Sophos

Download Windows 7 security - A great leap forward or business as usual?

The Naïve Samaritan.

No, it’s not a Conrad novel.

Using the very same techniques as malware to combat malware does not place the act beyond reproach. No one is above the law … and such like.

Over the years there have been several examples of members of the general public who have written programs which attempt to clean computers infected with malware. Of course, one cannot fault the goodwill gesture towards mankind. The concern lies with the methods used, especially those intended to maximise exposure to the cleaner program. These methods tend to involve giving the cleaner the ability to spread like a worm.

A few years ago there was an outbreak of the Code Red worm for which someone decided to write a Code Green in an attempt to clean up servers infected with Code Red. Unfortunately, Code Green used exactly the same method to propagate itself from machine to machine as Code Red.

A more recent example is that of VBS/SillyAV-A, which spreads like a USB worm and attempts to reverse the effects of other malware infections. This worm modifies registry entries to re-enable the Task Manager and Regedit, in case they have been disabled by malware. It also contains the following message as a comment in its script:

"This antivirus program is intended to repair your computer from any sorts of virus attacks.
This program is exactly like a normal virus but it repairs things rather than destroying them."

From a security software perspective we have to paint both malware and cleaners which behave like malware with the same brush. We simply cannot have vigilante programs running amok on our customers’ computers. That would pose far too great a security risk.

To those Samaritans out there, our advice would be to aid us in providing cleanup in the appropriate way, by providing samples and information rather than attempting to provide the cleanup yourselves.

