The Internet may be facing one of the most unexpected security threats yet — Good Samaritans.
The so-called white hat worm that brought computer systems to a crawl at Air Canada and several other companies this week was moving from machine to machine in a bid to undo the damage wrought by Blaster,
a destructive worm that has infected computers worldwide, security experts said.
Welchia, one of the many names the white hat worm is being called, spreads from across networks, removing Blaster and forcing infected computers to download a patch from Microsoft Corp. to fix the vulnerability it exploited. But in some cases, sources say the effort to do so ties up network traffic, causing nearly as many problems as Blaster itself.
Between Blaster and Welchia, 700,0000 machines worldwide had been infected as of Wednesday, according to Symantec Corp.
“”‘Vigilante justice’ isn’t quite the right term,”” said John Aycock, an assistant professor in the University of Calgary’s computer science department who teaches a controversial course in creating malware. The term ‘vigilante’ implies intent to punish the wrongdoers, he said, while whoever released Welchia was trying to fix a problem. Instead, Aycock refers to it by the oxymoronic handle “”benevolent malicious software.””
“”There’s something appealing about the idea,”” Aycock said, but it’s fraught with legal and ethical issues. Network users haven’t subscribed to a bug-fixing service, and haven’t given informed consent for an outsider, however well-intentioned, to access their machines.
At Aliant Telecom, which was among the businesses affected, spokewoman Isabelle Robinson said there was no large-scale disruption to its customers’ Internet service, partly because of patching efforts in the wake of the Blaster virus, which caused a doubling of customer service calls. But until she’d read about Welchia in the paper, “”I didn’t realize it was supposed to be a fix,”” she said.
Regardless of the intentions, “”You don’t want code running on your machines without your permission,”” said Neel Mehta, research engineer with Internet Security Systems’ X-Force research group.
White hat worms aren’t entirely new, but they’re very rare, according to Oliver Friederichs, a senior manager with Symantec’s security reponse team. Code Green was released in July 2001 in an effort to clean up after the notorious Code Red virus. “”We really haven’t seen it happen that often,”” Friederichs said.
Welchia is far more effective at spreading itself than the Blaster worm it was concocted to “”cure,”” Mehta said. It attempts to exploit a second vulnerability in Microsoft server software and searches 300 open connections for hosts to infect, compared to Blaster’s 20. It connect-back shell code is better at bypassing firewalls. If it had had a more destructive payload, it could have wrought widespread chaos.
“”There is the basis there for something more malicious,”” Mehta said.
While Welchia isn’t the most virulent of worms — it has yet to cause widespread Internet outages as SQL Slammer did earlier this year — its impact is comparable to the early days of Code Red, said Friederichs and will cost “”significant resources”” to eradicate.
“”Even though the worm removes itself when the clock hits 2004, what are you going to do in the meantime? You still have this thing running on your system,”” Friederichs said.
The virus spread more quickly in Asia, as there was a hard-coded list of network subnets in the code. Mehta says the worm originated in Asia, likely China. It only installs in computers running the U.S. English, Chinese, Taiwanese and Korean versions of Windows.
The writer embedded a message to his wife and child within the code of the worm, Mehta said.
Comment: [email protected]
