Interesting thought...fight virus with virus?

konichiwa

Just reading up on my daily SlashDot and I noticed that in the Ask Slashdot column, someone said this:

<< "I am not an expert with internet worms like Code Red. However, I am curious if it would be possible to create a friendly worm/virus/whatever that would fight the original by using the same security holes. For instance, I read that Code Red II opens a back door. Why not have another virus that exploited the back door, closed it, then started sending itself to other servers for a certain period of time?" >>

What do you think of this? By the time I finished reading the article, the number of comments on /. went from 50 to around 240, so I stopped reading. I like the AT community more than the /. community anyway. ;)

So what do you think?
 

zippy

Wow, that's a damn cool idea actually. :D

Only thing is, it would be kinda big wouldn't it?
 

konichiwa

No, it wouldn't be big at all. Perhaps only marginally more than the size of Code Red (depending on what language it was written in, but since it's going to be on Windows platforms I would think it'd have to be C/C++ or Assembly, etc., but I doubt it could be done in Perl).
 

konichiwa

No, it's not really a patch. A patch fixes the vulnerability, a "counterworm" fixes the worm itself.
 

AMDJunkie

But how would you identify it from malicious viruses? And then there would be trojans posing as these "helpful" viruses. It's better to update your protection from trusted sources manually than to allow a worm to fix your security issues.
 

NJArtist

You said it goes through the back door, then closes it... even better, a patch doesn't have to go through the back door, it just makes it go away.
 

konichiwa

Yes, but there are still many people who are NOT patched. What's proposed in my message is that the worm will SEND ITSELF to other infected servers (i.e., sysadmins who do not have the patch) and clean them.
 

Pretender

The problem is it would be a one-time fix. The next person who writes a worm designs it to kill the good worm on site (terminate the thread running the good worm, delete the file). Then they'd need to come out with another good virus to kill the recently released bad virus, and this cycle just gets annoying, and by that time the servers should be patched already anyway.
 

zippy

That will create a whole new host of problems.

Heh, if too many of those worms got out, there would be so much friggin traffic going to servers- I mean, you should see the log from my router, it has to cut itself off after about an hour or two because it gets too long! :Q
 

ViRGE

You could avoid the traffic altogether if the good worm is always on the defensive. Instead of finding targets itself, it just "attacks" any computer that tries to infect it; while a tad slower in terms of getting rid of the damn thing, it will conserve bandwidth and still accomplish the goal. Really, the only thing to worry about is getting rid of the good worm, which would be somewhat easy, since doing something like having it remove itself after X days since the last attack will keep it around long enough to be effective, but not so long it becomes a problem. :)

PS: For those that worry about worm wars, the good worm would patch the server so that bad worms couldn't use the same exploit to get it.