View Poll Results: Is it o.k. to remove malware remotely without informing the infected machines owner?
October 25th, 2006, 09:07 PM
#1
Ethics and computer security
The highly successful Bagle worm was capable of being removed remotely.
From f-secure http://www.f-secure.com/v-descs/bagle.shtml
"Remote Removal
F-Secure can confirm that the remote removal method found by Joe Stewart of Lurhq does indeed work.
Sending a specific byte sequence to port 6777 on the infected computers causes the worm to delete itself from the System Directory and terminate its process. The registry values are not removed but since the file does not exist Windows will ignore those.
The byte sequence to be sent:
0x43 0xff 0xff 0xff 0x00 0x00 0x00 0x00 0x04 0x31 0x32 0x00
Please note that the usage of this method against someone else's computers might be legally questionable."
F-Secure notes above that using this method is legally questionable when run against someone else's computer. Putting aside the legality of this method (although anyone who has worked in "cyber" law please comment) I am curious if the community thinks the method is morally acceptable.
Last edited by stevel; October 25th, 2006 at 09:33 PM.
-
October 25th, 2006, 09:15 PM
#2
I could see going in remotely and removing the worm being questionable, because you would be gaining access.
But how is sending a specific 'byte sequence' to a certain port questionable or "gaining access"? It's basically no different than pinging another machine, you're just doing it with a certain byte sequence, or at least that's what I understood from reading that.
Maybe I'm missing something.
-
October 25th, 2006, 09:20 PM
#3
Basically you should not use a remote tool against a computer that you do not own or administer.
There have been one or two of these that were badly written and caused more problems than they solved.
If you wrote something like that you would be in big trouble no matter how honourable your intentions.
I don't think that it is worth the risk.
-
October 25th, 2006, 09:21 PM
#4
F-Secure notes above that using this method is legally questionable when run against someone else's computer
By acknowledging that what they are doing can and could be considered illegal, then why are they doing it? What's the point? And the reverse is true: if they can remove remotely then they can also add remotely, which is the principle of the idea, so they shouldn't do it without the owner's approval. JMO
PC Registered user # 2,336,789,457...
"When the water reaches the upper level, follow the rats."
Claude Swanson
-
October 25th, 2006, 09:33 PM
#5
It depends... What protocol does it use? UDP? You're not establishing a connection, so technically you're not gaining access. If it is TCP, then you'd be establishing a connection and thus unauthorized access.
If it was UDP, the tool could simply "spoof" the src address so there would be no "proof" of who sent the sequence. (Well, depending on how the ISP's routers are set up.)
It's not like you're installing a tool to uninstall it. You're executing a built-in command but doing so in a way that you don't connect to it?
Last edited by phishphreek; October 25th, 2006 at 09:36 PM.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
October 25th, 2006, 09:38 PM
#6
Hmmmm,
I think we need to be a bit careful in our definitions. I would guess that such an action was not strictly "immoral" or "unethical" as the intentions are not malicious.
However, as the activity is not authorised, it could well be technically illegal, depending on your local legislation.
-
October 25th, 2006, 09:39 PM
#7
dalek,
The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.
-
October 25th, 2006, 09:51 PM
#8
Originally Posted by stevel
dalek,
The above information taken from F-Secure was their analysis of the worm. F-Secure was not remotely removing the virus. I've edited the post adding a link to the page I quoted.
Tks for clearing that up...
Okay, after reading this, I would assume it's private networks we are talking about, and if so, then admins can certainly go ahead and use it to catch any of the infected PCs on a network. Is that how it plays out? If so, then the legalities are moot?
Good morning.
The following forwarded message is from Joe Stewart to TH-Research (The Trojan Horses Research Mailing List).
In it Joe explains a way for admins (or anybody really) to easily and massively remove Bagle infections from their networks.
There are other ways to do this, but this is the most simple that I saw thus far.
Thanks again to Joe for all his work.
Drop him a thank-you note if this helps you, he's a good guy!
Gadi Evron
The Trojan Horses Research Mailing List - http://ecompute.org/th-list
From: Joe Stewart <jstewart@lurhq.com>
To: TH-Research
Subject: [TH-research] Bagle remote uninstall
Date: Tue, 20 Jan 2004 17:19:41 -0500
Mail from Joe Stewart <jstewart@lurhq.com>
If you can't wait till January 28, Bagle has a remote uninstall command
which can be sent over port 6777, the port also used to upload the
second stage.
For instance, using perl and netcat, you could send the uninstall
command with the one-liner below:
perl -e 'print "\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00"' \
| nc infected_host_IP 6777
When the command bytes above are received by an infected host, the virus
will exit and delete its executable (using a batch script after the
fact). The registry keys are not removed.
-Joe
http://archive.cert.uni-stuttgart.de.../msg00197.html
Last edited by dalek; October 25th, 2006 at 09:59 PM.
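For readers comparing the two representations quoted in this thread (F-Secure's hex listing and Joe Stewart's perl one-liner), here is an added example, not code from the thread or from Lurhq, that decodes the perl double-quoted escapes the way perl does (so "\x0412" becomes 0x04 '1' '2') and then uses the resulting 12-byte command as a detection signature over a few constructed flow records, so an admin can spot this command crossing their own network rather than send it anywhere.

```python
import re

# Bagle remote-uninstall command as listed by F-Secure: 12 bytes to port 6777.
BAGLE_UNINSTALL = bytes([0x43, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
                         0x04, 0x31, 0x32, 0x00])
BAGLE_PORT = 6777

# perl's \xHH takes at most two hex digits; any other backslash pair is literal.
_PERL_ESCAPE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\(.)')


def decode_perl_dq(s: str) -> bytes:
    """Turn the body of a perl double-quoted string into the bytes perl
    would print: "\\x0412" is 0x04 followed by the literal '1' and '2'."""
    out = bytearray()
    pos = 0
    for m in _PERL_ESCAPE.finditer(s):
        out += s[pos:m.start()].encode("latin-1")
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            out += m.group(2).encode("latin-1")
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)


def is_bagle_uninstall(dst_port: int, payload: bytes) -> bool:
    """True when a flow to the Bagle port starts with the uninstall command."""
    return dst_port == BAGLE_PORT and payload.startswith(BAGLE_UNINSTALL)


def flag_flows(flows):
    """Return the indices of (src, dst, dst_port, payload) records that carry
    the uninstall command; these are the events worth an alert on a
    network you administer."""
    return [i for i, (_src, _dst, port, data) in enumerate(flows)
            if is_bagle_uninstall(port, data)]


# Constructed sample flows (addresses and payloads are made up for the example).
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", 6777,
     decode_perl_dq(r"\x43\xff\xff\xff\x00\x00\x00\x00\x0412\x00")),
    ("10.0.0.5", "10.0.0.9", 6777, b"\x43\x00\x00\x00not-the-command"),
    ("10.0.0.5", "10.0.0.9", 80, BAGLE_UNINSTALL),  # right bytes, wrong port
]

if __name__ == "__main__":
    print("flagged flows:", flag_flows(SAMPLE_FLOWS))
```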
-
October 25th, 2006, 10:19 PM
#9
I was thinking more along the lines of using this against a machine outside your network. For instance if your users were getting spammed with email virus from an infected machine outside of your network and the infected machine is not behind a firewall, is it acceptable to use this remote removal technique?
It is an open port with a "service" running on it. You would not be manipulating the software to function outside of its intended purpose... I'm thinking it is acceptable.
-
October 26th, 2006, 07:04 AM
#10
Yeah, someone else's port, service and hardware.
Check out the Nachi/Welchia worm if you want to see what happens when people meddle where they should not.
If it is not your equipment and your network you really don't know what on Earth is going on on it, and you would not have tested your "solution" on it. I am sure all the sysadmins here would really love someone doing that.