Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

'Friendly' Worms Could Spread Software Fixes

Posted by Zonk on Thu Feb 14, 2008 04:54 PM
from the perfect-way-to-make-a-rogue-ai dept.
Security Worms IT
An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."

Related Stories

Firehose:MS researchers designing the "perfect worm" by Anonymous Coward
[+] Why Old SQL Worms Won't Die 64 comments
narramissic writes "In a recent ITworld article, Security researcher Brent Huston ponders how it is that versions of SQL worms dating back to 2002 represent nearly 70% of all malicious traffic on the Internet today. 'I have made a few attempts to backtrack hosts that perform the scans and at first blush many show the signs of common botnet infections. Most are not running exposed SQL themselves, so that means that the code has likely been implemented into many bot-net exploitation frameworks. Perhaps the bot masters have the idea that when they infiltrate a commercial network, the SQL exploits will be available and useful to them? My assessment team says this is pretty true. Even today, they find blank "sa" passwords and other age-old SQL issues inside major corporate clients. So perhaps, that is why these old exploits continue to thrive."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

'Friendly' Worms Could Spread Software Fixes 25 Comments More | Login /

 Full
 Abbreviated
 Hidden
More | Login
Loading... please wait.

  • Prior Art (Score:5, Informative)

    by orclevegam (940336) on Thursday February 14, @04:55PM (#22425596)
    This is a very old idea. One of the earliest worm/viruses was actually of the "white-hat" variety. Nothing to see here, move along.

    • Re:Prior Art (Score:5, Insightful)

      by deadzaphod (699097) on Thursday February 14, @04:59PM (#22425660) Homepage
      Very, very old idea. The first worm of this type was called "Reaper" and was created to kill the "Creeper" worm. http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310937 [viruslist.com]

      • Re:Prior Art (Score:5, Informative)

        by nmb3000 (741169) <nmb3000@that-google-mail-site.com> on Thursday February 14, @05:05PM (#22425786) Homepage Journal
        Very, very old idea.

        And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.

        It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even moreso since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit, there was a patch available for months before the worm was released.
        • It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did

          You could program the worm to spread based on a random calculation, and assign it a threshold so the traffic isn't excessive. This would give the worm a very low probability to survive.

          However, a better approach IMO would be to get rid of all the Genuine Advantage and activation crack, and allow boxes using old and famous activation keys (such as the "devil's own") to get updated with Windows Update.

    • Re:Prior Art (Score:5, Funny)

      by verbalcontract (909922) on Thursday February 14, @05:00PM (#22425676)

      This is a very old idea. One of the earliest worm/viruses was actually of the "white-hat" variety. Nothing to see here, move along.

      DUH. That's why my Norton Antivirus lights up when I click on those helpful "GET RID OF SPYWARE" ads?

    • This one is different. (Score:5, Insightful)

      by Bananatree3 (872975) on Thursday February 14, @05:06PM (#22425800)
      First off this wouldn't be some whitehat's haphazard cure worm like the Welchia worm. This worm would proabably be signed by microsoft, made by microsoft. from TFA:

      Because no central server needs to provide and coordinate all the downloads, Software patches that spread like worms could be faster and easier to distribute because no central server must bear all the load.
      This is more P2P patch distribution, which is not a bad idea.

      • Re:This one is different. (Score:5, Funny)

        by mhall119 (1035984) on Thursday February 14, @05:17PM (#22426010) Homepage Journal
        If only it were possible to provide a list of other servers that somehow mirrored the data available on the central server....

        Or, even better, a way to send requests to the same domain name to physically different servers...

        I think I may be on to something here.

      • Re:This one is different. (Score:4, Insightful)

        by KublaiKhan (522918) on Thursday February 14, @05:18PM (#22426032) Homepage Journal
        And what, exactly, is stopping someone from forging an MS cert on their own worm (or, simpler, giving the appearance of a legit one--y'know, like bank website phishing), exploiting the worm dispersal mechanism, and rootkitting everyone who's stupid enough to let this worm in?

  • A viral implementation of Windows Update? (Score:5, Funny)

    by lawaetf1 (613291) on Thursday February 14, @04:56PM (#22425610)
    "A friendly worm updated your computer which required a reboot."

  • Annnndddd... (Score:5, Insightful)

    by RandoX (828285) on Thursday February 14, @04:57PM (#22425624)
    What makes this any more legal than a black hat worm?

  • This is an old idea (Score:5, Insightful)

    by sm62704 (957197) on Thursday February 14, @04:58PM (#22425638) Homepage Journal
    It keeps resurfacing every now and then. Get this through your thick skulls: It's my computer. Keep your God damned hands off of it. I don't care how good your intentions are, you have no right to infect MY computer with anything at all, good or bad.

    If you use a tool like this on your own network, fine, but if I find it on my own you had better cover your tracks because I'll go ballistic.

    • not exactly (Score:5, Insightful)

      by Brigadier (12956) on Thursday February 14, @05:06PM (#22425810)

      If I'm not mistaken according to Micro Soft's EULA you don't actually own the software they do. They are just giving you permission to use it. Though you do own the hardware the worm in question would only affect or change the Soft Ware. In addition you neither own your network connection or most likely the building you live in ( dorm, apartment, mortgaged home etc) so from a purly legal stand point you have no leg to stand on. Though I do completely understand and support the meaning behind yrou rant :)
  • Anyone remember when someone did this for Blaster and created the "Welchia" worm variant? An article on it is located here: White Hat Worm [entmag.com] and Microsoft even complained that it "generated excess network traffic". Now they are proposing to do the same thing? How are they going to make the worm spread, through vulnerabilities like Welchia did? Hope they don't use an RPC vulnerability and cause your system to crash like it did!

    I guess this goes with all of the tags we've seen today on articles of "whatcouldpossiblygowrong?".

  • I can hear it already... (Score:5, Funny)

    by TheUni (1007895) on Thursday February 14, @05:01PM (#22425714)
    Customer: Something's wrong, my computer's not acting right.
    Tier1 Customer Support: Ok sir, I'd be happy to help you with that. Firstly, do you have the latest Microsoft Virus(tm) installed?
    Customer: Yes.
    Tier1 Customer Support: OK, do you have an Antivirus installed?
    Customer: Yes.
    Tier1 Customer Support: Ah, that's the problem. You'll need to remove the Antivirus in order for the Virus to function correctly. It's not safe these days to be running without the latest Virii!

  • Stupid Idea (Score:4, Interesting)

    by StillNeedMoreCoffee (123989) on Thursday February 14, @05:02PM (#22425732)
    If the mechanism exists, it will be compromised. Haven't you leaned anything yet? Better design a system that can't process a worm.

    The temptation if this became a strategy, i.e. the system can run Microsoft Worms only, would in a very short time, run Microsoft like worms.

    This seems more like and admission that their systems can't be secured.

    Or "Who's finger is in the dike? Dammit, thats not my dike!"

  • At one point, I liked this idea.... (Score:4, Interesting)

    by mbourgon (186257) on Thursday February 14, @05:08PM (#22425866) Homepage
    then we got hit with the anti-slammer worm. The slammer worm hadn't infected us, but the anti-slammer did, and wound up rebooting about 20 servers (which begs the question "why weren't they already patched?"), during the middle of the day. Pure panic mode as they started spontaneously rebooting.

  • nothing to see here... (Score:4, Informative)

    by RyLaN (608672) <satH4n@@@gmail...com> on Thursday February 14, @05:10PM (#22425886) Homepage
    http://blanu.net/curious_yellow.html/ [blanu.net]

    Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modified whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.

    IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with the data mining potentials of some of the more sophisticated extant work networks does worry me...

  • Oh yah, that'll work. (Score:4, Insightful)

    by Secret Rabbit (914973) on Thursday February 14, @05:19PM (#22426042) Journal
    Because M$ is soooo very good at normal updates:

    http://blogs.msdn.com/ie/archive/2007/12/18/post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx [msdn.com]

    (Among others) That they'll be a perfect candidate to create this type.

    For that matter, I'd really like to know how someone/people who might do this, would get around that whole illegal thing.

  • This BS creeps up time and again.... (Score:4, Insightful)

    by gweihir (88907) on Thursday February 14, @05:24PM (#22426128)
    There are no friendly worms. Compromising the security of a system, REGARDLESS OF PURPOSE, is a hostile and criminal act. There is no excuse for it. In addition, an agile black hat could hijack the worm and put its own malcode in there.

    Anybody proposing this nonsense just shows they do not even have elementary security knowledge and did not research the topic at all. Incompetents.

  • I can't wait... (Score:5, Funny)

    by hoggoth (414195) on Thursday February 14, @05:28PM (#22426176) Journal
    Till the script kiddies use this delivery mechanism to bypass all security and deliver their own custom payloads.
    Yay Microsoft! They have such good instincts when it comes to security!

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2008 SourceForge, Inc.