[NTLUG:Discuss] New IIS Virus

Steve Baker sjbaker1 at airmail.net
Wed Sep 19 22:31:01 CDT 2001 

Daniel Hauck wrote:

> I would like to open up discussion about implementing "counter-agents."
> Clearly, there is little to no risk of prosecution and I think
> "self-defence" is a valid argument.  I'd be happy to host counter-offensive
> software on my server while I still have port 80 access.

I agree that a counter-virus *sounds* like a good idea.  It could be
something that spreads using the same mechanism as the original virus - so
it ought to only catch machines that are either vulnerable or already
infected - and if all it does is remove the virus and apply the needed
patch to plug the gap then it *sounds* pretty benign.

HOWEVER, it's still (currently) illegal - and whilst the odds of you being
prosecuted are small, the penalties for this kind of thing are *INSANE* - you
could wind up with 25 years in jail.  Even if the probability of prosecution
is small, it's not zero.

Also, there is a small chance that someone has failed to install the
Microsoft patch for some very good reason:

  1) It could be that the patch has some nasty side-effect that prevents
     this machine from fulfilling it's job - so it's owner has chosen not
     to install it.  Given the poor overall quality of Microsoft's work, it
     seems very possible that installing a new patch would break something
     else.  If that were the case then your "benign" virus could turn out to
     cause vast financial damage to someone - worse than the original virus.

  2) There are systems set up by Internet security companies as 'Honey Pots'
     to attract virii in the hope of enabling these companies to develop
     anti-virus software...fixing the loophole that they deliberately left
     open could get you into a lot of trouble.

There is also a risk that any bug in your anti-virus code could actually
do great damage in some way or other.

I think this is just a DANGEROUS thing to contemplate.

----------------------------- Steve Baker -------------------------------
Mail : <sjbaker1 at airmail.net>   WorkMail: <sjbaker at link.com>
URLs : http://web2.airmail.net/sjbaker1
       http://plib.sf.net http://tuxaqfh.sf.net http://tuxkart.sf.net
       http://prettypoly.sf.net http://freeglut.sf.net
       http://toobular.sf.net   http://lodestone.sf.net

More information about the Discuss mailing list