Counter-Hacking: Savior or Vigilante?

Is Counter-Attacking Justified?

When a new virus or worm strikes, it is somewhat understandable that many users and system administrators get caught by surprise. Even those diligent about security are exposed in the window between the malicious code beginning to spread and the antivirus vendors actually releasing the update to detect it.

But is it acceptable for users or system administrators to continue being caught "by surprise" by that same threat a year later? Two years? Is it acceptable that a good chunk of the bandwidth on the Internet, and on your ISP's network, is being chewed up by virus and worm traffic that is easily preventable?

Set aside for the moment that most recent major viruses and worms have capitalized on vulnerabilities for which patches had been available for months, and that if users patched on a timely basis the virus wouldn't be a threat in the first place. Even forgetting that, it still seems reasonable that once a new threat is detected and the antivirus and operating system vendors release patches and updates to fix the vulnerabilities and to detect and block the threat, all users should apply the necessary updates to protect themselves and the rest of us who share the Internet community with them.

If a user, through ignorance or choice, does not apply the necessary patches and updates and continues to propagate the infection, does the community have a right to respond?

Many consider it morally and ethically wrong: it is simple vigilantism. Those on that side of the fence would argue that taking matters into your own hands to retaliate, or to respond automatically to the threat, makes you no better than the original attacker from a legal standpoint.

Recently the W32/Fizzer@MM worm was spreading rapidly around the Internet. One facet of the worm was that it connected to a specific IRC channel to look for updates to its own code. That IRC channel was shut down so the worm could not update itself. Some IRC operators then took it upon themselves to write code that would automatically disable the worm, and to serve that code from the same channel. Any infected machine that connected looking for worm updates would instead have the worm disabled. The code was subsequently removed until further investigation could be done on the legality of such a strategy.

Should it be legal? Why not? In this particular case there seems to be little to no chance of affecting an uninfected machine. The operators did not retaliate by broadcasting their own anti-worm; they posted "vaccination" code on a site that only the worm seeks out. Arguably, only infected devices would have any reason to connect to that site, and those devices obviously needed the vaccine. If the owners of those devices either did not know or did not care that their machines were infected, shouldn't it be considered a service that these operators tried to clean them up?

Intrusion detection systems (IDS) at one point tried to implement a method of blocking attacks called "shunning": if the number of unauthorized packets detected from an address exceeded some established threshold, the device would automatically create a rule to block future packets from that address. The problem with a technique like this is that the attacker controls the source address in the IP header. By forging packets so the source appeared to be the IDS device's own address, an attacker could make the sensor block itself and in effect shut it down. The same trick with the address of the default gateway, a DNS server or a business partner turns the "defense" into a denial of service against legitimate traffic, which is why blind, unauthenticated automatic blocking fell out of favor.
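The following simulation is an added example, not code from the original article. It models a naive shunning engine and shows a blind attacker forging five "malicious" packets with the sensor's and the gateway's addresses as source, so the device shuns its own infrastructure. A hardened variant adds the two guards a practitioner would want: an allowlist of addresses that are never blocked, and a requirement that the offending packets belong to a TCP connection whose three-way handshake the sensor observed completing (a blind spoofer never sees the SYN-ACK, so cannot finish it). All addresses, thresholds and the packet model are constructed for illustration; TCP sequence-number validation is deliberately not modeled.

```python
"""Simulation of IDS "shunning" and its spoofed-source failure mode.

Added example, not code from the original article. Addresses, threshold and
the packet model are constructed for illustration.
"""
from collections import Counter

# Constructed addresses (assumptions for the simulation).
SENSOR_IP = "10.0.0.2"       # the IDS sensor's own address
GATEWAY_IP = "10.0.0.1"      # default gateway the protected network depends on
SERVER_IP = "10.0.0.10"      # host the IDS protects
ATTACKER_IP = "203.0.113.7"  # TEST-NET address for the attacker's real host


class Packet:
    """Minimal packet: source, destination, TCP flags and the signature verdict."""
    def __init__(self, src, dst, flags="", malicious=False):
        self.src, self.dst, self.flags, self.malicious = src, dst, flags, malicious


class NaiveShunner:
    """Block a source after `threshold` malicious packets, no questions asked."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.counts = Counter()
        self.blocked = set()

    def observe(self, pkt):
        if pkt.src in self.blocked:
            return "dropped"
        if pkt.malicious:
            self.counts[pkt.src] += 1
            if self.counts[pkt.src] >= self.threshold:
                self.blocked.add(pkt.src)
                return "shunned"
        return "allowed"


class HardenedShunner(NaiveShunner):
    """Same policy plus an allowlist and a completed-handshake requirement."""
    def __init__(self, threshold=5, never_block=()):
        super().__init__(threshold)
        self.never_block = frozenset(never_block)
        self.half_open = set()    # peers the protected host answered with SYN-ACK
        self.established = set()  # peers that then ACKed (handshake complete)

    def observe(self, pkt):
        # Track the handshake from the protected host's point of view.
        if pkt.src == SERVER_IP and pkt.flags == "SA":
            self.half_open.add(pkt.dst)
            return "allowed"
        if pkt.src in self.half_open and "A" in pkt.flags and "S" not in pkt.flags:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
        if pkt.src in self.blocked:
            return "dropped"
        # Only count packets from peers that finished a handshake, never from the allowlist.
        if pkt.malicious and pkt.src not in self.never_block and pkt.src in self.established:
            self.counts[pkt.src] += 1
            if self.counts[pkt.src] >= self.threshold:
                self.blocked.add(pkt.src)
                return "shunned"
        return "allowed"


def spoof_attack(shunner, spoofed_src, n=5):
    """Blind attacker forges n malicious packets claiming to come from spoofed_src."""
    for _ in range(n):
        shunner.observe(Packet(spoofed_src, SERVER_IP, "PA", malicious=True))
    return spoofed_src in shunner.blocked


def real_attack(shunner, src=ATTACKER_IP, n=5):
    """Attacker who really owns src completes the handshake, then sends malicious payloads."""
    shunner.observe(Packet(src, SERVER_IP, "S"))
    shunner.observe(Packet(SERVER_IP, src, "SA"))
    shunner.observe(Packet(src, SERVER_IP, "A"))
    for _ in range(n):
        shunner.observe(Packet(src, SERVER_IP, "PA", malicious=True))
    return src in shunner.blocked


def run_scenarios():
    naive = NaiveShunner()
    hardened = HardenedShunner(never_block={SENSOR_IP, GATEWAY_IP})
    return {
        "naive_shuns_sensor": spoof_attack(naive, SENSOR_IP),        # self-inflicted outage
        "naive_shuns_gateway": spoof_attack(naive, GATEWAY_IP),      # network-wide outage
        "naive_shuns_attacker": real_attack(naive),
        "hardened_shuns_sensor": spoof_attack(hardened, SENSOR_IP),  # forgery ignored
        "hardened_shuns_gateway": spoof_attack(hardened, GATEWAY_IP),
        "hardened_shuns_attacker": real_attack(hardened),            # real attacker still shunned
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The handshake requirement is the important part: an attacker who cannot receive replies for a forged address cannot complete the exchange, so the sensor stops taking the source field at face value. Real sensors additionally verify sequence numbers and expire blocks after a timeout.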

A similar issue comes into play when trying to respond to email-borne viruses. Many of the newer viruses spoof the sender address, typically using one harvested from the infected machine's address book. Any automated attempt to reply to the apparent sender to let them know they are infected is therefore misguided: the warning goes to an innocent third party, and the infected machine never hears about it.
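As an added example, not code from the original article, the script below shows one way a mail gateway can avoid sending "you are infected" notices to forged addresses: it only treats the From: address as trustworthy when the gateway's own Authentication-Results header records an SPF or DKIM pass whose domain aligns with the From: domain. This goes beyond the article, which predates wide SPF and DKIM deployment; the policy, the gateway identifier `mx.example.net`, and the three sample messages are all constructed for illustration.

```python
"""Decide whether an infection notice can safely be sent back to the sender.

Added example, not code from the original article. The policy (notify only an
authenticated, aligned sender) and all sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Identifier our own gateway stamps into Authentication-Results (assumption).
OUR_AUTHSERV_ID = "mx.example.net"


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def aligned_auth_pass(msg):
    """True if From: is backed by an aligned SPF or DKIM pass recorded by our gateway."""
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    if not from_dom:
        return False
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in hdr.split(";") if p.strip()]
        # Ignore Authentication-Results headers the sender could have inserted itself.
        if not parts or parts[0].split()[0].lower() != OUR_AUTHSERV_ID:
            continue
        for clause in parts[1:]:
            tokens = clause.split()
            method, _, result = tokens[0].partition("=")
            props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            if method == "spf" and result == "pass" and _domain(props.get("smtp.mailfrom", "")) == from_dom:
                return True
            if method == "dkim" and result == "pass" and props.get("header.d", "").lower() == from_dom:
                return True
    return False


def notification_target(raw_message):
    """Return the address to notify, or None when a reply would hit a third party."""
    msg = message_from_string(raw_message)
    if not aligned_auth_pass(msg):
        return None
    return parseaddr(msg["From"])[1]


# Constructed sample: worm mail with a harvested, forged From: address; SPF fails.
WORM_MAIL = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bob@example.org
Received: from 198.51.100.23 (unknown [198.51.100.23]) by mx.example.net
From: Bob <bob@example.org>
To: carol@example.net
Subject: Check this out
Content-Type: application/octet-stream

<malicious attachment omitted>
"""

# Constructed sample: the worm forged a "pass" result under someone else's authserv-id.
FORGED_MAIL = """\
Authentication-Results: mx.elsewhere.example; spf=pass smtp.mailfrom=bob@example.org
From: Bob <bob@example.org>
To: carol@example.net
Subject: Re: your document

<malicious attachment omitted>
"""

# Constructed sample: genuine mail from an infected but authenticated sender.
AUTH_MAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=dave@example.com; dkim=pass header.d=example.com
From: Dave <dave@example.com>
To: carol@example.net
Subject: report

<malicious attachment omitted>
"""

if __name__ == "__main__":
    for label, raw in (("worm", WORM_MAIL), ("forged", FORGED_MAIL), ("authenticated", AUTH_MAIL)):
        print(f"{label}: notify {notification_target(raw)}")
```

The usual operational choice is the same as here: quarantine and log, and notify only when the sender can be tied to the message by something the worm cannot forge.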

According to Black's Law Dictionary, self defense is defined as "that degree of force which is not excessive and is appropriate in protecting oneself or one's property. When such force is used, a person is justified and is not criminally liable, nor liable in a tort." Based on this definition, it seems that a "reasonable" response is warranted and legal.

One distinction, however, is that with viruses and worms we are generally talking about users who don't know they are infected. So it isn't so much like retaliating with reasonable force against a mugger who is attacking you. A better analogy is a person who parks their car on a hill and doesn't set the parking brake. When they walk away and the car begins rolling down the hill toward your house, are you within your rights to jump in and stop it, or divert it by whatever "reasonable" means you can? Would you be prosecuted for grand theft auto for getting into the car, or for willful destruction of property if you diverted it into something else? I doubt it.

When we talk about the fact that Nimda is still actively traveling around the Internet infecting unprotected users, it affects the whole community. The user may have sovereignty over their computer, but they don't, or shouldn't, have sovereignty over the Internet. They can do what they want with their computer in their own world, but once they connect to the Internet and impact the community they should be subject to certain expectations and guidelines for participating in it.

I don't think individual users should take to retaliating, just as individual citizens shouldn't hunt down criminals. In the real world we have police and other law enforcement agencies responsible for that; unfortunately, we have no Internet equivalent. There is no group or agency with the authority to police the Internet and reprimand or penalize those who violate the guidelines of the community.

To try and establish such an organization would be daunting because of the global nature of the Internet. A rule that applies in the United States may not apply in Brazil or Singapore.

Even without a “police force” with the authority to enforce rules or guidelines on the Internet, should there be an organization or organizations with the authority to create counter-worms or virus vaccines that would proactively seek out infected computers and attempt to clean them? Ethically, would invading a computer with the intent to clean it be any better than the virus or worm that invaded the computer in the first place?

There are more questions than answers right now, and it is something of a slippery slope to start down. Counter-attacking falls into a large gray area between reasonable self-defense and stooping to the level of the original malicious code developer. The gray area needs to be investigated, though, and some direction needs to be given on how to handle members of the Internet community who remain vulnerable to, or keep propagating, threats for which fixes are readily and freely available.