A question for the list... May 17 2003 04:27AM
Dan Hanson (dhanson securityfocus com)
As part of incident handling and response, most of us have had to respond
to virus infections that have affected networks and hosts. Reports are
circulating that members of the IRC operator community have distributed
code through the update mechanism of the Fizzer virus. The code reportedly
attempts to remove the virus from the host. The latest information seems
to indicate that the "update" code was removed until further testing can
be done and more discussion regarding the legalities of this are had.

At last year's Blackhat conference in Las Vegas, Tim Mullen presented what
turned out to be a very controversial proposal. Briefly, he questioned why
it would be inappropriate to strike back and disable (if not remove) a
worm from hosts that are clearly not being adequately managed.

The discussion, both in the session, and after, included those who
felt that this was simply vigilanteism that has no place in the current
world, and those who feel that there is a responsibility for someone to do
something to try to maintain, if not improve, the security situation for
those connected to the Internet.

It seems to me that a group finally took it upon themselves to do exactly
what Tim was suggesting the community consider. But it appears that they
have done it without any consultation of the community in general, and if
I have read the reports correctly, with no authorization.

Here is a link for a report on and it contains some opinions by
legal folk.

A bunch of ideas for discussion pop-up to me... some of these may not be
totally on-topic for this forum, if you can tie something back into
incident response, I'll likely allow it through.

-What are the implications down the road?

-Are there concerns that organizations have with this trend? Legal?

-Is this any different than a similar activity that installs
malicious code on the target host?

-The approach that Tim advocated was significantly less intrusive than the
approach taken with the Fizzer virus, Tim's approach made no significant
changes on the targeted host, simply blocked the ability of Nimda to
replicate (if I remember correctly), and notify the owner that they have
been compromised and where to go to find help in removing the infection.
The approach taken to actually modify the system to remove Fizzer seems to
go significantly past that. Why was the reaction to Tim's
advocacy of discussion so hostile, and to date, I have seen no negative
criticism of the Fizzer removal.

-Is this a catalyst for a group (IETF?) of some kind to debate these
issues to find a resolution? I think that most people would agree that the
increasing risk that these distributed networks pose to every Internet
connected host is grave, and a better method is required to deal with
them. Are there other ideas that don't get us into "arms races" with
malcode writers.

-If this becomes standard practice, will this force the communication and
update channels underground/encrypted (the "arms race" that I mentioned)

-What are some of the strategies that organizations are implementing to
control their exposure to these communication channels?

-If a command can be given in a channel to "shut down" the network of
hosts, what is the view on the legality of doing this? If you had a host
on your network that was suddenly shut down by a well meaning (or not so
well meaning third party), what would your response be?

I am not advocating the validity of one side over another, I just find it
curious how similar the idea of Tim's, and the actual attempt to remove
the virus, are.

As an aside, I would like to keep the discussion on this civil. If posts
become to flamey to oneside or the other (i think both sides have valid
ends) they will likely be rejected.


*** Wireless LAN Policies for Security & Management - NEW White Paper ***
Just like wired networks, wireless LANs require network security policies
that are enforced to protect WLANs from known vulnerabilities and threats.
Learn to design, implement and enforce WLAN security policies to lockdown enterprise WLANs.

To get your FREE white paper visit us at:

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus