Why I Published The Network Worm
And, How and Why It Will Remain On My Site
Saturday, 26 February 2000

The Controversy

Two days ago, I encountered a self-replicating "worm" on a client's system which was written in the Windows Scripting language (Visual Basic Script). I cast about in UseNet and on search engines for evidence that this script was broadly known and found nothing at all.

Because I saw the desirability of making this unusual script known to others; and in order to illustrate the perils of the vulnerability it exploits; I published a page describing my discovery, which included the full text of the script and my analysis of its actions. I considered, and still consider this information to be of value to many good people.

That page is http://pc-help.org/news/scriptworm.htm.

I posted that URL to several relevant UseNet newsgroups, including alt.comp.virus and microsoft.public.activex.programming.scripting.vbscript.

To my surprise, I received an email from Nick FitzGerald, who implored me (his word) to remove the script from my page. Nick was polite and eloquent. He raised some concerns I considered valid, but I hesitated to comply with his wishes. I felt I had the thing in good perspective, but I was interested in examining the issues.

So I posted my concerns to alt.comp.virus, and invited input from the newsgroup's denizens.

I have received both scathing criticism and glowing praise for my publication of the script; and some responses in between. I was begged to leave it in place; and I was told to remove it immediately, and that I could expect my ISP to receive demands that they remove the material.

The core issue is not a new one. Well-intentioned and competent people can disagree, even where the most damaging and virulent code is concerned. Free availability of information, even to extremes, is a keystone of the personal philosophy of some. Others advocate the strictest of controls and exclusivity of computer exploits, even to the point of criminalizing the publication of code which fits their definition of "dangerous."

I have a strong tendency to agree with the unfettered sharing of information among responsible persons. I recoil from authoritarianism. Responsible persons are in the very great majority. Just as we can't spend our lives behind locked doors -- it would be a complete surrender to the evil from which we seek to protect ourselves -- we can't allow the potential for abuse to mean that we hide useful information from our more worthy fellows.

Nonetheless, there are no absolutes. I have taken the input under advisement, and I have come to a decision.

My Decision

The decision I have made is one of my own creation. No one suggested it to me.

I have decided to leave the script on my site.

However: I have now altered it to emasculate its ability to scan and to replicate. It required only a single change; which no person who is not very familiar with Windows Scripting is likely to recognize.

This change prevents the clueless-and-malicious from using it as-is or with simple alterations to cause any sort of trouble. Thus it addresses the most valid argument I have seen against the script's publication.

Meanwhile, it does not in any way compromise my reasons for publishing the code in the first place, which I believe remain completely valid.

I realize this may fall well short of the preferences of some respected and thoughtful people on both sides of the issue. But I hope they'll respect my choice all the same.

A Summary of My Rationale

Publishing this code will benefit readers in several ways.
The worm is not in itself a serious threat.
Publishing the code with slight alterations will not significantly benefit malefactors.
The probability that the code will be used maliciously is not high.
My publication of the code does not represent an ethical reversal.

• Publishing this code will benefit readers in several ways.
  • It will benefit professionals.
    • There exist thousands of skilled IT professionals with security responsibilities. Many of these people are not anti-virus industry insiders, and they are not afforded any special access to information about exploits they have every reason to understand in the fullest possible detail. In this one case, I have an opportunity to help those people. This worm is unique enough to be of real interest, and it presents possibilities with which those professionals might be better prepared to deal if they are more fully informed.
  • It will benefit interested amateurs with legitimate intent.
    • Innumerable individuals who would never use such information irresponsibly, will wish to understand the inner workings of this fascinating exploit and of Windows Scripting. I have already heard from some people who fit this description; they appreciate what I've done.
  • It will benefit present and potential victims of this and similar exploits.
    • How many people do you suppose, had no idea even that a file of extension .VBS could pose the same threat as an .EXE? That fact alone doesn't require additional details, but future exploits using Windows Scripting will certainly appear. Alert readers of any skill level who encounter anything even vaguely similar to this worm will be better prepared to recognize what they're dealing with once they've read a detailed description of a hostile script.

• The worm is not in itself a serious threat.
  • Though intrusive, the code is not significantly hostile.
    • Its one and only function is self-replication. Its action on an "infected" host might conceivably cause crashes or network congestion but it has not been demonstrated to do so. The worm does not increase the host's risk of intrusion by other means. It doesn't compare at all closely with dangerous viruses or intrusion tools, thus its exposure should not be held to standards that would apply to those other, far more hostile and virulent exploits.
  • The worm affects only a small percentage of systems.
    • Only Net-connected machines which have open, writable shares available through the Internet link can conceivably be affected by this worm or by any variant thereof. That is a tiny percentage of computers, certainly less than 1%. Only a subset of that group, which share their entire C: drive (or another drive or folder with the name "C"), will be connected-to by the worm and will be sent a copy of the worm. And, only those of that group which have the Windows Script Host installed (it's included with IE5) will actually run the script. This makes it very much unlike typical worms and viruses, which usually function on practically any Microsoft platform.
  • However: The worm is easily capable of adaptation to hostile purposes.
    • It is only fair to acknowledge the very real potential for a more damaging version. Fairly simple additions to the worm script could cause it to do serious damage to its hosts. This, in my opinion, is the one argument against its publication which has strong, even convincing merit when taken into consideration with all the facts. And it is the reason I have altered the published script.

• Publishing the code with slight alterations will not significantly benefit malefactors.
  • Skilled baddies don't need any help.
    • Anyone with a little imagination could have thought of this exploit on his own, and many probably have. Even if the idea is a new concept to a mischief-maker, if he has moderate programming skills he can easily produce code which replicates and exceeds this worm's capabilities, with nothing more than the most sketchy outline of its functions. The existing, very detailed and fully accurate descriptions such as this one at NAI are far more than sufficient.
  • Unskilled wanna-be baddies (the one real issue here) will have a problem they won't easily solve.
    • In my experience, genuine bad guys are usually lazy and incompetent. I'm not telling what I did to the script. This should weed out most or all of the very few kiddies we may have cause to worry about.

• The probability that the code will be used maliciously is not high.
  • I acknowledge opinions to the contrary, but I find that a critic's own evidence is my best argument.
    • In a posting to alt.comp.virus, Jeffrey A. Setaro said:
      Think back to when W97M/Melissa was discovered... A host of well meaning people posted the code here and on the web under the assumption that it would help combat the spread of the virus. Unfortunately all it really did was enable other virus writers to create roughly a dozen new variants in a matter of days. I suspect your posting the VBS/Netlog.A code publicly will unfortunately have the same effect (FWIW there are now about 30 known Melissa variants)
      
      Jeffrey's tale is quite true. The Melissa code was widely publicized. I obtained a copy of it myself, and examined it with interest. Numerous variants, some of them much more hostile than Melissa, did appear. Moreover, Melissa is in some respects a good analogy to the worm I analyzed:
      
      - Both are written in a form of Visual Basic.
      - Each is a worm, though different in mode of operation.
      - Like the Netlog worm, Melissa carried no truly hostile payload.
      
      But there the analogy ends. Melissa was more intrusive than the worm at issue. It ran successfully on a large percentage of systems, both Win9x and NT. It was vastly more successful at proliferation. It did far more harm; it could overwhelm mail servers. Also, it altered document headers on the affected machine to contain mischievous information.
      
      But most of all, Melissa was an absolutely huge media event. It made the evening TV news! We all watched events unfold as a massive manhunt ensued, and as the perpetrator was arrested by grim Federal agents. Hardly a computer user anywhere fails to recognize Melissa by name. Untold numbers of people had, and have to this day, access to its source code, fully interpreted by obliging experts. Hardly a hacker or cracker anywhere lacks the easy opportunity to create his own diabolical Melissa.
      
      Yet only thirty variants exist. That is an amazingly small number!
      
      It's simple math. If the Netlog worm gets one-thirtieth of the public exposure Melissa has had, we can reasonably expect one variant to appear. But it won't get a hundredth.
      
      Some individuals have variously attempted to convey an image of an Internet teeming with hostile creatures who can be counted upon to flock to my site, all with images of crashed systems everywhere dancing in their eyes.
      
      I just don't buy it. The facts don't support such dire prognostications. Fear-mongering on such a flimsy basis does not, in my view, justify the denial of information to the unoffending people who so obviously, so vastly outnumber the bad guys.

• My publication of the code does not represent an ethical reversal.
  • Among the concerns raised by my actions is this one:
    • In a posting to alt.comp.virus, Nick FitzGerald said:
      By your own, apparent, past standards, the code should never have been posted. I refer you to your own "How I Handle Email" page (http://www.nwi.net/~pchelp/email.htm), and specifically to the last section "Messages I Do Not Answer". The first point is:
      
      "Requests for trojans, exploits and hacker tools. Yes, I have a huge collection, probably 300 trojans and hundreds of "hAx0r t0o1z." NO, I don't distribute them. Occasionally I will pass on specific items to people who identify themselves and whom I feel completely certain will use them for positive purposes."
      
      Whilst I, and probably most of the acv "regulars" applaud that position, I find it entirely contradicted by your decision to post the full source code and thereby the full beast, as VBS is an interpreted script language. Surely your decision to post the code goes directly against your own (laudable!) guidelines for redistributing malware.
      
      Please explain this apparent total contradiction of your previously stated position of cautious distribution.
      
      It isn't a "total contradiction" for several reasons:
      
      - I have made other disclosures which had potential for abuse, for similar reasons. One example is the detailed descriptions I provided well over a year ago, about how Back Orifice could be made to hide more effectively on my page Almost All The Ways to Find Your Back Orifice.
      - There is something to be gained by publishing the script. A variety of people, a numerous audience altogether, will gain by the availability of the information.
      - The fear-mongering doesn't wash with me. The comparison to Melissa, placed in perspective above, demonstrates this point quite well. I never at any time regarded this script as a threat of any magnitude.
      - The worm isn't an intrusion tool. Its hosts' serious vulnerabilities aren't even exposed.
      - The worm doesn't contain a payload. Unless you lack seriously for a sense of proportion, you can't treat this thing by the standards you would apply to a destructive virus or a tool for comprehensive intrusion. Even given a payload, it is a minor threat by its very nature, because:
      - The worm works only on rare systems. See above.
      - The worm isn't the real problem. The systems it uses as hosts all suffer from a pre-existing, extreme vulnerability. I offer solutions to this problem, and I have done so for years. (Incidentally, if the AV vendors are doing their jobs properly, victims of this worm will be alerted to the vulnerability it represents -- and will be advised how to secure their shared drive. If that happens, the existence of the worm can be made to have a positive effect.)
      - I do, as of now, address the most significant truly valid concern: that a malicious-but-clueless wannabe will use the code I published to create a more hostile script (that is, make a trojan of the worm); whereas the miscreant might not manage it without my help. Now that I've crippled the script, that junior malefactor will have to crack the books before he can run it. The truly competent cracker is irrelevant; he could code something far worse in his sleep and with only the general concept to go on. And he'd scoff at the use of Visual Basic for the purpose.

Home