But, is it acceptable for users or system administrators to continue being caught by surprise by that same threat a year later? Two years? Is it acceptable that a good chunk of the bandwidth on the Internet and on your ISP is being chewed up by virus and worm traffic that is easily preventable?
Set aside for the moment that most recent major viruses and worms have capitalized on vulnerabilities for which patches had been available for months, and that if users patched on a timely basis the virus would not be a threat in the first place. Even forgetting that fact, it still seems reasonable that once a new threat is detected, and the antivirus and operating system vendors release patches and updates to fix the vulnerabilities and to detect and block the threat, all users should apply the necessary updates to protect themselves and the rest of us who share the Internet community with them.
If a user, through ignorance or choice, does not apply the necessary patches and updates and continues to propagate the infection, does the community have a right to respond? Many consider it morally and ethically wrong. It is simple vigilantism. Those on that side of the fence would argue that taking matters into your own hands to retaliate or automatically respond to the threat makes you no better than the original threat from a legal standpoint.
Recently the W32/Fizzer@MM worm was spreading rapidly around the Internet. One facet of the worm was that it connected to a specific IRC channel to look for updates to its own code. That IRC channel was shut down so the worm could not update itself. Some IRC operators took it upon themselves to write code that would automatically disable the worm, and to host that code on the same IRC channel. This way, any infected machine that tried to connect for updates to the worm code would automatically have the worm disabled. The code was subsequently removed until further investigation could be done on the legalities of such a strategy.
Should it be legal? Why not? In this particular case there seems little to no chance of affecting an uninfected machine. They did not retaliate by broadcasting their own anti-worm. They posted vaccination code on a site that the worm seeks out. Arguably, only infected devices would have any reason to connect to the site, and those devices would obviously need the vaccine. If the owners of those devices either did not know or did not care that their machine was infected, shouldn't it be considered a service that these operators performed in trying to clean them up?
Intrusion detection system (IDS) devices at one point tried to implement a method of blocking attacks called shunning. If the number of unauthorized packets detected from one address exceeded some established threshold, the device would automatically create a rule to block future packets from that address. The problem with a technique like this is that attackers can spoof the source address on IP packets. By forging the packet headers so that the source IP appeared to be the IDS device's own address, an attacker could make the device block its own IP address and in effect shut down the IDS sensor.
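To make that failure mode concrete, here is an added toy example (not code from the original article): a shunning rule generator run over constructed alert lines, first as described above and then with a guard so that addresses the sensor depends on are never auto-blocked. The sensor address 10.0.0.5, the threshold of 3 and the alert format are all assumed for the example.

```python
# Added example, not from the original article: a toy "shunning" rule
# generator that shows why auto-blocking on the claimed source address is
# dangerous when that address can be spoofed, and one defensive fix.
from collections import Counter

SENSOR_IP = "10.0.0.5"   # assumed address of the IDS sensor itself
THRESHOLD = 3            # unauthorized packets from one source before shunning

# Constructed sample alerts in the form "src_ip dst_ip verdict". The last
# three unauthorized lines carry a forged source equal to the sensor's own IP.
SAMPLE_ALERTS = """\
198.51.100.7 10.0.0.20 unauthorized
198.51.100.7 10.0.0.21 unauthorized
198.51.100.7 10.0.0.22 unauthorized
10.0.0.5 10.0.0.20 unauthorized
10.0.0.5 10.0.0.21 unauthorized
10.0.0.5 10.0.0.22 unauthorized
203.0.113.9 10.0.0.20 authorized
"""

def count_unauthorized(alert_text):
    """Count unauthorized packets per claimed source address."""
    counts = Counter()
    for line in alert_text.splitlines():
        src, _dst, verdict = line.split()
        if verdict == "unauthorized":
            counts[src] += 1
    return counts

def naive_shun(alert_text, threshold=THRESHOLD):
    """Shunning as described: block every source that trips the threshold.
    The source field is attacker-controlled, so this will block the sensor
    itself when the attacker forges packets with the sensor's address."""
    counts = count_unauthorized(alert_text)
    return sorted(src for src, n in counts.items() if n >= threshold)

def guarded_shun(alert_text, never_block, threshold=THRESHOLD):
    """Same threshold logic, but addresses in never_block (the sensor, and by
    extension anything whose loss would take the sensor offline) are only
    flagged for a human to review, never turned into a block rule."""
    counts = count_unauthorized(alert_text)
    blocked, flagged = [], []
    for src, n in counts.items():
        if n < threshold:
            continue
        (flagged if src in never_block else blocked).append(src)
    return sorted(blocked), sorted(flagged)
```

The naive version happily emits a block rule for 10.0.0.5; the guarded version blocks only the real attacker and hands the suspicious self-addressed hits to an operator.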
A similar issue comes into play when trying to respond to email-borne viruses. Many of the newer viruses spoof the sender address. Therefore any automated attempt to reply to the apparent sender to let them know they are infected would be misguided: the notice goes to someone who was never infected, not to the machine that sent the message.