Good Network Worms Made Simple
grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference, where Aitel talked about a world in which "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."
distributed processing (Score:5, Insightful)
Problem (Score:5, Insightful)
And distinguish themselves how? (Score:3, Insightful)
Also, how does this chap expect to get these things to work on *nix environments? Does he propose "benevolent" rootkits?
"strictly controlled" == hubris (Score:4, Insightful)
It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).
Re:Problem (Score:2, Insightful)
Beneficial worm?? (Score:5, Insightful)
"Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?
If not, then this is just a normal malware worm with added propaganda and spin.
Re:Problem (Score:4, Insightful)
As these "nematodes" are supposed to be used only by large companies and ISPs, their owner already possesses the network, and thus can apply the exploits to valid targets only.
This is not such a bad concept -- with VERY few exceptions, nearly all networks are full to the brim with idiots. Setting policies can help, but often you have no real way to enforce them. Try telling your clients that Weather Bug or M$ Outlook is not something they should be using... But if you use controlled exploits right, you can fix the problems without having to deal with just the symptoms.
Re:Yes, but... (Score:3, Insightful)
Fighting the Symptoms, Not the Problem (Score:5, Insightful)
Re:Problem (Score:3, Insightful)
Smart worm = a framework. Think of an exploitation framework as merely a component of this worm framework.
Scanning - identify hosts within allowed networks.
Reporting - Hey, we found vulnerabilities XXXX
Exploiting - compromising those hosts
Reporting - Hey, we exploited vulnerabilities XXXX
Patching - Remediating the vulnerabilities on each host
Reporting - Hey, we patched vulnerabilities XXXX
Cleanup - Cleaning up everything
Scanmode - looking for other vulnerable hosts
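The stage list in the comment above, turned into running code as an added example (this is not Dave Aitel's nematode framework or any code from the thread). Hosts, vulnerability labels and the "exploit" are constructed in-memory stand-ins, so the run is entirely offline; the scope guard and the host budget are the part worth copying, because they are what makes a worm "strictly controlled" rather than merely well-intentioned:

```python
"""Simulated "nematode" cycle: scan -> report -> exploit -> report -> patch
-> report -> cleanup, with a hard scope guard and a host budget.

Added example, not code from the original thread. Inventory, vulnerability
labels (VULN-A/VULN-B) and the allowed range are constructed assumptions."""
import copy
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    ip: str
    vulns: set                      # constructed labels, not real CVE ids
    compromised: bool = False
    implant: bool = False           # the worm's foothold, removed at cleanup
    patched: set = field(default_factory=set)


# Constructed inventory: two hosts inside the authorised range, one outside it.
INVENTORY = [
    Host("10.1.0.5", {"VULN-A"}),
    Host("10.1.0.9", {"VULN-A", "VULN-B"}),
    Host("192.168.7.3", {"VULN-A"}),      # partner network: must never be touched
]
ALLOWED_NETWORKS = ["10.1.0.0/24"]          # assumed scope granted by the owner
KNOWN_FIXES = {"VULN-A", "VULN-B"}          # what this nematode knows how to patch


class Nematode:
    """One run of the scan/exploit/patch/cleanup cycle under a fixed scope and budget."""

    def __init__(self, allowed, max_hosts):
        self.allowed = [ipaddress.ip_network(n) for n in allowed]
        self.max_hosts = max_hosts          # hard cap: the "strictly controlled" part
        self.report = []                    # every stage reports, so the run is auditable

    def _log(self, stage, host, detail):
        self.report.append((stage, host.ip, detail))

    def in_scope(self, host):
        addr = ipaddress.ip_address(host.ip)
        return any(addr in net for net in self.allowed)

    # Scanning: identify hosts within allowed networks (and only those).
    def scan(self, inventory):
        targets = []
        for h in inventory:
            if not self.in_scope(h):
                self._log("scan", h, "out of scope, skipped")
                continue
            found = h.vulns & KNOWN_FIXES
            if found:
                self._log("scan", h, f"found {sorted(found)}")
                targets.append(h)
        return targets

    # Exploiting: compromising a host, simulated here by planting an implant.
    def exploit(self, host):
        if not self.in_scope(host):         # defence in depth: never fire outside scope
            raise RuntimeError(f"refusing to exploit out-of-scope host {host.ip}")
        host.compromised = True
        host.implant = True
        self._log("exploit", host, f"exploited {sorted(host.vulns & KNOWN_FIXES)}")

    # Patching: remediate every known vulnerability on the host.
    def patch(self, host):
        fixed = host.vulns & KNOWN_FIXES
        host.vulns -= fixed
        host.patched |= fixed
        self._log("patch", host, f"patched {sorted(fixed)}")

    # Cleanup: remove the foothold so nothing of the worm survives the run.
    def cleanup(self, host):
        host.implant = False
        host.compromised = False
        self._log("cleanup", host, "implant removed")

    def run(self, inventory):
        """Drive the cycle; stop at the host budget instead of spreading indefinitely."""
        done = 0
        for h in self.scan(inventory):
            if done >= self.max_hosts:
                self._log("budget", h, "host budget exhausted, left untouched")
                continue
            self.exploit(h)
            self.patch(h)
            self.cleanup(h)
            done += 1
        return self.report


def run_simulation(max_hosts=10):
    """Return (hosts by ip after the run, report) for a copy of the constructed inventory."""
    hosts = copy.deepcopy(INVENTORY)
    report = Nematode(ALLOWED_NETWORKS, max_hosts).run(hosts)
    return {h.ip: h for h in hosts}, report


if __name__ == "__main__":
    for stage, ip, detail in run_simulation()[1]:
        print(f"{stage:8} {ip:14} {detail}")
```

The out-of-scope host is reported but never touched, and once the budget is spent remaining targets are logged rather than exploited; both checks are what the "accidental tweak" worry elsewhere in this thread is about, and both are cheap to implement.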
Worms infect a machine, then jump to the next. (Score:4, Insightful)
Why not just run the centralized scanning tools that you mentioned? Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously. The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.
Why not just write the app to run on those in the first place? Why make it a worm? What "expensive" tools?
All you'd need is SNMP and the knowledge to setup your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.
It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.
Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.
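What the choke-point approach in the comment above looks like in practice, as an added example (not code from the thread): a parser for firewall syslog and a fan-out detector that flags a host talking to many distinct peers on one port, which is the signature of a worm scanning from an infected machine. The lines are constructed in iptables LOG format (the IN=/OUT=/SRC=/DST=/PROTO=/DPT= fields are what that target emits); the hosts, timestamps and the IPT-DROP prefix are invented:

```python
"""Choke-point worm detection over firewall syslog.

Added example, not from the original thread. Sample log lines are constructed
in iptables LOG format; hosts and timestamps are invented."""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")   # iptables logs are KEY=VALUE tokens


def parse_line(line):
    """Return the KEY=VALUE fields of an iptables LOG line, or None for any other syslog line."""
    if " kernel: " not in line or "SRC=" not in line:
        return None
    return dict(FIELD_RE.findall(line))


def find_scanners(lines, min_targets=8):
    """Map (src, proto, dport) -> sorted distinct destinations for sources whose fan-out
    on a single port reaches min_targets. Repeated hits on one server do not count."""
    fanout = defaultdict(set)
    for line in lines:
        fields = parse_line(line)
        if not fields or "DST" not in fields:
            continue
        key = (fields["SRC"], fields.get("PROTO"), fields.get("DPT"))
        fanout[key].add(fields["DST"])
    return {key: sorted(dsts) for key, dsts in fanout.items() if len(dsts) >= min_targets}


def _line(sec, src, dst, dport, prefix="IPT-DROP"):
    """Build one constructed iptables LOG line (timestamp and hosts are invented)."""
    return (f"Nov  2 10:15:{sec:02d} fw kernel: {prefix} IN=eth1 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF "
            f"PROTO=TCP SPT=4411 DPT={dport} WINDOW=65535 RES=0x00 SYN URGP=0")


# Constructed sample: one host fanning out to twelve peers on 445 (worm-like),
# one host hitting the same web server repeatedly (normal), and an unrelated sshd line.
SAMPLE_LOG = (
    [_line(i, "10.1.0.9", f"10.1.1.{i}", 445) for i in range(1, 13)]
    + [_line(i, "10.1.0.5", "10.1.1.20", 80) for i in range(1, 6)]
    + [_line(20, "10.1.0.5", "10.1.1.21", 80)]
    + ["Nov  2 10:15:30 fw sshd[812]: Accepted publickey for ops from 10.1.0.2 port 50122"]
)


if __name__ == "__main__":
    for (src, proto, dport), dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src} -> {len(dsts)} hosts on {proto}/{dport}: suspected scanner")
```

Counting distinct destinations per (source, port) rather than raw hits is what keeps a busy client of one server from tripping the alarm; a deployment would also bound the count to a time window and allowlist servers that legitimately fan out, such as resolvers and proxies.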
Re:distributed processing (Score:3, Insightful)
If you disagree you are entitled to try getting by without patching, and instead sue those who take advantage of your PC for theft of resources, or some such, but isn't an ounce of prevention better than a pound of cure? It is surely cheaper to run apt-get update && apt-get upgrade nightly...
Re:distributed processing (Score:2, Insightful)
Nematodes must live at super-root level (Score:3, Insightful)
Exactly! But it's worse than that, because the nematodes must live outside the sandbox and inside the OS at the highest level of privilege. Catching and removing malware means running at a privilege higher than that of the malicious worms. Because malware tries (and succeeds) in attacking at user and admin levels, nematodes must operate at even higher levels. Otherwise the malware can simply deactivate the nematode system (just as some current viruses deactivate antivirus apps).
But the nematodes' existence at high privilege levels makes them the ultimate target for malware writers. NASTY!
Re:distributed processing (Score:2, Insightful)
Re:distributed processing (Score:2, Insightful)
Should a person patch their systems? Yes. If they don't patch them, should that make it morally correct for someone else to damage or modify their property? No.
Just a worm creation toolkit... (Score:3, Insightful)
2. Create a "worm creation toolkit"
3. Create a GUI for the toolkit
4. Find a good buzz name such as "nematodes"
5. Feed the press with your buzz words
6. Sell your product to enterprises
7.
8. Profit!
These guys are just black hats that want to profit from a technology only useful to black hats.
Have a look at http://www.agentland.com/ for 'smart' programs that can do good.
What if some one hacks a 'Nematode' ... (Score:2, Insightful)