'Anti-worms' fight off Code Red threat

Earlier this week two separate security developers released so-called 'anti-worms' designed to clean and patch machines against variants of the Code Red worm.

Over the weekend, a German coder calling himself Herbert HexXer released a program called Code Green which patches vulnerable systems and removes backdoors left by Code Red II. Machines which have Code Green installed randomly scan the internet for NT servers infected with the Code Red variant.

After it detects an infected machine Code Green installs itself (infects?) and then downloads the Code Red patch from Microsoft to close the vulnerability. In much the same way that Code Red works, Code Green then uses the host machine to start scanning for more victims.

Also over the weekend, fellow coder Markus Kern released a similar program called CRclean which is a "passively spreading worm" that only targets systems that first attack the machine on which CRclean is running.

The program then retaliates by patching and cleaning the infected systems, before installing a copy of itself on the new host. CRclean also removes itself from the system on shutdown if the date is November 2001 or later.

Both programs leave unique signatures in the server logs of machines they modify so that they can be identified. But such methods of worm fighting have long been frowned upon by the majority of security experts, as their unorthodox techniques are suggestive of worm activity itself.

Back in May the security industry came down hard on the Linux-based Cheese worm, which patched a vulnerability exploited by the Li0n worm. Technically, such programs, no matter how good their intentions, are still modifying a system without the administrator's consent.

Applying patches randomly has also been known to cause problems on some systems. Of course, the accompanying text to Code Green and CRclean comes plastered with disclaimers.

"Be sure to know what you are doing, as this code uses 'viral/worm' techniques and could potentially cause damage. I will not take responsibility for any damage that might be caused by this code," warned HexXer.

"It should be obvious that I take no responsibility for what you do with this code. Although it doesn't contain any malicious code, don't blame me if you [damage] your network or system," said Kern.

Although the authors have not set their code loose on the internet, now the programs are in the public arena rumblings on the security grapevine suggest that it is only a matter of time before these 'worms' make their appearance.

Info on Code Green can be found here. And info on CRclean can be found here.