Anti-worm?

2003-08-18 02:02 pm
[personal profile] mdlbear
The appearance today of an anti-worm that propagates using the same mechanism as the widely-reported Blaster worm (and which both removes Blaster, if present, and installs Microsoft's patches to prevent reinfection) raises some interesting questions:
  • Should the anti-worm be considered 'malware', like all other worms, or should it be considered simply as an interesting method of patch distribution?
  • Should the anti-worm's developer be hailed as a hero or reviled as yet another wild-eyed cracker?
  • Is it legal? Should it be?
  • Will this lead to copycat worm/anti-worm pairs whereby an enterprising individual or company launches (anonymously, of course) an innocuous but fast-spreading worm, followed a few days later by a widely-publicized antidote? Has this already happened?
  • Will a series of helpful anti-worms lead in turn to the obvious deception in which the purported anti-worm installs yet another and more insidious payload, which users fail to check for because they assume that the anti-worm is benign, like all the others?

Date: 2003-08-18 03:04 pm (UTC)
From: [personal profile] mithriltabby
It’s vigilante system administration! I expect the body of law that should be consulted in this matter to be the same one that provides for “citizen’s arrest”.

Ah, but...

Date: 2003-08-18 03:41 pm (UTC)
From: [identity profile] aerowolf.livejournal.com
The law needs to provide for legal means to punish and be compensated by people who put unwanted and undesired traffic onto my network, and -enforce- it. If the law doesn't enforce it (and believe me, it's REALLY difficult to get the FBI to take interest in your case unless you're a multi-billion-dollar company)... then I'm going to do whatever it takes to a) not remove access that I need to my own network, and b) remove the threat to my network.

Do people not recognize that these malworms cost REAL MONEY -- money for bandwidth, money for systems administrators, and money for cleanup? Why should I have to spend my money to put up with an attack?

So, yes -- vigilante system administration. Personally, I think that Windows (and various other OSes) have the capability of producing self-healing executables... and I believe that Microsoft needs to be held accountable for every dime that their products have caused to be misspent. They're interested in patching holes... well, why not make the underlying operating system less like a sponge in any case?

Self-healing executables...

Date: 2003-08-19 08:41 am (UTC)
From: [identity profile] aerowolf.livejournal.com
I agree, don't get me wrong -- but self-healing executables would get away from the ability (unless subverted) for a program to modify executable files on-disk, thus requiring a continual updating to the payload when the original process stopped.

But what -I- want to know... why can't the RPC services just be -stopped-?
