'Friendly' Worms Could Spread Software Fixes
An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."
Prior Art (Score:5, Informative)
Re:Prior Art (Score:1, Informative)
http://en.wikipedia.org/wiki/Welchia [wikipedia.org]
I remember Welchia being a lot more trouble than it was worth due to its excessive attempts to spread itself.
Re:Prior Art (Score:5, Informative)
And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.
It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even more so since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit: there was a patch available for months before the worm was released.
Welchia, anybody? (Score:1, Informative)
nothing to see here... (Score:4, Informative)
Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered, allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modifying whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.
IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with, the data mining potential of some of the more sophisticated extant work networks does worry me...
Re:This one is different. (Score:3, Informative)
Modern p2p protocols use cryptography (usually secure hashes, but cryptographically signed data also works) to verify that what you downloaded is authentic.
In the case of secure hashes, you only have to trust that you got the hash value from a trusted source. In other words, you have to trust the original distributor as well as any intermediate distributor that provides the hash.
With signed data you don't even have to trust any intermediate distributor. The data can automatically be verified to have originated from the original distributor.
Of course, if you can't trust the original distributor, such as when you download random files from p2p, then you are on your own. But that isn't what we are talking about here.
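The trust difference described in the comment above, as an added example that is not part of the original thread: a hash check is only as trustworthy as whoever supplied the hash, while a signature check depends only on the original distributor's public key. A Lamport one-time signature built on SHA-256 stands in here for a production signature scheme so the code runs with the standard library alone; all function names and the sample payloads are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def H(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets; public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret per digest bit. A key must sign only one message.
    return [sk[i][bit] for i, bit in enumerate(digest_bits(msg))]

def verify_sig(pk, msg: bytes, sig) -> bool:
    bits = digest_bits(msg)
    return len(sig) == 256 and all(
        hmac.compare_digest(H(s), pk[i][bits[i]]) for i, s in enumerate(sig))

def verify_hash(data: bytes, expected_hex: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected_hex)

def demo():
    sk, pk = keygen()                      # pk is fetched once from the original distributor
    patch = b"constructed sample patch"    # constructed sample data
    sig = sign(sk, patch)
    origin_hash = hashlib.sha256(patch).hexdigest()
    # An untrusted intermediate swaps the payload and serves a hash that matches it.
    swapped = b"constructed swapped payload"
    relay_hash = hashlib.sha256(swapped).hexdigest()
    return {
        "hash_from_relay_accepts_swapped": verify_hash(swapped, relay_hash),
        "hash_from_origin_accepts_swapped": verify_hash(swapped, origin_hash),
        "sig_accepts_swapped": verify_sig(pk, swapped, sig),
        "sig_accepts_original": verify_sig(pk, patch, sig),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the first check passes for the swapped payload, which is the case where the hash itself came from the intermediate distributor.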
Cryptographic signatures? (Score:2, Informative)
Re:not exactly (Score:4, Informative)
3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.
http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com]