Anti-worm?

2003-08-18 02:02 pm
mdlbear: blue fractal bear with text "since 2002" (Default)
[personal profile] mdlbear
The appearance today of an anti-worm that propagates using the same mechanism as the widely-reported Blaster worm (and which both removes Blaster, if present, and installs Microsoft's patches to prevent reinfection) raises some interesting questions:
  • Should the anti-worm be considered 'malware', like all other worms, or should it be considered simply as an interesting method of patch distribution?
  • Should the anti-worm's developer be hailed as a hero or reviled as yet another wild-eyed cracker?
  • Is it legal? Should it be?
  • Will this lead to copycat worm/anti-worm pairs whereby an enterprising individual or company launches (anonymously, of course) an innocuous but fast-spreading worm, followed a few days later by a widely-publicized antidote? Has this already happened?
  • Will a series of helpful anti-worms lead in turn to the obvious deception in which the purported anti-worm installs yet another and more insidious payload, which users fail to check for because they assume that the anti-worm is benign, like all the others?
  • Music: (in my head) "the worms crawl in and the worms crawl out..."
Flat | Top-Level Comments Only

Re: Ah, but...

Date: 2003-08-18 07:45 pm (UTC)
mdlbear: blue fractal bear with text "since 2002" (Default)
From: [personal profile] mdlbear
Vigilante system administration is pretty iffy in a country where this (putting a man in jail for sending e-mail warning about a security flaw) can happen. Come to think of it, that's probably a good argument for the worm approach.

The problem is not one that could be solved by "self-healing executables". Perhaps you're referring to buffer overflow attacks; these are prevented by using subroutine libraries and programming languages that don't allow buffers to overflow.

One major problem with Microsoft, though, is that Windows is designed to make it easy for third parties to install software on your computer. Any system that automatically installs patches, for example, can probably be subverted to install malware instead (not to mention the fact that Microsoft's "patches" are very large-grained and often contain as many new bugs as they fix -- that's why people are reluctant to install them in the first place).

Self-healing executables...

Date: 2003-08-19 08:41 am (UTC)
From: [identity profile] aerowolf.livejournal.com
I agree, don't get me wrong -- but self-healing executables would get away from the ability (unless subverted) for a program to modify executable files on-disk, thus requiring a continual updating to the payload when the original process stopped.

But what -I- want to know... why can't the RPC services just be -stopped-?
Flat | Top-Level Comments Only

Most Popular Tags

Links

Style Credit

Page generated 2026-01-14 01:22 pm
Powered by Dreamwidth Studios