Ordinarily, stories about infectious, self-spreading computer worms fall within a spectrum that ranges from sobering to alarming. This morning the Cheese worm - which began appearing yesterday in Linux systems - has security experts and systems administrators struggling to keep a straight face as they proclaim, "Bad worm. Bad worm."
Cheese is a worm, but it at least tries to do good. It scans the Internet to locate Linux systems that have been compromised by an earlier worm named "1i0n" or "Lion." After entering by the Lion door, Cheese slams the door behind it and tries to clean up the Lion droppings. Then it looks for more systems to cleanse.
Most reporters interviewed Kevin Houle, the security analyst who authored yesterday's report on the worm for the Computer Emergency Response Team Coordination Center. ZDNet's Robert Lemos (in a report that also ran on ZDNet's parent CNET and on MSNBC) quoted Houle as saying the worm is a nice thought, but not a solution: "Essentially, it's doing the same thing that any intruder does, which is to modify a system in an unauthorized way and use it to attack other sites."
The Register's reporter pinpointed what's new about this worm: "Cheese may be the first worm which automates the exploitation not of an existing vulnerability, as most do, but of an existing compromise."
Someone who posted a message on Slashdot conjured up images of an arms race among benevolent worms. Will a mouse worm devour the Cheese worm, then succumb to the cat worm, and so on up the food chain? Another Slashdotter tutted, "It's a cute idea, really, but it has to stop."
CERT Incident Note IN-2001-05: The Cheese Worm
Computer Emergency Response Team Coordination Center
The Linux Cheese Worm: A Welcome Helper?
'Friendly' Cheese Worm Reveals Many Compromised Boxes
Cheese the Friendly Worm on the Loose
Cheese Worm Fixes Broken Linux Systems?