Active Immunization Against Internet Viruses, Worms & Trojans
By Angsuman Chakraborty, Gaea News Network
Sunday, April 22, 2007
Active immunization is an extremely interesting technique for fighting internet-based viruses, trojans and worms. Laurent Oudot of the Rstack team created a prototype in 2003. He used honeyd, a popular honeypot, to identify hosts compromised with the msblast.exe worm, then immunized them by using the same exploit as the worm itself to obtain a shell and running a simple script to clean the worm from the system.
There are strong implications of this concept. Technically, a script kiddie can also use the same backdoor created by a worm to create more harmful exploits. All he has to do is use honeypots to look for new exploits. However, that is something he can do even today, and some do.
Then there are strong moral implications. Is it fair to immunize an exploited system irrespective of its owner's knowledge and will? What happens if something goes wrong?
Let’s take a real-life scenario. Suppose you have a child in your community with a highly infectious disease who is attending school and his parents are away. Would you wait for his parents to come back, inform the cops, inform the school authorities or directly immunize the child yourself? You will probably do one or more of the above depending on the virulence of the infection and perceived risk to your own children. It is the same with the internet.
Personally I think if I am being attacked by a system, willingly or not, then I have the right to immunize it. Frankly it will be much easier once such actions are explicitly backed by law.
The same technique when applied to a large corporation becomes much simpler in terms of ethics and morality. The corporation has full rights to its machines and active immunization is the way to go.
The downside is that crackers too can fight back by introducing code that seals the backdoor it created after it has infected the system. Future communication with the owner will be through polling only. Again, access to a corporate intranet is simpler and needn’t use the backdoor. Overall I think active immunization is a very useful strategy for large corporations and can also be implemented on the internet if adopted by hosting providers for their own networks.