Bug Watch - Beware the friendly virus

Last week, another Linux worm was making the rounds - a worm with a different twist. The goal of the Linux.Cheese.Worm was actually to close exploits opened by a previous virus, the Linux.Lion.Worm.

This type of 'friendly' virus is often described as an 'antivirus virus'. The concept has existed for over a decade, but their occurrence is rather rare.

The first was discovered in 1988 and named Den_Zuko. It was created by Denny Yanuar Ramdhani in Bandung, Indonesia and once it had infected a user's system, its intention was to detect and remove the first PC virus, Pakistani Brain.

Despite the fact that the Linux.Cheese.Worm attempts to close an exploit opened by another worm, antivirus viruses are far from welcome. First and foremost, when a virus is released, the author no longer has control over its movements.

Viruses have a life of their own and are unpredictable once released into the wild. You cannot just turn them off. This has been known since the first documented viruses were created by Xerox PARC's Jon Hepps and John Shock in 1982.

They attempted to create worms for distributed computing but the viruses got out of control and forced the shutdown of multiple systems. Fortunately, they remained within their isolated computing environment.

Secondly, such viruses can have unforeseen affects due to bugs or indirect damage. The Robert Morris internet worm, for example, caused 10 per cent of the internet to be shutdown in 1988 because a bug in the code caused the worm to replicate to a much greater degree than was anticipated.

Similarly, postings by IT professionals to security mailing lists report that the Linux.Cheese.Worm had generated a noticeable increase in their network traffic due to its need to scan arbitrary systems for the existence of the security hole.

Finally, an antivirus virus performs the same underlying malicious actions as a virus, infiltrating and modifying systems without the authorisation of the administrator.

Blindly applying patches or changing software configurations can have a disastrous impact. Most administrators will test changes to their environments for weeks at a time. Rogue code making such modifications without the approval of the administrator could lead to serious breaches of security policy or impede the performance of a system.

Fortunately, releasing such creations are no more legal than purely malicious threats. This week, Max Butler was sentenced to 18 months in prison for spreading a version of the ADM Linux worm, which attempted to close the hole that the original worm exploited.

His version was released in 1998 and reportedly infected hundreds of computers in a few days. Butler joins the relatively few other virus writers who have been sent to prison despite his supposed intentions.

A virus is a virus, and there is no such thing as a 'good' one. The inherent instability and replicating nature of a virus makes it a dangerous piece of code.

There is nothing that cannot be fixed or patched by using legitimate code which has been tested and implemented by the person responsible for that system. The simple self-replicating nature of a virus makes such code malicious despite any good intentions.