De-worming internet not as easy as it seems

It seems to be the perfect solution to any virus attack on the internet - send out another virus to clean up the problem, but Christchurch-based virus expert Nick FitzGerald says it's not that simple.

The Blaster virus, which appeared last week, is still wreaking havoc around the world albeit at a slower rate. However, a new virus - the Nachi virus - has been released into the wild in an attempt to clean up the problem.

Nachi looks for the same exploit as Blaster but instead of turning the infected system into a zombie for a denial of service attack on Microsoft, it cleans corrupted systems and patches the hole.

However, while the writer's intention seems to be a good one, FitzGerald says the worm could cause more trouble than it's worth.

"There are several issues with Nachi, the first being that while the outcome may be desirable, even if the worm is bug free and doesn't have a destructive payload or any form of unpleasantness associated with it, it's still putting code on a machine without the owner's permission and that's unethical and in many countries illegal."

FitzGerald says while Blaster spread quickly through the unpatched networks, Nachi won't be able to flourish quite so effectively.

"Lots of network firewalls are now blocking traffic to that port, lots more have been patched and those that were infected are probably being disinfected and patched right now, so Nachi doesn't have that same reach that Blaster had in the first instance."

On top of that, FitzGerald says that any system that has been patched by the worm still needs a thorough cleaning, as it may well have picked up some of the newer, nastier viruses now circulating that take advantage of the same flaw.

"It's not a safe practice to say 'I'll look at it later' because you don't know what's happened to that machine between the initial infection and the newly applied patch. You also don't know if the patch is 100% effective for that configuration of machine."

FitzGerald does see the merit involved in using the same security flaw that caused the problem to fix it, however.

"I can see a network operator writing a script that would propagate across his own network looking for the hole, but you'd have to be absolutely certain that it couldn't escape out into the world beyond your own network."

FitzGerald also says he can't see any professional anti-virus vendor distributing a self-replicating worm to patch systems or clean up infections because such a worm would also cause trouble with network traffic loads and become as much of a nuisance as a virus itself.

The New Zealand Network Operators Group (NZ NOG) mailing list has reported sightings of what could be the Nachi virus in New Zealand already. As Computerworld Online reported yesterday (New variant of Blaster worm "fixes" infected systems), Computer Associates rates Nachi a "medium" threat, indicating only a few reports from CA's customers. However, Trend Micro says the new worm is spreading rapidly in China and South Korea, prompting a "red alert" from that company to its customers in Asia.
