'Friendly' Worms Could Spread Software Fixes
An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."
Prior Art (Score:5, Informative)
Re:Prior Art (Score:5, Insightful)
Re:Prior Art (Score:5, Informative)
And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.
It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even more so since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit, there was a patch available for months before the worm was released.
Re:Prior Art (Score:5, Interesting)
You could program the worm to spread based on a random calculation, and assign it a threshold so the traffic isn't excessive. This would give the worm a very low probability to survive.
However, a better approach IMO would be to get rid of all the Genuine Advantage and activation crack, and allow boxes using old and famous activation keys (such as the "devil's own") to get updated with Windows Update.
Re:Prior Art (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re:Prior Art (Score:5, Funny)
DUH. That's why my Norton Antivirus lights up when I click on those helpful "GET RID OF SPYWARE" ads?
Bad idea (Score:3, Insightful)
Re: (Score:3, Interesting)
Unfortunately, without the infrastructure in place, it's going to be much harder to ensure that nothing goes wrong.
Re: (Score:3, Funny)
Re:Prior Art (Score:5, Funny)
We can survive salt water, high EMP fields, and power outages. A computer can't handle carpet.
My money's always going to be on the meatbags.
Re:Prior Art (Score:5, Funny)
- Chapek 9 robot general
This one is different. (Score:5, Insightful)
Re:This one is different. (Score:5, Funny)
Or, even better, a way to send requests to the same domain name to physically different servers...
I think I may be on to something here.
Re: (Score:3, Funny)
Then again, it'll never catch on. Who's ever gonna download more than 2mb anyway? The tubes would get clogged!
It's OK, Comcast will block it.
Re:This one is different. (Score:4, Insightful)
Re: (Score:2)
And what, exactly, is stopping MS from sending out a worm with security bugs? Given Microsoft's current security track record, I think this would be a bad idea.
Not only is this an old idea, it was dismissed long ago as a bad idea. I'm amused that Microsoft is only now discovering it.
Many other measures besides certificates... (Score:2)
1) Every time a "P2P patch" is detected, Windows calculates the patch's MD5 hash and sends it to Microsoft. If Windows receives an OK message from Microsoft it's allowed in. And not just a standard "okay" packet, but an encrypted one. You could also have a whitelist on Microsoft's site and Windows goes out to it and checks its hash against it.
2) Encrypt the patch, and require Windows to go out to Microsoft's site to get a
Cryptographic signatures? (Score:2, Informative)
Re: (Score:3, Insightful)
Did you pay any attention to the last 30 years or so of cryptography [wikipedia.org]? Any peer-to-peer patch distribution system would use digital signatures that are difficult to fake. The corresponding public keys would be distributed with the OS install or through some other secure mechanism (SSL from the main update site or similar). Any attacker that can install their own key could install a worm through that route anyway.
P2P is quite good at solving intermittent high demand distribution problems, and is quite we
Re: (Score:2)
Why would you have to "let [it] in"? The white hat worm spreads itself via the same mechanism as the black hat worm, and closes the vulnerability behind it. You're vulnerable to both of them or neither of them, but either way, you don't have to "let" anything in.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
Modern p2p protocols use cryptography (usually secure hashes, but cryptographically signed data also works) to verify that what you downloaded is authentic.
In the case of secure hashes, you only have to trust that you got the hash value from a trusted source. In other words, you have to trust the original distributor as well as any intermediate distributor that provides the hash.
With signed data you don't even have to trust any intermediate distributor. The data
Re: (Score:2)
Honestly, this sort of thing is well understood--it's just hard to get users to do it. It can be done automatically, however, in some cases.
Honestly! (Score:2)
The thing is, now we can "Let" access come from a good worm, and deny access from a good worm. Also, we now have the tech to have the good worm live a lifespan, for instance, terminating itself on a timer or home connection count, etc such as to reduce the potential hole it leaves open. Or it could be a "signed" worm.
It's definitely an old idea, but one that we now have a way to make it P2P.
Re: (Score:2)
That's completely true. I guess I wasn't thinking of that. If it was a whitehat type of worm, though, it will never get out of Redmond. People will cry, and rightfully so w/ good reason, that their rights will be violated, or just plain old Microphucked.
I love the idea of P2P distribution of hotfixes ala Bliztorent, and that has a much higher probability of seeing the light of day in an OS situation than a true worm does. Even if a white worm distributed fixes, black worms would just distrubut
Re: (Score:2)
Re: (Score:2)
An old AND bad idea (Score:2)
And besides being old, this is also a bad idea for two reasons:
So, what... (Score:2)
Re: (Score:2)
I couldn't find a wikipedia link to cover this idea, but uncyclopedia [uncyclopedia.org] has one.
-mcgrew
Re: (Score:2)
Re: (Score:2)
A viral implementation of Windows Update? (Score:5, Funny)
Re:A viral implementation of Windows Update? (Score:4, Insightful)
Annnndddd... (Score:5, Insightful)
Re:Annnndddd... Well, these worm (Score:5, Funny)
Re:Annnndddd... (Score:5, Insightful)
That's right, none. There's your clue.
MOD PARENT UP! (Score:2)
Re: (Score:2)
So for people who can't deal with different disjunctive categories let me make a summary: still illegal, better than a virus, not ideal.
Re: (Score:2)
This is an old idea (Score:5, Insightful)
If you use a tool like this on your own network, fine, but if I find it on my own you had better cover your tracks because I'll go ballistic.
Re: (Score:2)
Re: (Score:2, Insightful)
Re: (Score:2, Interesting)
What's more, it'll make one hell of a fun class action suit.
If they had any sense, MS would nip this one in the bud...but then, they're the ones who gave us Windows Me, so...
not exactly (Score:5, Insightful)
If I'm not mistaken, according to Microsoft's EULA you don't actually own the software, they do. They are just giving you permission to use it. Though you do own the hardware, the worm in question would only affect or change the software. In addition you neither own your network connection nor most likely the building you live in (dorm, apartment, mortgaged home etc.), so from a purely legal standpoint you have no leg to stand on. Though I do completely understand and support the meaning behind your rant
Re: (Score:2)
Microsoft doesn't own a single piece of software on this computer, or my home box. If they want to start "attacking" my systems with worms, maybe I should disassemble one of them and "fix" it. I'm sure most of you can figure out what would be the best way to "repurpose" such a stupid idea.
Re: (Score:2, Insightful)
If you want to argue that route you can still prove that you own the router, network cable, processor etc. so you still own the last few feet they are trespassing on. Heck, renters still have a right to use lethal force against an intruder in many states. So there is a legal leg to stand on.
Regardless privacy is the main concern.
Re: (Score:2, Funny)
Re: (Score:3, Insightful)
Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?
What if his ten year old child (or neighbor kid) installs it?
What if it's already instal
Re:not exactly (Score:4, Informative)
3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.
http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com]
Re: (Score:2)
It would be nice if someone could do something about the spam-bots. I don't think anyone would mind a worm infecting a zombie. If you can't secure your own computer, maybe anyone on the net should have the right of attack? Is there a sure-way to identify a computer
Re: (Score:2)
~D
Re: (Score:2, Interesting)
A well designed "white hat worm" could just sit and listen for a while until it got hit with a computer probing for the vulnerability and then infect and fix the computer that did
My Tin foil hat part of my brain says... (Score:2, Redundant)
Re: (Score:2)
Re: (Score:2)
Just what we need... (Score:2, Insightful)
Caused Issues the last time someone tried it.. (Score:5, Insightful)
I guess this goes with all of the tags we've seen today on articles of "whatcouldpossiblygowrong?".
3-2-1 tagged "whatcouldpossiblygowrong" (Score:3, Insightful)
I can hear it already... (Score:5, Funny)
Tier1 Customer Support: Ok sir, I'd be happy to help you with that. Firstly, do you have the latest Microsoft Virus(tm) installed?
Customer: Yes.
Tier1 Customer Support: OK, do you have an Antivirus installed?
Customer: Yes.
Tier1 Customer Support: Ah, that's the problem. You'll need to remove the Antivirus in order for the Virus to function correctly. It's not safe these days to be running without the latest Virii!
NO shortage of worms (Score:2)
Re: (Score:2)
This has nothing to do with security, it's a means of saving money for Microsoft. If they can push their updates via worms, they use MY bandwidth to distribute their updates rather than their own.
Evil, sneaky bastards, ain't they? Tami [slashdot.org] would be proud.
-mcgrew
(PS- don't click that link, it will infect you with the "Tami" virus)
Re: (Score:2)
If that's the worst mistake I make today I'm in good shape.
Stupid Idea (Score:4, Interesting)
The temptation if this became a strategy, i.e. the system can run Microsoft Worms only, would in a very short time, run Microsoft like worms.
This seems more like an admission that their systems can't be secured.
Or "Whose finger is in the dike? Dammit, that's not my dike!"
But Just hope.... (Score:2)
Thought of doing this once (Score:2)
Funny (Score:2)
Planned it All Along (Score:2)
Legality (Score:2)
IANAL but it's interesting that they are conducting this research in England, at the very least this would require a change in the EULA that MSFT could be deemed an "authorised user" of the computer, from the Computer Misuse Act 1990 [hmso.gov.uk]:
Worm Wars! (Score:2)
At one point, I liked this idea.... (Score:4, Interesting)
Extremely bad idea (Score:3, Insightful)
What about all the security admins who filter traffic based on pattern matches and ports? So now when we see a spike in traffic from thousands of machines going to 1433 on successive IPs we're supposed to somehow make a diagnosis on whether it's good or bad traffic? It's unnecessary overhead on the network. Whatever its intention, auto fixing of problems and specifically designed auto replicating extra internet traffic is a bad idea.
nothing to see here... (Score:4, Informative)
Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modifying whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.
IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with the data mining potentials of some of the more sophisticated extant work networks does worry me...
Why not use P2P? (Score:2)
1) Check Microsoft's servers for a list of needed updates with MD5 hashes for those updates.
2) Check bittorrent or some other P2P network (perhaps even a custom one) for those updates.
3) Download the file, compare it against the MD5 hash.
4) If it doesn't match, delete it and find it on another computer. If it does match, alert the user to install the update. (Or install it automatically if that's the setting t
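Editor's added example, not part of the comment above or of any Microsoft code: a Python sketch of steps 1 to 4, where a client holds a manifest from the vendor, pulls the file from untrusted peers, and keeps only a copy whose size and digest match. It uses SHA-256 where the comment says MD5, because practical MD5 collisions make it unsuitable for authenticating downloads; the update ID, peer names and payload are constructed placeholders, and the manifest is assumed to arrive over an authenticated channel.

```python
import hashlib
import hmac

# Constructed sample data: the "official" update and what three peers serve.
GOOD_PATCH = b"KB-EXAMPLE patch payload v1\n" * 64
MANIFEST = {  # step 1: assumed fetched from the vendor over an authenticated channel
    "KB-EXAMPLE": {
        "size": len(GOOD_PATCH),
        "sha256": hashlib.sha256(GOOD_PATCH).hexdigest(),
    }
}
PEERS = {  # hypothetical peers; only the last one serves the real file
    "peer-a": GOOD_PATCH[:-10],                   # truncated transfer
    "peer-b": GOOD_PATCH.replace(b"v1", b"vX"),   # tampered, same length
    "peer-c": GOOD_PATCH,
}


def verify(entry, data):
    """Step 3: accept data only if size and digest match the manifest entry."""
    if len(data) != entry["size"]:
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, entry["sha256"])


def fetch_update(update_id, manifest, peers):
    """Steps 2-4: try peers in turn, discard mismatches, return the first good copy."""
    entry = manifest[update_id]
    rejected = []
    for name, data in peers.items():
        if verify(entry, data):
            return data, name, rejected
        rejected.append(name)  # step 4: drop the bad copy, try another peer
    return None, None, rejected  # no peer had a valid copy: install nothing


if __name__ == "__main__":
    data, source, rejected = fetch_update("KB-EXAMPLE", MANIFEST, PEERS)
    print("accepted from:", source, "rejected:", rejected)
```

The check only moves trust from the peers to the manifest: whoever can alter the manifest controls what gets installed, which is why the manifest itself needs a signature or an authenticated transport.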
Re: (Score:2)
By using a worm to distribute the fix they are, in effect, creating a peer-to-peer network. The difference is that in your scenario the machine initiates the upgrade process, while in Microsoft's the machine is given the upgrade. If you are running something critical, you can tell it to wait and come back later. Will Micr
Still illegal (Score:2)
To paraphrase many cartoon pets... (Score:2)
Good vs. bad worms/viruses? (Score:2)
Liability bomb (Score:2)
With most viruses, you haven't a clue where they come from, so you can't sue. This one will likely be cryptographically signed.
Oh yah, that'll work. (Score:4, Insightful)
http://blogs.msdn.com/ie/archive/2007/12/18/post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx [msdn.com]
(Among others) That they'll be a perfect candidate to create this type.
For that matter, I'd really like to know how someone/people who might do this, would get around that whole illegal thing.
This BS creeps up time and again.... (Score:4, Insightful)
Anybody proposing this nonsense just shows they do not even have elementary security knowledge and did not research the topic at all. Incompetents.
Re: (Score:2)
I can't wait... (Score:5, Funny)
Yay Microsoft! They have such good instincts when it comes to security!
Anyone else think Futurama: Friendly Worms? (Score:2)
Interesting Idea (Score:2)
I foresee legal problems, trojans, network bandwidth being wasted, and new bugs introduced. "No Sir, I don't like it."
--Pathway
Microsoft must love going to court (Score:2)
Riiiighht.... (Score:2)
Sounds like a game I used to play (Score:2, Interesting)
Time sure flies ... (Score:2)
Oh, wait... they're serious?!?!?!?
Why not use bittorrent? (Score:2, Interesting)
No. Just Stop. (Score:2)
And even if you accept, for a moment, the premise that this worm could actually work without any collateral damage (which is unacceptable), do you REALLY want Microsoft (or any entit
No wonder Microsoft produces unsecure code... (Score:2)
No seriously...they're now writing the virus?!!! I guess they've given up on actually producing relatively secure software then...
Just like the old saying - if you can't beat them, join them.
Yet another reason to go to Linux, Mac, or something else.
What's going to stop.... (Score:2)
Bad idea (Score:2)
END COMMUNICATION
not again (Score:2)
What's MS at? Reinventing old, bad ideas, again?