[Full-disclosure] RE: Bening Worms (Cosmin Stejerean)

From: Stejerean, Cosmin (cstejere_at_cti.depaul.edu)
Date: 05/14/05

  • Next message: Bennett, Darren L.: "Out of Office AutoReply: [Full-disclosure] ZDNet UK: Microsoft On eCare gets a bashing"
    Date: Sat, 14 May 2005 11:42:18 -0500
    To: <full-disclosure@lists.grok.org.uk>
    
    
    
    

    I think you are going a little overboard with this kind of response. The guy
    had a couple of questions about "benign worms." If you are going to provide
    some useful feedback then go ahead and do it. If you are going to write an
    insulting email you should probably think twice about it.

    More comments about specific parts of your email. If you don't care for the
    comments you should read the last part of the email as it is a little more
    relevant to the topic.

    >k k wrote:

    >> I am an academic researcher. ...

    >One so well-versed in the area of which you enquire and with such a
    >relevant academic record that you hide behind a Hotmailaddress?

    >Yeah, right...

    I often write emails from my gmail address when posting to lists for various
    reasons. One, I don't want SPAM in my work inbox. Second, it makes it clear
    that my views are my views alone and it usually prevents questions such as

    > "Do these Purdue academics share your views of 'benign worms?' "

    >> ... I benefited a lot during my previous
    >> interaction at the full disclosure list on a different topic and now, I
    am
    >> here to get some input on benign worms.

    >There are no benign worms.

    >I'm not denying that it is not actually possible to design such, but
    >once you've put _all_ the safety checks and other requirements in place
    >to fulfill any vaguely sane and "widely acceptable" notion of benign
    >worm" you'll have designed something massively more complex and
    >convoluted than any existing patch management system.

    That was the only intelligent part of your email. Everything else you should
    have left out.

    >If you don't think that's the case then you are not much of
    >_researcher_, "academic" or not. If you don't believe that, please
    >sensibly refute (in the true academic sense) a few of the arguments
    >against the possibility of "good viruses" in Vesselin Bontchev's papers
    >on the topic.

    You would have looked a little more intelligent if instead of insulting him
    you would have wrote something like "Please read Vesselin Bontchev's papers
    on the topic of benign viruses"

    >> There is debate surrounding whether releasing benign worms such as Nachi
    >>or
    >>> Welcha, ...

    >You know, I've heard them called an awful lot of things but the word or
    >notion of "benign" was never one of them...

    >Are you _sure_ you're an academic?

    [...]

    >You must really hang out in very limited circles. The only folk in
    >favour of such releases are miscreants with severely impaired ethical
    >development. Most of them still get kicks pulling wings off flies.

    I don't think that was at all necessary.

    >> ... But network administrators can still
    >> create benign worms for their need (not necessarily Nachi or Welcha) and
    >> release them in their domain to patch systems.
    >>
    >> 1. Do people do that? Or at least, have you considered it?
    >>
        
       Please see the last part of this email for an answer to this question.

    >> 2. If yes, under what conditions would you do that?

       You would probably only do something like this in case of an emergency.
    In most cases there are a lot better ways to patch management than spreading
    a worm of your own.

    >> 3. If not, what prevents you from doing that?

       There is a lot of risk associated with this. Exploits can be unstable and
    crash production machines or have other undesirable side effects which in
    most organizations can cost you your job.

    >Do these Purdue academics share your views of "benign worms"? Might
    >their intellectual and academic achievements in their collective
    >decades of research in closely relevant areas more than slightly
    >outweigh your twenty minutes musing over a term paper topic?

    Like I mentioned before, this is why he probably used his hotmail address.
    If he thought he was 100% right he wouldn't have emailed the list. He was
    trying to get feedback on his idea without needing to be insulted.

    ...

    I would like to make a few comments about the topic. The idea to use
    "aggressive" techniques to "patch" computers is not new at all. This is
    usually only done to patch computers that are infected. It is one of the
    concepts of evil honey pots (http://cansecwest.com/csw04/csw04-Oudot.pdf) to
    attack attackers. If the attacker is a computer infected with a worm that
    you can write a program that will detect this attack and then attack back in
    order to remove the initial worm. This has been done in practice with Honeyd
    to fight the Blaster worm. You can read about it at

    http://www.securityfocus.com/infocus/1740

    You can also read more about active defense at
    http://staff.washington.edu/dittrich/ad/AD-workshop-091203.ppt

    If I recall properly Stanford also used similar techniques to get rid of MS
    Blast on their networks especially from laptop machines that were infected.
    They had no administrative control over those machines yet the machines
    posed a threat and the threat had to be eliminated.

    Perhaps the best example of how this was used and why it should be done this
    way unless it's an emergency is the problem with the Xerox researches in
    1978 that used worms to automate tasks on their network. The code was
    corrupted and over 200 machines crashed.

    Nachi can also crash machines and although it has a good intention it is not
    generally welcomed by anyone on their machines. If you are going to do such
    a thing make sure you limit the worm to only scan machines in your IP range
    and set a time/date when the worm will expire and remove itself. Make sure
    you test it well in a lab before you release it on your network.

    Cosmin Stejerean

    
    

    
    

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/



  • Next message: Bennett, Darren L.: "Out of Office AutoReply: [Full-disclosure] ZDNet UK: Microsoft On eCare gets a bashing"

    Relevant Pages

    • Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]
      ... > The worm is capable of retrieving filefrom a remote server - the ... > to data sent from infected machines. ... >> making the download executable available until the attack begins. ... >> has been added to our lists without your consent, ...
      (microsoft.public.security)
    • Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]
      ... > The worm is capable of retrieving filefrom a remote server - the ... > to data sent from infected machines. ... >> making the download executable available until the attack begins. ... >> has been added to our lists without your consent, ...
      (microsoft.public.inetserver.iis.security)
    • Re: ** Sobig.F attack expected 3:00pm to 6:00pm EST today [Friday 22]
      ... > The worm is capable of retrieving filefrom a remote server - the ... > to data sent from infected machines. ... >> making the download executable available until the attack begins. ... >> has been added to our lists without your consent, ...
      (microsoft.public.windowsxp.security_admin)
    • Re: Vast Spy System Loots Computers in 103 Countries
      ... A Plan to Catch the Conficker Worm ... infected millions of machines worldwide, ... signs of infection. ... it presents itself to the wider network. ...
      (sci.military.naval)
    • CERT Advisory CA-2001-20
      ... in compromises of home user machines. ... to date with security patches and workarounds, ... worm after it has infected a victim system. ... used to initially compromise the machine may not be enough. ...
      (Cert)