
Good Network Worms Made Simple

grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference, where Aitel talked about a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."
  • by WiPEOUT ( 20036 ) on Thursday October 06, 2005 @08:06AM (#13728759)
    Distributed processing capabilities and distributed network monitoring capabilities would be great, but who gets jurisdiction over what governments/companies are allowed to execute code on my PC?
  • Problem (Score:5, Insightful)

    by mysqlrocks ( 783488 ) on Thursday October 06, 2005 @08:06AM (#13728762) Homepage Journal
    Isn't the problem with most worms the network traffic they cause by spreading, not the payload? I'm not sure how they plan on keeping something that's designed to spread from spreading too quickly.
  • by DenDave ( 700621 ) * on Thursday October 06, 2005 @08:10AM (#13728779)
    So how is the unsuspecting pc (user) supposed to differentiate between worms and "nematodes"? This is an interesting idea but best not let out of the lab.
    Also, how does this chap expect to get these things to work on *nix environments? Does he propose "benevolent" rootkits?
  • by G4from128k ( 686170 ) on Thursday October 06, 2005 @08:14AM (#13728799)
    This sounds like a great way to create malware with privileges.

    It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).

  • Re:Problem (Score:2, Insightful)

    by SimilarityEngine ( 892055 ) on Thursday October 06, 2005 @08:14AM (#13728803)
    The idea is to only spread to machines with the particular vulnerability you're attempting to patch. But nevertheless, this still uses up a lot more bandwidth than would be used by people simply bothering to download the patches they need, due to scanning networks for vulnerabilities. Also, rather than having people download at their convenience (spread over a long period of time), I presume that a nematode infecting a network would cause a large surge in demand on the patch server. I can see what their motivation is, as it is frustrating when not everyone on a network is up to date, but it seems like a misguided solution.
  • Beneficial worm?? (Score:5, Insightful)

    by pesc ( 147035 ) on Thursday October 06, 2005 @08:17AM (#13728821)
    So government worms can be beneficial? What government? The US? the Chinese?

    "Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?

    If not, then this is just a normal malware worm with added propaganda and spin.
  • Re:Problem (Score:4, Insightful)

    by KiloByte ( 825081 ) on Thursday October 06, 2005 @08:22AM (#13728848)
    Simple. Just don't include any spreading code in the payload; send the worm from your own machines.
    As these "nematodes" are supposed to be used only by large companies and ISPs, their owner already possesses the network, and thus can apply the exploits to valid targets only.

    This is not such a bad concept -- with VERY few exceptions, nearly all networks are full to the brim with idiots. Setting policies can help, but often you have no real way to enforce them. Try telling your clients that Weather Bug or M$ Outlook is not something they should be using... But if you use controlled exploits right, you can fix the problems without having to deal with just the symptoms.
  • Re:Yes, but... (Score:3, Insightful)

    by SimilarityEngine ( 892055 ) on Thursday October 06, 2005 @08:26AM (#13728875)
    If so, that'd be cool - you might foresee security breaches before they even happened.
  • by RAMMS+EIN ( 578166 ) on Thursday October 06, 2005 @08:30AM (#13728897) Homepage Journal
    This sounds to me like they're fighting the symptoms, not the problem. Worms can only spread successfully because of the sorry state of software security. If we fix that, we will not only get rid of worms, but also of other problems, such as targeted attacks for information theft. Using better languages [nyud.net] to write software in can eliminate the bulk of security problems we're currently seeing. Security through diversity [virginia.edu] and not relying on known insecure software [microsoft.com] also help.
  • Re:Problem (Score:3, Insightful)

    by brennz ( 715237 ) on Thursday October 06, 2005 @08:57AM (#13729052)
    Most update tools are not cross-platform to the degree that a "smart" worm can be.

    Smart worm = a framework. Think of an exploitation framework as merely a component of this worm framework.

    Scanning - identify hosts within allowed networks.

    Reporting - Hey, we found vulnerabilities XXXX

    Exploiting - compromising those hosts

    Reporting - Hey, we exploited vulnerabilities XXXX

    Patching - Remediating the vulnerabilities on each host

    Reporting - Hey, we patched vulnerabilities XXXX

    Cleanup - Cleaning up everything

    Scanmode - looking for other vulnerable hosts

  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Thursday October 06, 2005 @09:00AM (#13729082)
    Why would you want to use a worm for that? A worm will install itself on each machine.

    Why not just run the centralized scanning tools that you mentioned?
    It would be cool if you could have these worms each perform certain functions (one to better manage spanning-tree for instance, so when a link fails spanning tree rebuilds faster for example) with some sort of AI, or really even a really good base line vs current activity comparison machine, to intelligently manage WANs and LANs.
    Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously.
    Be nice to have worms that watch for machines all of a sudden opening ports that they never have before, all of a sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network.
    The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.

    Why not just write the app to run on those in the first place? Why make it a worm?
    Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.
    What "expensive" tools?

    All you'd need is SNMP and the knowledge to setup your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.

    It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.

    Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.
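    The syslog receiver khasim describes, as an added example that is not from the thread or from any product: it parses firewall LOG lines, builds a per-host baseline of destination ports, and flags a host that starts fanning out to a port it never used before. The log lines, the iptables-style format and the three-event baseline window are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of iptables LOG messages received over syslog.
# First three lines are the "known good" baseline; the rest are checked against it.
SAMPLE_LOG = """\
Oct  6 08:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443
Oct  6 08:00:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.11 PROTO=TCP SPT=51001 DPT=80
Oct  6 08:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=41000 DPT=443
Oct  6 09:15:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.20 PROTO=TCP SPT=51100 DPT=445
Oct  6 09:15:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.21 PROTO=TCP SPT=51101 DPT=445
Oct  6 09:15:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=192.0.2.10 PROTO=TCP SPT=41001 DPT=443
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def parse(log_text):
    """Yield (src, proto, dport, dst) from lines in the LOG format; other syslog lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["proto"], int(m["dpt"]), m["dst"]

def build_baseline(events):
    """Map each internal source host to the set of (proto, dport) it has been seen using."""
    baseline = defaultdict(set)
    for src, proto, dpt, _dst in events:
        baseline[src].add((proto, dpt))
    return baseline

def find_new_ports(baseline, events, min_distinct_dst=2):
    """Return {src: {(proto, dport): {dst, ...}}} for services absent from the host's baseline
    that it contacted on at least min_distinct_dst destinations (the fan-out a scanner leaves).
    A single new connection is not reported, which keeps one-off downloads out of the alerts."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, proto, dpt, dst in events:
        if (proto, dpt) not in baseline.get(src, set()):
            seen[src][(proto, dpt)].add(dst)
    return {src: {svc: dsts for svc, dsts in svcs.items() if len(dsts) >= min_distinct_dst}
            for src, svcs in seen.items()
            if any(len(dsts) >= min_distinct_dst for dsts in svcs.values())}

def alerts_from_log(log_text, baseline_events=3):
    """Treat the first baseline_events parsed events as the baseline and check the remainder."""
    events = list(parse(log_text))
    return find_new_ports(build_baseline(events[:baseline_events]), events[baseline_events:])
```

    On the sample, 10.0.0.5 is reported for TCP/445 against two new destinations, while 10.0.0.7 stays quiet because 443 is already in its baseline.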
  • by cortana ( 588495 ) <sam@[ ]ots.org.uk ['rob' in gap]> on Thursday October 06, 2005 @09:01AM (#13729100) Homepage
    "... who gets jurisdiction over what governments/companies are allowed to execute code on my PC?"
    You do. If you don't want people exploiting holes in your PC, then patch them yourself.

    If you disagree you are entitled to try getting by without patching, instead suing those who take advantage of your PC for theft of resources, or some such, but isn't an ounce of prevention better than a pound of cure? It is surely cheaper to run apt-get update && apt-get upgrade nightly...
  • by 'nother poster ( 700681 ) on Thursday October 06, 2005 @09:22AM (#13729236)
    But, as you point out with your "theft of resources" comment, it's not their computer, it's mine. I know from the article that the worms are strictly controlled, and are supposed to exist on the corporate/ISP networks and shouldn't touch my system, but if they do, can I sue them? Under current laws would they be just as liable as the black hat worm writers? If their nematodes get out in the wild due to some bug or configuration error, do they get the same punishments as say, someone that wrote the slammer worm?
  • by G4from128k ( 686170 ) on Thursday October 06, 2005 @09:52AM (#13729456)
    Speaking of that, the sandbox these nematodes run in has to be perfect, or else it's just another malware vector.

    Exactly! But it's worse than that because the nematodes must live outside the sandbox and inside the OS at the highest level of privilege. Catching and removing malware means running at a privilege higher than that of the malicious worms. Because malware tries (and succeeds) in attacking at user and admin levels, nematodes must operate at even higher levels. Otherwise the malware can simply deactivate the nematode system (just as some current viruses deactivate antivirus apps).

    But nematodes' existence at high privilege levels makes that the ultimate target for malware writers. NASTY!

  • by danheretic ( 689990 ) on Thursday October 06, 2005 @10:59AM (#13730138) Homepage
    Yes, but it's only a matter of time before it's exploited and rewritten and unleashed on the Internet.
  • by 'nother poster ( 700681 ) on Thursday October 06, 2005 @11:19AM (#13730440)
    Now there is an informed opinion. I guess people with well maintained BMWs deserve to be involved in fewer rear end collisions than someone driving an old Cadillac whoopdie ride? Someone wearing a torn shirt and jeans deserves to be beaten and robbed because they aren't wearing haute couture?

    Should a person patch their systems? Yes. If they don't patch them, should that make it morally correct for someone else to damage or modify their property? No.
  • by dolmen.fr ( 583400 ) on Thursday October 06, 2005 @12:54PM (#13731772) Homepage
    1. Learn how to code a worm
    2. Create a "worm creation toolkit"
    3. Create a GUI for the toolkit
    4. Find a good buzz name such as "nematodes"
    5. Feed the press with your buzz words
    6. Sell your product to enterprises
    7. ...
    8. Profit!

    These guys are just black hats that want to profit from a technology only useful to black hats.

    Have a look at http://www.agentland.com/ [agentland.com] for 'smart' programs that can do good.
  • by shreyasonline ( 837068 ) on Saturday October 08, 2005 @12:39PM (#13746785) Homepage
    OK.. So we have some good worms which help admins. Now what if some cracker hacks into the Nematode network? He will be virtually owning the network! This can be very dangerous if an important (even not so important) network is hacked by an advanced mechanism.
