Poll: Is it o.k. to remove malware remotely without informing the infected machine's owner?

32 voters (you may not vote on this poll)
  • Yes: 11 (34.38%)
  • No: 21 (65.63%)

Thread: Ethics and computer security

  1. #1 Ethics and computer security

    The highly successful Bagle worm was capable of being removed remotely.

    From f-secure http://www.f-secure.com/v-descs/bagle.shtml

    "Remote Removal
    F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work.
    Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.
    The byte sequence to be sent:
    0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00
    Please note that the usage of this method against someone else's computers might be legally questionable."

    F-Secure notes above that using this method is legally questionable when run against someone else's computer. Putting aside the legality of this method (although anyone who has worked in "cyber" law, please comment), I am curious whether the community thinks the method is morally acceptable.
    Last edited by stevel; October 25th, 2006 at 09:33 PM.

  2. #2 deftones12 (Senior Member; joined Jan 2003; location: cali forn i a; 333 posts)
    I could see going in remotely and removing the worm being questionable, because you would be gaining access.
    But how is sending a specific 'byte sequence' to a certain port questionable or "gaining access"? It's basically no different than pinging another machine, you're just doing it with a certain byte sequence, or at least that's what I understood from reading that.
    Maybe I'm missing something.

  3. #3 nihil (Senior Member; joined Jul 2003; location: United Kingdom: Bridlington; 17,188 posts)
    Basically you should not use a remote tool against a computer that you do not own or administer.

    There have been one or two of these that were badly written and caused more problems than they solved.

    If you wrote something like that you would be in big trouble no matter how honourable your intentions.

    I don't think that it is worth the risk.

  4. #4 dalek (The ******* Shadow; joined Sep 2005; 1,564 posts)
    Quote Originally Posted by stevel
    F-Secure notes above that using this method is legally questionable when run against someone else's computer
    By acknowledging that what they are doing can and could be considered illegal, then why are they doing it? What's the point? And the reverse is true: if they can remove remotely then they can also add remotely, which is the principle of the idea, so they shouldn't do it without the owner's approval. JMO
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson

  5. #5 phishphreek (AO übergeek; joined Jan 2002; 4,325 posts)
    It depends... What protocol does it use? UDP? You're not establishing a connection, so technically you're not gaining access. If it is TCP, then you'd be establishing a connection and thus unauthorized access.

    If it was UDP, the tool could simply "spoof" the src address so there would be no "proof" of who sent the sequence. (well, depending on how the ISPs routers are setup)

    It's not like you're installing a tool to uninstall it. You're executing a built in command but doing so in a way that you don't connect to it?
    Last edited by phishphreek; October 25th, 2006 at 09:36 PM.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6 nihil (Senior Member; joined Jul 2003; location: United Kingdom: Bridlington; 17,188 posts)
    Hmmmm,

    I think we need to be a bit careful in our definitions. I would guess that such an action was not strictly "immoral" or "unethical" as the intentions are not malicious.

    However, as the activity is not authorised, it could well be technically illegal, depending on your local legislation.

  7. #7
    dalek,

    The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.

  8. #8 dalek (The ******* Shadow; joined Sep 2005; 1,564 posts)
    Quote Originally Posted by stevel
    dalek,

    The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.
    Tks for clearing that up...

    Okay, after reading this, I would assume it's private networks we are talking about, and if so, then admins can certainly go ahead and use it to catch any of the infected PCs on a network. Is that how it plays out? If so, then the legalities are moot?


    Good morning.
    The following forwarded message is from Joe Stewart to TH-Research (The Trojan Horses Research Mailing List).
    In it Joe explains of a way for admins (or anybody really) to easily and massively remove Bagle infections from their networks.
    There are other ways to do this, but this is the most simple that I saw thus far.

    Thanks again to Joe for all his work.
    Drop him a thank-you note if this helps you, he's a good guy!
    Gadi Evron

    The Trojan Horses Research Mailing List - http://ecompute.org/th-list


    From: Joe Stewart <jstewart@lurhq.com>
    To: TH-Research
    Subject: [TH-research] Bagle remote uninstall
    Date: Tue, 20 Jan 2004 17:19:41 -0500
    Mail from Joe Stewart <jstewart@lurhq.com>

    If you can't wait till January 28, Bagle has a remote uninstall command
    which can be sent over port 6777, the port also used to upload the
    second stage.
    For instance, using perl and netcat, you could send the uninstall
    command with the one-liner below:
    perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
    | nc infected_host_IP 6777
    When the command bytes above are received by an infected host, the virus
    will exit and delete its executable (using a batch script after the
    fact). The registry keys are not removed.
    -Joe
    http://archive.cert.uni-stuttgart.de.../msg00197.html
    Last edited by dalek; October 25th, 2006 at 09:59 PM.
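    The forwarded message above gives the uninstall bytes twice, as a hex list in the F-Secure advisory and as a perl one-liner. The Python below is an added example, not part of the thread or of F-Secure's or Joe Stewart's material: it takes the defender's side of the discussion and flags the uninstall command when it shows up in captured traffic to port 6777, which tells an administrator that someone (inside or outside the network) is triggering the remote removal against a host. It also shows why the one-liner's "\x0412" produces the advisory's 0x04 0x31 0x32 rather than a four-digit escape. The flow-record layout and the sample records are constructed for illustration.

```python
# Added example (not from the thread): defender-side detection of the Bagle
# remote-uninstall command on port 6777.  Record layout and sample flows are
# constructed; the port and the 12-byte sequence come from the F-Secure text.

BAGLE_PORT = 6777  # port the worm listens on (second-stage upload and uninstall)

# The 12-byte uninstall command exactly as F-Secure lists it.
BAGLE_UNINSTALL = bytes([0x43, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00,
                         0x04, 0x31, 0x32, 0x00])


def perl_oneliner_bytes() -> bytes:
    """Reproduce what the quoted perl one-liner actually emits.

    Both perl and Python stop a \\x escape after two hex digits, so "\\x0412"
    is the single byte 0x04 followed by the ASCII characters '1' and '2'
    (0x31 0x32).  That is why the one-liner matches the advisory's hex list.
    """
    return b"\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"


def is_bagle_uninstall(dst_port: int, payload: bytes) -> bool:
    """True if a packet to the worm's listening port starts with the uninstall command."""
    return dst_port == BAGLE_PORT and payload.startswith(BAGLE_UNINSTALL)


# Constructed sample flow records: (src, dst, dst_port, payload as hex).
SAMPLE_FLOWS = [
    # uninstall command sent to the worm port: someone is triggering the removal
    ("192.0.2.10", "198.51.100.5", 6777, "43ffffff0000000004313200"),
    # same bytes to another port: not the worm's listener, no alert
    ("192.0.2.10", "198.51.100.5", 80, "43ffffff0000000004313200"),
    # unrelated bytes on 6777 ("GET / HTTP/1.0"): no alert
    ("203.0.113.7", "198.51.100.5", 6777, "474554202f20485454502f312e30"),
    # uninstall command followed by extra bytes: still matches via startswith
    ("192.0.2.11", "198.51.100.6", 6777, "43ffffff0000000004313200deadbeef"),
]


def scan_flows(flows):
    """Return one alert string per flow that carries the uninstall command."""
    alerts = []
    for src, dst, dport, payload_hex in flows:
        payload = bytes.fromhex(payload_hex)
        if is_bagle_uninstall(dport, payload):
            alerts.append(f"{src} sent Bagle remote-uninstall command to {dst}:{dport}")
    return alerts


if __name__ == "__main__":
    assert perl_oneliner_bytes() == BAGLE_UNINSTALL
    for line in scan_flows(SAMPLE_FLOWS):
        print(line)
```

    Run against real captures, a match on an inbound flow from outside your own address space is exactly the situation the thread is arguing about: a third party exercising the worm's command on a host they do not administer. A match on an outbound flow from your own network is worth an equally close look, since it means one of your hosts is doing the same thing to someone else's.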

  9. #9
    I was thinking more along the lines of using this against a machine outside your network. For instance if your users were getting spammed with email virus from an infected machine outside of your network and the infected machine is not behind a firewall, is it acceptable to use this remote removal technique?

    It is an open port with a "service" running on it. You would not be manipulating the software to function outside of its intended purpose... I'm thinking it is acceptable.

  10. #10 nihil (Senior Member; joined Jul 2003; location: United Kingdom: Bridlington; 17,188 posts)
    Yeah, someone else's port, service and hardware.

    Check out the Nachi/Welchia worm if you want to see what happens when people meddle where they should not.

    If it is not your equipment and your network you really don't know what on Earth is going on on it, and you would not have tested your "solution" on it. I am sure all the sysadmins here would really love someone doing that.
