Why I Published The Network Worm
And, How and Why It Will Remain On My Site
Saturday, 26 February 2000
The Controversy
Two days ago, I encountered a self-replicating
"worm" on a client's system which was written in the
Windows Scripting language (Visual Basic Script). I cast about in
UseNet and on search engines for evidence that this script was
broadly known and found nothing at all.
Because I saw the desirability of making this unusual script
known to others, and in order to illustrate the perils of the
vulnerability it exploits, I published a page describing my
discovery, which included the full text of the script and my
analysis of its actions. I considered, and still consider, this
information to be of value to many good people.
That page is http://pc-help.org/news/scriptworm.htm.
I posted that URL to several relevant UseNet newsgroups,
including alt.comp.virus and microsoft.public.activex.programming.scripting.vbscript.
To my surprise, I received an email from Nick FitzGerald, who
implored me (his word) to remove the script from my page. Nick
was polite and eloquent. He raised some concerns I considered
valid, but I hesitated to comply with his wishes. I felt I had
the thing in good perspective, but I was interested in examining
the issues.
So I posted my concerns to alt.comp.virus, and invited input
from the newsgroup's denizens.
I have received both scathing criticism and glowing praise for
my publication of the script; and some responses in between. I
was begged to leave it in place; and I was told to remove it
immediately, and that I could expect my ISP to receive demands
that they remove the material.
The core issue is not a new one. Well-intentioned and
competent people can disagree, even where the most damaging and
virulent code is concerned. Free availability of information,
even to extremes, is a keystone of the personal philosophy of
some. Others advocate the strictest of controls and exclusivity
of computer exploits, even to the point of criminalizing the
publication of code which fits their definition of
"dangerous."
I have a strong tendency to agree with the unfettered sharing
of information among responsible persons. I recoil from
authoritarianism. Responsible persons are in the very great
majority. Just as we can't spend our lives behind locked doors --
it would be a complete surrender to the evil from which we seek
to protect ourselves -- we can't allow the potential for abuse to
mean that we hide useful information from our more worthy
fellows.
Nonetheless, there are no absolutes. I have taken the input
under advisement, and I have come to a decision.
My Decision
The decision I have made is one of my own creation. No one
suggested it to me.
I have decided to leave the script on my site.
However: I have now altered it to emasculate its ability to scan
and to replicate. It required only a single change, one which no
person who is not very familiar with Windows Scripting is likely
to recognize.
This change prevents the clueless-and-malicious from using it
as-is or with simple alterations to cause any sort of trouble.
Thus it addresses the most valid argument I have seen against the
script's publication.
Meanwhile, it does not in any way compromise my reasons for
publishing the code in the first place, which I believe remain
completely valid.
I realize this may fall well short of the preferences of some
respected and thoughtful people on both sides of the
issue. But I hope they'll respect my choice all the same.
A Summary of My Rationale
- Publishing this code will benefit readers in several ways.
- The worm is not in itself a serious threat.
- Publishing the code with slight alterations will not
  significantly benefit malefactors.
- The probability that the code will be used maliciously is not
  high.
- My publication of the code does not represent an ethical
  reversal.
- Publishing this code will benefit readers in several ways.
  - It will benefit professionals.
    There exist thousands of skilled IT professionals with security
    responsibilities. Many of these people are not anti-virus
    industry insiders, and they are not afforded any special access
    to information about exploits they have every reason to
    understand in the fullest possible detail. In this one case, I
    have an opportunity to help those people. This worm is unique
    enough to be of real interest, and it presents possibilities
    with which those professionals might be better prepared to deal
    if they are more fully informed.
  - It will benefit interested amateurs with legitimate intent.
    Innumerable individuals who would never use such information
    irresponsibly will wish to understand the inner workings of
    this fascinating exploit and of Windows Scripting. I have
    already heard from some people who fit this description; they
    appreciate what I've done.
  - It will benefit present and potential victims of this and
    similar exploits.
    How many people, do you suppose, had no idea that a file with
    the extension .VBS could pose the same threat as an .EXE? That
    fact alone doesn't require additional details, but future
    exploits using Windows Scripting will certainly appear. Alert
    readers of any skill level who encounter anything even vaguely
    similar to this worm will be better prepared to recognize what
    they're dealing with once they've read a detailed description
    of a hostile script.
- The worm is not in itself a serious threat.
  - Though intrusive, the code is not significantly hostile.
    Its one and only function is self-replication. Its action on
    an "infected" host might conceivably cause crashes or network
    congestion but it has not been demonstrated to do so. The worm
    does not increase the host's risk of intrusion by other means.
    It doesn't compare at all closely with dangerous viruses or
    intrusion tools, thus its exposure should not be held to
    standards that would apply to those other, far more hostile and
    virulent exploits.
  - The worm affects only a small percentage of systems.
    Only Net-connected machines which have open, writable shares
    available through the Internet link can conceivably be affected
    by this worm or by any variant thereof. That is a tiny
    percentage of computers, certainly less than 1%. Only a subset
    of that group, which share their entire C: drive (or another
    drive or folder with the name "C"), will be connected to by the
    worm and will be sent a copy of the worm. And, only those of
    that group which have the Windows Script Host installed (it's
    included with IE5) will actually run the script. This makes it
    very much unlike typical worms and viruses, which usually
    function on practically any Microsoft platform.
  - However: the worm is easily capable of adaptation to hostile
    purposes.
    It is only fair to acknowledge the very real potential for a
    more damaging version. Fairly simple additions to the worm
    script could cause it to do serious damage to its hosts. This,
    in my opinion, is the one argument against its publication
    which has strong, even convincing merit when taken into
    consideration with all the facts. And it is the reason I have
    altered the published script.
- Publishing the code with slight alterations will not
  significantly benefit malefactors.
  - Skilled baddies don't need any help.
    Anyone with a little imagination could have thought of this
    exploit on his own, and many probably have. Even if the idea is
    a new concept to a mischief-maker, if he has moderate
    programming skills he can easily produce code which replicates
    and exceeds this worm's capabilities, with nothing more than
    the most sketchy outline of its functions. The existing, very
    detailed and fully accurate descriptions such as this one at
    NAI are far more than sufficient.
  - Unskilled wanna-be baddies (the one real issue here) will have
    a problem they won't easily solve.
    In my experience, genuine bad guys are usually lazy and
    incompetent. I'm not telling what I did to the script. This
    should weed out most or all of the very few kiddies we may have
    cause to worry about.
- The probability that the code will be used maliciously is not
  high.
  - I acknowledge opinions to the contrary, but I find that a
    critic's own evidence is my best argument.
    In a posting to alt.comp.virus, Jeffrey A. Setaro said:
        Think back to when W97M/Melissa was discovered... A host of
        well meaning people posted the code here and on the web
        under the assumption that it would help combat the spread
        of the virus. Unfortunately all it really did was enable
        other virus writers to create roughly a dozen new variants
        in a matter of days. I suspect your posting the
        VBS/Netlog.A code publicly will unfortunately have the same
        effect (FWIW there are now about 30 known Melissa variants)
    Jeffrey's tale is quite true. The Melissa code was widely
    publicized. I obtained a copy of it myself, and examined it
    with interest. Numerous variants, some of them much more
    hostile than Melissa, did appear. Moreover, Melissa is in some
    respects a good analogy to the worm I analyzed:
    - Both are written in a form of Visual Basic.
    - Each is a worm, though different in mode of operation.
    - Like the Netlog worm, Melissa carried no truly hostile
      payload.
    But there the analogy ends. Melissa was more intrusive than the
    worm at issue. It ran successfully on a large percentage of
    systems, both Win9x and NT. It was vastly more successful at
    proliferation. It did far more harm; it could overwhelm mail
    servers. Also, it altered document headers on the affected
    machine to contain mischievous information.
    But most of all, Melissa was an absolutely huge media event. It
    made the evening TV news! We all watched events unfold as a
    massive manhunt ensued, and as the perpetrator was arrested by
    grim Federal agents. Hardly a computer user anywhere fails to
    recognize Melissa by name. Untold numbers of people had, and
    have to this day, access to its source code, fully interpreted
    by obliging experts. Hardly a hacker or cracker anywhere lacks
    the easy opportunity to create his own diabolical Melissa.
    Yet only thirty variants exist. That is an amazingly small
    number!
    It's simple math. If the Netlog worm gets one-thirtieth of the
    public exposure Melissa has had, we can reasonably expect one
    variant to appear. But it won't get a hundredth.
    Some individuals have variously attempted to convey an image of
    an Internet teeming with hostile creatures who can be counted
    upon to flock to my site, all with images of crashed systems
    everywhere dancing in their eyes.
    I just don't buy it. The facts don't support such dire
    prognostications. Fear-mongering on such a flimsy basis does
    not, in my view, justify the denial of information to the
    unoffending people who so obviously, so vastly outnumber the
    bad guys.
- My publication of the code does not represent an ethical
  reversal.
  - Among the concerns raised by my actions is this one:
    In a posting to alt.comp.virus, Nick FitzGerald said:
        By your own, apparent, past standards, the code should
        never have been posted. I refer you to your own "How I
        Handle Email" page (http://www.nwi.net/~pchelp/email.htm),
        and specifically to the last section "Messages I Do Not
        Answer". The first point is:
            "Requests for trojans, exploits and hacker tools. Yes,
            I have a huge collection, probably 300 trojans and
            hundreds of "hAx0r t0o1z." NO, I don't distribute
            them. Occasionally I will pass on specific items to
            people who identify themselves and whom I feel
            completely certain will use them for positive
            purposes."
        Whilst I, and probably most of the acv "regulars" applaud
        that position, I find it entirely contradicted by your
        decision to post the full source code and thereby the full
        beast, as VBS is an interpreted script language. Surely
        your decision to post the code goes directly against your
        own (laudable!) guidelines for redistributing malware.
        Please explain this apparent total contradiction of your
        previously stated position of cautious distribution.
    It isn't a "total contradiction" for several reasons:
    - I have made other disclosures which had potential for abuse,
      for similar reasons. One example is the detailed descriptions
      I provided well over a year ago, on my page Almost All The
      Ways to Find Your Back Orifice, of how Back Orifice could be
      made to hide more effectively.
    - There is something to be gained by publishing the script. A
      variety of people, a numerous audience altogether, will gain
      by the availability of the information.
    - The fear-mongering doesn't wash with me. The comparison to
      Melissa, placed in perspective above, demonstrates this point
      quite well. I never at any time regarded this script as a
      threat of any magnitude.
    - The worm isn't an intrusion tool. Its hosts' serious
      vulnerabilities aren't even exposed.
    - The worm doesn't contain a payload. Unless you seriously lack
      a sense of proportion, you can't treat this thing by the
      standards you would apply to a destructive virus or a tool
      for comprehensive intrusion. Even given a payload, it is a
      minor threat by its very nature, because:
      - The worm works only on rare systems. See above.
      - The worm isn't the real problem. The systems it uses as
        hosts all suffer from a pre-existing, extreme
        vulnerability. I offer solutions to this problem, and I
        have done so for years. (Incidentally, if the AV vendors
        are doing their jobs properly, victims of this worm will be
        alerted to the vulnerability it represents -- and will be
        advised how to secure their shared drive. If that happens,
        the existence of the worm can be made to have a positive
        effect.)
    - I do, as of now, address the most significant truly valid
      concern: that a malicious-but-clueless wannabe will use the
      code I published to create a more hostile script (that is,
      make a trojan of the worm); whereas the miscreant might not
      manage it without my help. Now that I've crippled the script,
      that junior malefactor will have to crack the books before he
      can run it. The truly competent cracker is irrelevant; he
      could code something far worse in his sleep and with only the
      general concept to go on. And he'd scoff at the use of Visual
      Basic for the purpose.