What is being done with respect to Fizzer is rather different from "engaging the attacker" or even scanning large sections of the internet to find compromised hosts in pursuit of fixing them. The method being used is neither active nor aggressive, and here is the key difference. I think the likelihood of harming others is far less in this scenario, and I doubt that there is even a potential legal issue either, for that matter. As the virus reaches out for an update from a known location, here there was the opportunity to cause the virus to elegantly commit suicide; there is no way that the code would accidentally be run on an uninfected machine except with the direct participation of that machine's owner.
-----Original Message-----
From: Dan Hanson [mailto:dhanson () securityfocus com]
Sent: Saturday, May 17, 2003 12:28 AM
To: incidents () securityfocus com
Subject: A question for the list...
As part of incident handling and response, most of us have had to respond to virus infections that have affected networks and hosts. Reports are circulating that members of the IRC operator community have distributed code through the update mechanism of the Fizzer virus. The code reportedly attempts to remove the virus from the host. The latest information seems to indicate that the "update" code was removed until further testing can be done and more discussion regarding the legalities of this is had.
At last year's Blackhat conference in Las Vegas, Tim Mullen presented what turned out to be a very controversial proposal. Briefly, he questioned why it would be inappropriate to strike back and disable (if not remove) a worm from hosts that are clearly not being adequately managed.
The discussion, both in the session and after, included those who felt that this was simply vigilantism that has no place in the current world, and those who feel that there is a responsibility for someone to do something to try to maintain, if not improve, the security situation for those connected to the Internet.
http://online.securityfocus.com/columnists/98
http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#Timothy%20Mullen
http://www.securityfocus.com/columnists/134
It seems to me that a group finally took it upon themselves to do exactly what Tim was suggesting the community consider. But it appears that they have done it without any consultation of the community in general, and if I have read the reports correctly, with no authorization.
Here is a link for a report on News.com, and it contains some opinions by legal folk. http://news.com.com/2100-1002_3-1003894.html?tag=lh
A bunch of ideas for discussion pop up for me... some of these may not be totally on-topic for this forum, but if you can tie something back into incident response, I'll likely allow it through.
-What are the implications down the road?
-Are there concerns that organizations have with this trend? Legal? Procedure?
-Is this any different than a similar activity that installs malicious code on the target host?
-The approach that Tim advocated was significantly less intrusive than the approach taken with the Fizzer virus. Tim's approach made no significant changes on the targeted host; it simply blocked the ability of Nimda to replicate (if I remember correctly) and notified the owner that they had been compromised and where to go to find help in removing the infection. The approach taken to actually modify the system to remove Fizzer seems to go significantly past that. Why was the reaction to Tim's advocacy of discussion so hostile, when to date I have seen no negative criticism of the Fizzer removal?
-Is this a catalyst for a group (IETF?) of some kind to debate these issues to find a resolution? I think that most people would agree that the increasing risk that these distributed networks pose to every Internet-connected host is grave, and a better method is required to deal with them. Are there other ideas that don't get us into "arms races" with malcode writers?
-If this becomes standard practice, will this force the communication and update channels underground/encrypted (the "arms race" that I mentioned)?
-What are some of the strategies that organizations are implementing to control their exposure to these communication channels?
-If a command can be given in a channel to "shut down" the network of hosts, what is the view on the legality of doing this? If you had a host on your network that was suddenly shut down by a well-meaning (or not so well-meaning) third party, what would your response be?
I am not advocating the validity of one side over another; I just find it curious how similar the idea of Tim's and the actual attempt to remove the virus are.
As an aside, I would like to keep the discussion on this civil. If posts become too flamey to one side or the other (I think both sides have valid ends), they will likely be rejected.
D
----------------------------------------------------------------------------
*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies that are enforced to protect WLANs from known vulnerabilities and threats. Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.
To get your FREE white paper visit us at:
http://www.securityfocus.com/AirDefense-incidents
----------------------------------------------------------------------------