Taking It to the Worm
: A counterattack script was used by some administrators to try to stop the onslaught of the MSBlaster worm.
March 28, 2006
MSBlaster worked only against unpatched Windows computers. Microsoft and several other Internet security agencies broadcast several alerts warning Windows users to patch their machines. Unfortunately, the masses either didn't get the warnings or ignored them. When the MSBlaster worm was released, it successfully infected hundreds of thousands of machines. Even if your network was fully patched, MSBlaster could cause slowdown problems because of the many exploited computers.
Some honeypot administrators wrote a service script (which Listing A shows) that when connected to, connected back to the originating host, killed the MSBlaster worm process, cleaned a malicious registry entry (by using a created-on-the-fly registry edit file), and rebooted the machine. Offensive scripts can have mixed results when run against unauthorized computers and networks. You'd think that removing a worm would always be a good thing, but worm cleaners have a way of causing as many problems as or more problems than the disease.
For example, a kind-hearted soul created a worm called Welchia that did nearly the same thing as the script in Listing A. Welchia connected to vulnerable hosts, removed the MSBlaster worm, and downloaded the Microsoft patch needed to close the vulnerability. Although the MSBlaster worm was only a problem for a few days, the Welchia worm inadvertently brought down networks for weeks because its scanning mechanism was even more aggressive than the original worm. Welchia proved to be much worse than the worm it was designed to cure.
About the Author
You May Also Like