5

A comment from another user had me thinking. What are some well-known (or perhaps not quite so) examples of in-the-wild "malicious" software that does nothing actually malicious, but instead takes advantage of security vulnerabilities to actually patch them and make the target system more secure against future attacks?

I remember reading a couple years back about a router-targeting virus with that behavior. I can't seem to find the reports now, though.

Clarification: By "benign" I mean actively benign, as opposed to non-"actively malicious" specimens like Creeper.

Marc.2377
  • 1
    By definition, a program that spreads automatically through a computer against the owner's wishes cannot be considered truly _benign_. There were, however, some viruses and worms whose _purposes_ were benevolent. – forest Apr 12 '19 at 06:10
  • @forest, yes indeed. Benevolent is the word I was missing. Thanks :P – Marc.2377 Apr 12 '19 at 18:28

2 Answers

7

I doubt you'll find any virus which is completely benign (even fixing a vulnerability after exploiting it is still malicious behavior, even if it is intended to be beneficial), but there are plenty of examples of exploits which are. The most well-known would have to be jailbreak exploits, where a vulnerability in a proprietary and closed system is attacked intentionally by the owner of the device to "root" it and gain better control.

In the past, people released malware (viruses, worms, etc.) for fun. Some people would be particularly malicious, with their software corrupting files or rendering a system useless, whereas others would be relatively harmless, doing nothing more than spreading (sometimes too fast, which does cause harm). Back in those days, people would also occasionally release viruses which attacked other viruses. In fact, the Creeper virus you mentioned was attacked by another virus called the Reaper, which did nothing but attempt to remove Creeper infections. Of course, it was still a virus, so it can't be called entirely benign.

Another example of a "friendly worm" would be Welchia, which spread automatically through networks, patching the DCOM RPC vulnerability used by the infamous Blaster worm. Nowadays however, most malware is made for profit, and the historical "malicious mischievousness" is far less common. If you ever see a worm or virus which attempts to destroy existing infections today, the purpose is usually to destroy the competition so it can run its own payload. Some malware calls this feature "mini-AV".

forest
  • 1
    This is a good answer but it seems inverted - the strong example comes last, the mild example comes in the middle, and the caveats are the first paragraph. – gowenfawr Apr 12 '19 at 09:05
  • 1
    @gowenfawr Because I don't fully consider those latter two examples as truly benign, since they are violating the desires of the owner of the computer. It's for the same reason I would consider someone who sneaks around and vaccinates children against their parents' wishes to not be benign, despite the fact that vaccinations are good for them and the community. – forest Apr 12 '19 at 18:35
  • 2
    First thing I thought of was [Hajime](https://en.wikipedia.org/wiki/Hajime_(malware)), which got a lot of media coverage not terribly long ago. – AndrolGenhald Apr 12 '19 at 18:53

3

There have been a few of these in recent years.

Someone named "Alexey", who was patching vulnerable MikroTik routers.

https://www.zdnet.com/article/a-mysterious-grey-hat-is-patching-peoples-outdated-mikrotik-routers/

The White Team with Linux.Wifatch.

https://news.softpedia.com/news/creators-of-the-benevolent-linux-wifatch-malware-reveal-themselves-493938.shtml

The Janit0r with BrickerBot (although it bricked the vulnerable device, so it wasn't all that benevolent).

https://www.zdnet.com/article/homeland-security-warns-of-brickerbot-malware-that-destroys-unsecured-internet-connected-devices/

Some of them will "inject" then patch devices, some will simply brick them so they can't get infected and added to a botnet, and some malware will also infect a device, but patch it so it cannot be infected by anyone else (except themselves).

Aura