Disinfecting Without Informed Consent

 
 
By Larry Seltzer  |  Posted 2003-05-19
 
 
 

I once was technical director at a computer magazine for which sci-fi writer Orson Scott Card wrote a regular column, prompting me to read the "Enders" series of novels. (Bad column; great novels.) I was reminded this week of an event from one of these books, in which (if I recall correctly) an advanced civilization turns a threatening virus into a beneficial source of gene therapy.

What does this scenario have to do with computer security? It all began with Fizzer, a hot Windows-based worm and the subject of my last column. Its still spreading, if at a decelerating rate.

One of the interesting "advances" in Fizzer is that it has a facility for updating itself, just like antivirus programs and other security software use. This primitive facility looked at a particular Web site for updates, and from the earliest analyses of Fizzer, it was noted that this site contained no updates. Then someone got clever.

The authors of Fizzer made the mistake of provoking IRC (Internet Relay Chat, the original chat facility of the Internet) administrators by using IRC as a backdoor mechanism. Some of these admins formed an ad-hoc "Fizzer Task Force/IRC Unity" group to tackle the Fizzer problem. This group announced last week that it had taken over control of the update site and that it intended to place a Fizzer remover there, the idea being that the worm would update itself off the infected systems.

Its a really cool idea, although the group has had to retreat in the last few days. First, nobody in the group appears to have the specialized programming skills to write a hot uninstaller for a program for which they have no source code. Its definitely a tough job. But the administrators also became concerned about legal problems, and that definitely put the kibosh on the effort for now.

So back to "Enders Game" and gene therapy in the wild: I love what these guys tried to do, and they could go a lot further. I think theres an opening to take it to the next level with white-hat virus writing. As I wrote last week, Ive often thought that the same people must be getting all the same mass-mailer worms because they havent applied any of the Microsoft patches from the past few years. So why not write some mass-mailer worms that check for and remove the most common infections, such as Klez.h? For extra credit, get the system to download and install patches to prevent them in the future. (That would be really hard to do, by the way.)

Of course, Im not the first to think of this. Its under discussion on SecurityFocuss Incidents mailing list. And at the July 2002 Blackhat Las Vegas conference, Timothy Mullen of AnchorIS.Com, Inc. gave a presentation (MS PowerPoint file) raising the prospect of "automated strike-back systems."

Mullen is bothered by the same stuff that gets under my skin: There are a lot of badly mismanaged systems out there, and they are responsible for a large number of attacks on the Net. He asks: Would it be right to engage systems to remove the infections from them without the owners or administrators permission? The point of Mullens piece is more to ask questions—the same ones Im asking—than to make concrete proposals.

Its such a tempting idea, but its probably illegal; so if it happens I had nothing to do with it. (Got that?) I do think you could make a moral self-defense argument for doing something like this, assuming sufficient testing were done to prove safety and efficacy. Alas, life is not a science-fiction novel, and the lawyers will win this one.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Rocket Fuel