I was talking to Silverstr last night about the latest Microsoft worm and the new “anti-worm” worm that is making the rounds and attempting to patch systems, but causing problems in itself.
Silv asked me what I thought about the anti-worm worm, and I had to reply that I didn’t know. In a way it was good, something to automatically do what the system admins of the affected systems didn’t do, silently and in the background, was a neat idea. When code red hit a while back there was a perl module that would interperate certain requests respond by trying to
- attempt to use the same hole that code red used to delete the code red executable
- send a windows popup message to the system saying that the system was infected and it had tried to clean it, and where to download the patch.
On the other hand however, I don’t trust other people on my computer, much less Microsoft auto updating my system for me (the idea actually scares the shit out of me, and if it did happen it’d be the first thing I turned off). In a time where updates can easily remove important functionality or features (I read a story yesterday (not sure where) about an IE for Mac update that removed some plugin functionality, and various Tivo updates have removed features like commercial/30 second skip) I’m pretty sure I want to be at least given the choice.
The other thing of course is that now you have twice the number of worms infecting your systems, running through your network, and clogging up your systems. What if the anti-worm worm made a mistake? Or cleaned up the original worm but left a backdoor in there for itself logging the IP as an unpatched system? None of these things are beyond the realm of possibilities.
Cheers to all ya’ll out there fighting this thing now. Good luck!