would have an infected machine sending email worms outside their network, at least not for an extended period of time. ;D

    I think doing this individually and manually is perfectly acceptable. You connect to others' hardware, ports and services constantly while using your PC. The worm itself was written with remote removal capabilities. You are using the software within the range of its intended purpose.

    Now if you automate this process, such as Nachi did, which also installed malware to scan for infected machines, you've gone too far.

  2. #12
Senior Member nihil
    Join Date
    Jul 2003
    United Kingdom: Bridlington
I am sorry to have to disappoint you, but it doesn't work like that. I am afraid you will just have to trust me, but when an incident like that happens the stuff comes flying at you thick and fast. You honestly do not have the time or resources to do things individually and manually.

    At least NOT for third parties... you are too busy looking after those who pay your salary.

    The tool/technique cited was designed for network admins to do bulk/remote clean-ups on their own domains.

Which brings me to another point: even if it were legal where you live, you still wouldn't do it. You see, you would still be liable under civil law for any damage you might cause, and, as you don't know other people's systems, that would be quite possible.

You only have to look around the AV vendors' and security sites at the free tools that are on offer. They all come heavily festooned with legal disclaimers.

    Anyone going out and doing things without permission would have no such protection whatsoever.

  3. #13
    Join Date
    Feb 2005
My intentions for this thread seem to have gone askew, in part because of the scenario I chose as an example but more so because I was too vague. Let me pose another similar scenario.

    A machine OUTSIDE of your network is aggressively scanning your network for a well known vulnerability in IIS. This is causing your log files to be more difficult to parse, perhaps setting off a large number of IDS alerts, or just generally being a nuisance.

You know that this scanning is typically caused by a machine that is infected with a specific worm. You also know that, along with scanning for vulnerable hosts, this worm connects the infected machine to an IRC botnet channel.

    If given the ability, you could join this IRC botnet channel and execute a command that would uninstall the worm from the infected hosts. Would you do it?

    Nihil, I think your definition of authorized access is too narrow. If someone has a wide open FTP server with no authentication and no banner stating it is for authorized use only, and I upload a large file that crashes the server, am I legally and morally responsible for the crash for using the service as it was intended?

  4. #14
Senior Member IKnowNot
    Join Date
    Jan 2003
    If given the ability you could join this irc botnet channel and excecute a command that would uninstall the worm from the infected hosts, would you do it?

    Nihil, I think your definition of authorized access is to[o] narrow.
You asked for opinions, but Nihil's opinion, your opinion, and my opinion are not what really count; the opinion of the courts in the respective jurisdictions is what really matters. Nihil is just giving you what you asked for, based on his understanding of how the laws are generally written and how the courts interpret those laws.
    I think Nihil's definition is based on years of study and quite possibly personal experience dealing with attorneys!

Since you restructured your question, let me try to keep it simple by posting part of a legal definition of "Authorized Access" (taken from N.J.S.2C:20-23):
    "... An actor has authorization if a reasonable person would believe that the act was authorized."

Naturally, if there is a banner or warning posted upon accessing a system, it is clear who is and is not authorized. (A tool such as described probably would not even locate such a banner, as it is using other, non-standard ports and/or protocols to access the systems.)
    But just because there is no banner does not mean that someone can assume (or reasonably believe) they are authorized to access a system, or to access a system in a way not normally intended.
    Example: just because you are authorized to access Google to perform searches on the Internet does not give you authorization to ssh into the server and search through their code, even if you don't disturb anything. And just because a computer is connected to the Internet does not automatically mean you can access it in any way, even to stop it from doing something that in itself is illegal (this, I believe, is called vigilantism.)

You do have other recourses, including contacting the ISP of the offending computer or blocking the computer from any and all access to yours (even if you have to create a separate rule to just drop everything from that offending computer and/or network block, and either cause your system to reduce the number of log entries per attempt or not log it at all.)

    This discussion has been going on for years, and the answer is always the same; you do not have the authority to attempt to clean a computer of a virus unless you are properly authorized to do so.

A more relevant question for today's state of the Internet, I believe, would be:
    How much liability is there on the ISP of a computer that is spreading worms, viruses, and/or spyware once that ISP has been notified of the illegal activity?
    What time frame would be considered reasonable for the ISP to react before they could be considered at least partially liable for damages caused by the continued connection of an infected computer?
    "And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
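The defensive recourse IKnowNot describes above (drop everything from the offending host and stop it flooding your logs) is the kind of thing a practitioner would script rather than do by hand. The following is an added example, not code from the thread or from any of its posters: it parses a few constructed IIS-style (W3C extended) log lines, picks out a source that is repeatedly probing for well known IIS exploit paths, and emits iptables commands that log at most one hit per minute from that source and silently drop the rest. The log lines, the addresses (documentation ranges), the probe signature list and the threshold are all assumptions made for the illustration.

```python
"""Added example: identify an external host aggressively scanning a web server
from its access log and produce firewall rules that drop it with rate-limited
logging. Everything below (log lines, IPs, signatures, threshold) is constructed."""
from collections import Counter
import re

# Constructed IIS W3C-extended log excerpt. 203.0.113.7 (a documentation-range
# address) stands in for the external scanner; 198.51.100.4 is a normal visitor.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2005-02-10 10:00:01 198.51.100.4 GET /default.htm 200
2005-02-10 10:00:02 203.0.113.7 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2005-02-10 10:00:02 203.0.113.7 GET /_vti_bin/..%255c../winnt/system32/cmd.exe 404
2005-02-10 10:00:03 203.0.113.7 GET /MSADC/root.exe 404
2005-02-10 10:00:03 203.0.113.7 GET /c/winnt/system32/cmd.exe 404
2005-02-10 10:00:04 203.0.113.7 GET /d/winnt/system32/cmd.exe 404
2005-02-10 10:00:05 198.51.100.4 GET /images/logo.gif 200
2005-02-10 10:00:06 203.0.113.7 GET /scripts/root.exe 404
"""

# Assumed detection signature: URI stems typical of IIS worm probes
# (directory traversal and calls to cmd.exe / root.exe).
PROBE_PATTERN = re.compile(r"(cmd\.exe|root\.exe|\.\./|%255c)", re.IGNORECASE)
THRESHOLD = 5  # assumed: number of probes from one source before it is blocked


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed records rather than crash on them
        yield dict(zip(fields, parts))


def find_scanners(text, threshold=THRESHOLD):
    """Return {source_ip: probe_count} for sources at or above the threshold."""
    counts = Counter()
    for rec in parse_w3c(text):
        if PROBE_PATTERN.search(rec["cs-uri-stem"]):
            counts[rec["c-ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def block_rules(ip, chain="INPUT"):
    """Return iptables commands, in execution order, that insert a rate-limited
    LOG rule at position 1 and a DROP rule right behind it at position 2, so
    the scanner is blocked and produces at most one log entry per minute."""
    return [
        f"iptables -I {chain} 1 -s {ip} -m limit --limit 1/min --limit-burst 1 "
        f"-j LOG --log-prefix \"scanner-drop: \"",
        f"iptables -I {chain} 2 -s {ip} -j DROP",
    ]


if __name__ == "__main__":
    for ip, n in find_scanners(SAMPLE_LOG).items():
        print(f"# {ip}: {n} probe requests")
        for cmd in block_rules(ip):
            print(cmd)
```

Running the script prints the rules for 203.0.113.7 instead of applying them, so the output can be reviewed (and the source checked against the ISP contact route IKnowNot mentions) before anything touches the firewall.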

  5. #15
    Join Date
    Oct 2003
    "However, as the activity is not authorised, it could well be technically illegal, depending on your local legislation"

Nihil, perhaps you are looking for the term contra bonos mores? Against the moral standard of the day.

    The issue raised here is at what point it is acceptable to open the door to a stranger's house because you have a master key. You're not necessarily going inside, but hey, there is a problem with the lock on the door and you want to help point that out. So legally, at which stage are you a burglar/intruder/professional?

    So hey, isn't that what some real haxors are out to do? "Test the realms of security of companies?"

    Where is the differentiation between what security professionals are doing and haxors? I need permission to do a pen test, don't I, no matter what type of test? This would be the same as me trespassing/perhaps even grey hatting; I should lose my license or quali if caught in that situation.

    I thus agree with nihil. Taking it further, in my case, vigilantism, which I liken this to, should not be permitted.
    HO$H Pagamisa. Pro Amour Ludi....

  6. #16
AO Guinness Monster MURACU
    Join Date
    Jan 2004
For me the answer is a bit simpler. Removing an infection without telling the owner of the machine won't really do much to help you, as if they got infected once they will more than likely get infected again. Where possible you should inform the owner of the machine.
    "America is the only country that went from barbarism to decadence without civilization in between."
    "The reason we are so pleased to find other people's secrets is that it distracts public attention from our own."
    Oscar Wilde(1854-1900)
