
Hypothetically, say I wrote a worm, call it W1, just for fun/to see if I could, and it had silently infected a large number of computers attached to the internet. Say it didn't do anything but just run on the victims' computers, silently, but without doing anything malicious. However, I'm sure I would have broken some law or another so I decide I want to silently and inconspicuously recall the worm so it is no longer running on anyone's computers so I don't get in trouble.

How would I go about doing so? I would assume the best thing to do would be write a second version of the worm W2 that again silently infects as many computers as possible, and if it detects my original worm tries to remove it. However, there are a number of problems with that:

First, not every computer already infected with W1 will be able to be infected with W2. They may have gone offline, or their virus detection could detect W2 but not W1.

Second, there is the matter of removing W2. Once W2 removes W1 if it finds it (or does nothing if it doesn't), we need to remove W2 or else this whole exercise was pointless. If we program W2 to remove itself before spreading, W2 will never spread. If we program W2 to spread for a bit before removing itself, the computer could become re-infected with W2 (unless we leave a trace there, like a file indicating W2 was there?).

So would this be feasible? Would you be able to remove W1 and W2 without any indication either were ever there? And would it be traceable back to the originator of the worm?

iobender
  • There are too many variables to account for in your hypothetical. – schroeder Mar 23 '16 at 20:14
  • I'm not a lawyer, but even spreading W2 might be considered a crime. Think of it this way: if someone breaks into your house, steals something, then breaks into your house again to return your stuff, he could (at least under some jurisdictions) be caught the second time and prosecuted even if he wasn't caught the first time. So the idea of spreading a worm-deleting worm to avoid prosecution is kind of weird. – A. Darwin Mar 23 '16 at 20:20
  • I agree with @a-darwin. That is like robbing a guy, shooting him, and then performing life-saving surgery on him and giving his wallet back. It doesn't make what you did before right, and if anything it looks worse (trying to hide the evidence). – Bacon Brad Mar 24 '16 at 04:32
  • If you know how to program, it's readily apparent as to how you can do this. – Mark Buffalo Mar 24 '16 at 04:49
  • A modular worm always contacts a C&C server for what operation to perform on the victim's machine. If the command is "spam 1.1.1.1", the worm starts sending spam to that IP address. Make sure the worm has the capability to act on a "delete yourself" command and it will happily comply. That's why everything - including malware - needs to be generic and modular. – void_in Mar 24 '16 at 08:38

2 Answers


Submit W1 to various anti-virus vendors. Eventually, after a few months, W1 will be removed from most computers by the anti-virus software and you will not need W2.

Mikhail
  • I don't think this satisfies "silently and inconspicuously recall", but I like the approach. – schroeder Mar 24 '16 at 04:20
  • I wouldn't bother submitting it to AV vendors unless the worm had potential, i.e. uses an unpatched vulnerability, could be mass distributed, etc. More information: https://security.stackexchange.com/questions/117311/im-a-white-hat-and-i-develop-my-own-viruses-should-i-report-it-when-almost-all/ – Bacon Brad Mar 24 '16 at 04:28

It would be almost impossible to recall/remove the worm once it is deployed. However, an alternative approach would be to code worm 1 to exhibit the following behavior:

  1. Contact a Command and Control server every few hours to days.
  2. If it has failed to reach the server after a few attempts, delete itself.
  3. When it reaches the server, the server can tell it to self-destruct.

This way you do not need a second worm, and the first can clean itself up in both the online and the offline scenario. However, this does require prior planning.

AstroDan
  • Yeah, the scenario I had in mind was that I had already accidentally released the worm. – iobender Mar 23 '16 at 20:20
  • OK, I misunderstood the question. I will edit further when I can come up with a better idea. However, note that total recall will be impossible. Plus, there is a fair risk that the exploit used to spread W1 will be patched and W2 will need to use completely new technology. The best solution might be to report W1 (anonymously) to Microsoft and the anti-virus providers and let them handle the removal. – AstroDan Mar 23 '16 at 20:30