An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."
And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.
It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even moreso since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit, there was a patch available for months before the worm was released.
It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did
You could program the worm to spread based on a random calculation, and assign it a threshold so the traffic isn't excessive. This would give the worm a very low probability to survive.
However, a better approach IMO would be to get rid of all the Genuine Advantage and activation crack, and allow boxes using old and famous activation keys (such as the "devil's own") to get updated with Windows Update.
We need these friendly worms to patch these systems. How else than with lots of rapidly spreading, good intentioned automata are we to pave the very long road to Hell on time and under budget?
MS already sat on AUtopatcher because they said that they lost control of the distribution and a malicious patch could slip in. With the worm thing it is a bazzillion times worse. So many more potential points of infection.
It could be done right with the correct combination of hardware, software, and keys. Use TPM to verify that the worm is valid and to verify the keys, then standard use of certificates and signing can be used to ensure that the patches aren't tampered with before they hit the drive.
Unfortunately, without the infrastructure in place, it's going to be much harder to ensure that nothing goes wrong.
Yeah, but this is a beautifully-summarized "plot point" on our way to the inevitable: SkyNet, or the Matrix, or whatever you want to call the rise of the machines.
First off this wouldn't be some whitehat's haphazard cure worm like the Welchia worm. This worm would proabably be signed by microsoft, made by microsoft. from TFA:
Because no central server needs to provide and coordinate all the downloads, Software patches that spread like worms could be faster and easier to distribute because no central server must bear all the load.
This is more P2P patch distribution, which is not a bad idea.
And what, exactly, is stopping someone from forging an MS cert on their own worm (or, simpler, giving the appearance of a legit one--y'know, like bank website phishing), exploiting the worm dispersal mechanism, and rootkitting everyone who's stupid enough to let this worm in?
Did you pay any attention to the last 30 years or so of cryptography [wikipedia.org]? Any peer-to-peer patch distribution system would use digital signatures that are difficult to fake. The corresponding public keys would be distributed with the OS install or through some other secure mechanism (SSL from the main update site or similar). Any attacker that can install their own key could install a worm through that route anyway.
P2P is quite good at solving intermittent high demand distribution problems, and is quite we
There is absolutly no need to trust your peers. Modern p2p protocols use cryptography (usually secure hashes, but cryptographically signed data also works) to verify that what you downloaded is authentic.
In the case of secure hashes, you only have to trust that you got the hash value from a trusted source. In other words, you have to trust the original distributor as well as any intermediate distibutor that provides the hash.
With signed data you don't even have to trust any intermediate distributor. The data
I thought the exact same thing, minus the move along part.
The thing is, now we can "Let" access come from a good worm, and deny access from a good worm. Also, we now have the tech to have the good worm live a lifespan, for instance, terminating itself on a timer or home connection count, etc such as to reduce the potential hole it leaves open. Or it could be a "signed" worm.
It's definately an old Idea, but one that we now have a way to make it P2P.
It keeps resurfacing every now and then. Get this through your thick skulls: It's my computer. Keep your God damned hands off of it. I don't care how good your intentions are, you have no right to infect MY computer with anything at all, good or bad.
If you use a tool like this on your own network, fine, but if I find it on my own you had better cover your tracks because I'll go ballistic.
If I'm not mistaken according to Micro Soft's EULA you don't actually own the software they do. They are just giving you permission to use it. Though you do own the hardware the worm in question would only affect or change the Soft Ware. In addition you neither own your network connection or most likely the building you live in ( dorm, apartment, mortgaged home etc) so from a purly legal stand point you have no leg to stand on. Though I do completely understand and support the meaning behind yrou rant:)
Oh, I realise that it would probably be legal. They have armies of lawyers and lobbyists. Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?
What if his ten year old child (or neighbor kid) installs it?
Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?
well he owns the computer, and has given you permission to act on his behalf installing the software. assuming you made him aware and he did not object the responsibility is his. If you did not make him aware thus he did not agree to it, he woudl then have recourse if he were sued say by microsoft to then sue you.
What if his ten year old child (or neighbor kid) installs it?
if the child is his he will incur any responsibility for actions made by the child
If I have six PCs in my house networked together then I do own my network connection. I also own MY COPY of Windows. Nowhere on the box does it say I don't.
See excerpt from microsoft EULA below.
3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold. http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com]
Anyone remember when someone did this for Blaster and created the "Welchia" worm variant? An article on it is located here: White Hat Worm [entmag.com] and Microsoft even complained that it "generated excess network traffic". Now they are proposing to do the same thing? How are they going to make the worm spread, through vulnerabilities like Welchia did? Hope they don't use an RPC vulnerability and cause your system to crash like it did!
I guess this goes with all of the tags we've seen today on articles of "whatcouldpossiblygowrong?".
Customer: Something's wrong, my computer's not acting right. Tier1 Customer Support: Ok sir, I'd be happy to help you with that. Firstly, do you have the latest Microsoft Virus(tm) installed? Customer: Yes. Tier1 Customer Support: OK, do you have an Antivirus installed? Customer: Yes. Tier1 Customer Support: Ah, that's the problem. You'll need to remove the Antivirus in order for the Virus to function correctly. It's not safe these days to be running without the latest Virii!
... a site owner who receives one of these "worms" doesn't decide to replace the payload with something nastier. The data could of course be encrypted and checksummed, but this would need access to a central repository again, and would also mean that every machine would need a port wide open to Internet to receive and transmit such data.
We had developed a "worm" that exploited the exact same holes as several of the common ones around at the time to release on the corporate network. The point of "worm" was to deliver the fixes for those exploits. We were calling the program a "white worm" (short for White Blood Cell Worm). It was quickly shot down by security at the time.
See? This is why M$ built in all of those insecurities, so they could build viral technology to fix your computer all up for you. Don't you wish all those OSS systems could be infected now?
IANAL but it's interesting that they are conducting this research in England, at the very least this would require a change in the EULA that MSFT could be deemed an "authorised user" of the computer, from the Computer Misuse Act 1990 [hmso.gov.uk]:
3 Unauthorised modification of computer material
(1) A person is guilty of an offence if--
(a) he does any act which causes an unauthorised modification of the contents of any computer; and
(b) at the time when he does the act he has the requisite intent and the requisite kno
then we got hit with the anti-slammer worm. The slammer worm hadn't infected us, but the anti-slammer did, and wound up rebooting about 20 servers (which begs the question "why weren't they already patched?"), during the middle of the day. Pure panic mode as they started spontaneously rebooting.
I don't care who implements this solution. It was a bad idea a few years ago and it's still a bad idea today. The delivery mechanism will be compromised, and just having this type of thing out there will create new interest in creating hazardous worms/virii. I don't know about you guys, but I don't want anybody touching any of my systems. Ever! How about differences in configurations? What if I have a highly modified registry because I'm doing some advanced package testing? Then you come in and 'fix' something based on default values and it corrupts my entire system? Who's going to fix it then?
What about all the security admins who filter traffic based on pattern matches and ports? So now when we see a spike in traffic from thousands of machines going to 1433 on successive IP's we're supposed to somehow make a diagnosis on whether it's good or bad traffic? It's unnecessary overhead on the network. Whatever it's intention, auto fixing of problems and specifically designed auto replicating extra internet traffic is a bad idea.
Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modified whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.
IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with the data mining potentials of some of the more sophisticated extant work networks does worry me...
There are no friendly worms. Compromising the security of a system, REGARDLESS OF PURPOSE, is a hostile and criminal act. There is no excuse for it. In addition, an agile black hat could hijack the worm and put its own malcode in there.
Anybody proposing this nonsense just shows they do not even have elementary security knowledge and did not research the topic at all. Incompetents.
Till the script kiddies use this delivery mechanism to bypass all security and deliver their own custom payloads. Yay Microsoft! They have such good instincts when it comes to security!
Prior Art (Score:5, Informative)
Re:Prior Art (Score:5, Insightful)
Parent
Re:Prior Art (Score:5, Informative)
And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.
It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even moreso since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit, there was a patch available for months before the worm was released.
Parent
Re:Prior Art (Score:5, Interesting)
You could program the worm to spread based on a random calculation, and assign it a threshold so the traffic isn't excessive. This would give the worm a very low probability to survive.
However, a better approach IMO would be to get rid of all the Genuine Advantage and activation crack, and allow boxes using old and famous activation keys (such as the "devil's own") to get updated with Windows Update.
Parent
Re:Prior Art (Score:4, Funny)
Parent
Re:Prior Art (Score:5, Funny)
DUH. That's why my Norton Antivirus lights up when I click on those helpful "GET RID OF SPYWARE" ads?
Parent
Bad idea (Score:3, Insightful)
Re: (Score:3, Interesting)
Unfortunately, without the infrastructure in place, it's going to be much harder to ensure that nothing goes wrong.
Re: (Score:3, Funny)
Re:Prior Art (Score:5, Funny)
We can survive salt water, high EMP fields, and power outages. A computer can't handle carpet.
My money's always going to be on the meatbags.
Parent
Re:Prior Art (Score:5, Funny)
- Chapek 9 robot general
Parent
This one is different. (Score:5, Insightful)
Parent
Re:This one is different. (Score:5, Funny)
Or, even better, a way to send requests to the same domain name to physically different servers...
I think I may be on to something here.
Parent
Re: (Score:3, Funny)
Then again, it'll never catch on. Who's ever gonna download more than 2mb anyway? The tubes would get clogged!
It's OK, Comcast will block it.
Re:This one is different. (Score:4, Insightful)
Parent
Re: (Score:3, Insightful)
Did you pay any attention to the last 30 years or so of cryptography [wikipedia.org]? Any peer-to-peer patch distribution system would use digital signatures that are difficult to fake. The corresponding public keys would be distributed with the OS install or through some other secure mechanism (SSL from the main update site or similar). Any attacker that can install their own key could install a worm through that route anyway.
P2P is quite good at solving intermittent high demand distribution problems, and is quite we
Re: (Score:3, Informative)
Modern p2p protocols use cryptography (usually secure hashes, but cryptographically signed data also works) to verify that what you downloaded is authentic.
In the case of secure hashes, you only have to trust that you got the hash value from a trusted source. In other words, you have to trust the original distributor as well as any intermediate distibutor that provides the hash.
With signed data you don't even have to trust any intermediate distributor. The data
Honestly! (Score:2)
The thing is, now we can "Let" access come from a good worm, and deny access from a good worm. Also, we now have the tech to have the good worm live a lifespan, for instance, terminating itself on a timer or home connection count, etc such as to reduce the potential hole it leaves open. Or it could be a "signed" worm.
It's definately an old Idea, but one that we now have a way to make it P2P.
So, what... (Score:2)
Re: (Score:2)
I couldn't find a wikipedia link to cover this idea, but uncyclopedia [uncyclopedia.org] has one.
-mcgrew
A viral implementation of Windows Update? (Score:5, Funny)
Re:A viral implementation of Windows Update? (Score:4, Insightful)
Parent
Annnndddd... (Score:5, Insightful)
Re:Annnndddd... Well, these worm (Score:5, Funny)
Parent
Re:Annnndddd... (Score:5, Insightful)
That's right, none. There's your clue.
Parent
This is an old idea (Score:5, Insightful)
If you use a tool like this on your own network, fine, but if I find it on my own you had better cover your tracks because I'll go ballistic.
Re: (Score:2)
Re: (Score:2, Interesting)
What's more, it'll make one hell of a fun class action suit.
If they had any sense, MS would nip this one in the bud...but then, they're the ones who gave us Windows Me, so...
not exactly (Score:5, Insightful)
If I'm not mistaken according to Micro Soft's EULA you don't actually own the software they do. They are just giving you permission to use it. Though you do own the hardware the worm in question would only affect or change the Soft Ware. In addition you neither own your network connection or most likely the building you live in ( dorm, apartment, mortgaged home etc) so from a purly legal stand point you have no leg to stand on. Though I do completely understand and support the meaning behind yrou rant
Parent
Re: (Score:3, Insightful)
Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?
What if his ten year old child (or neighbor kid) installs it?
What if it's already instal
Re:not exactly (Score:4, Informative)
3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.
http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com]
Parent
My Tin foil hat part of my brain says... (Score:2, Redundant)
Just what we need... (Score:2, Insightful)
Caused Issues the last time someone tried it.. (Score:5, Insightful)
I guess this goes with all of the tags we've seen today on articles of "whatcouldpossiblygowrong?".
3-2-1 tagged "whatcouldpossiblygowrong" (Score:3, Insightful)
I can hear it already... (Score:5, Funny)
Tier1 Customer Support: Ok sir, I'd be happy to help you with that. Firstly, do you have the latest Microsoft Virus(tm) installed?
Customer: Yes.
Tier1 Customer Support: OK, do you have an Antivirus installed?
Customer: Yes.
Tier1 Customer Support: Ah, that's the problem. You'll need to remove the Antivirus in order for the Virus to function correctly. It's not safe these days to be running without the latest Virii!
NO shortage of worms (Score:2)
Stupid Idea (Score:4, Interesting)
The temptation if this became a strategy, i.e. the system can run Microsoft Worms only, would in a very short time, run Microsoft like worms.
This seems more like and admission that their systems can't be secured.
Or "Who's finger is in the dike? Dammit, thats not my dike!"
But Just hope.... (Score:2)
Thought of doing this once (Score:2)
Funny (Score:2)
Planned it All Along (Score:2)
Legality (Score:2)
IANAL but it's interesting that they are conducting this research in England, at the very least this would require a change in the EULA that MSFT could be deemed an "authorised user" of the computer, from the Computer Misuse Act 1990 [hmso.gov.uk]:
Worm Wars! (Score:2)
At one point, I liked this idea.... (Score:4, Interesting)
Extremely bad idea (Score:3, Insightful)
What about all the security admins who filter traffic based on pattern matches and ports? So now when we see a spike in traffic from thousands of machines going to 1433 on successive IP's we're supposed to somehow make a diagnosis on whether it's good or bad traffic? It's unnecessary overhead on the network. Whatever it's intention, auto fixing of problems and specifically designed auto replicating extra internet traffic is a bad idea.
nothing to see here... (Score:4, Informative)
Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modified whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.
IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with the data mining potentials of some of the more sophisticated extant work networks does worry me...
Oh yah, that'll work. (Score:4, Insightful)
http://blogs.msdn.com/ie/archive/2007/12/18/post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx [msdn.com]
(Among others) That they'll be a perfect candidate to create this type.
For that matter, I'd really like to know how someone/people who might do this, would get around that whole illegal thing.
This BS creeps up time and again.... (Score:4, Insightful)
Anybody proposing this nonsense just shows they do not even have elementary security knowledge and did not research the topic at all. Incompetents.
I can't wait... (Score:5, Funny)
Yay Microsoft! They have such good instincts when it comes to security!