Security Worms IT

'Friendly' Worms Could Spread Software Fixes 306

An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."

  • Prior Art (Score:5, Informative)

    by orclevegam ( 940336 ) on Thursday February 14, 2008 @04:55PM (#22425596) Journal
    This is a very old idea. One of the earliest worm/viruses was actually of the "white-hat" variety. Nothing to see here, move along.
  • Re:Prior Art (Score:1, Informative)

    by Tojo-Mojo ( 707846 ) on Thursday February 14, 2008 @05:01PM (#22425692)
    A specific example was the Welchia (a "fix" for Blaster that unfortunately had many of the same symptoms):
    http://en.wikipedia.org/wiki/Welchia [wikipedia.org]
    I remember Welchia being a lot more trouble than it was worth due to its excessive attempts to spread itself.
  • Re:Prior Art (Score:5, Informative)

    by nmb3000 ( 741169 ) on Thursday February 14, 2008 @05:05PM (#22425786) Journal
    Very, very old idea.

    And still being used occasionally. The most recent one I recall is Welchia [wikipedia.org] which used the same RPC exploit as Blaster but tried to help the user by installing patches to prevent further use of the exploit.

    It's an interesting idea, but still causes some of the big collateral problems that worms cause. Welchia brought university and corporate networks to their knees because of high traffic just as well as Blaster did - perhaps even more so since it was also doing a lot of HTTP requests to Microsoft's servers. I think a better solution would be a more surefire way to make sure users get patched when such a critical vulnerability is found. That's the ironic part of the Blaster/Welchia RPC exploit: there was a patch available for months before the worm was released.
  • Welchia, anybody? (Score:1, Informative)

    by Anonymous Coward on Thursday February 14, 2008 @05:08PM (#22425868)
    I remember when I worked for Penn State University during the Blaster outbreak. Ironically enough, we fielded more machines infected with Welchia, the white-hat worm for that particular vulnerability, than we did for Blaster itself. White-hat or Black-hat, "reducing loads on servers" is irrelevant because of the strain the worms will put on the routers and switches in the middle, let alone the clogged internet-facing pipes.
  • by RyLaN ( 608672 ) on Thursday February 14, 2008 @05:10PM (#22425886)
    http://blanu.net/curious_yellow.html/ [blanu.net]

    Brandon Wiley proposed a scenario in which a future internet would be consumed by the warfare between several (black or white) worms that feature node-coordinated efforts to prevent detection and removal. For those too lazy to read the link, "Curious Yellow" is basically a modular worm in which zero-day exploits can be added as they are discovered, allowing for unchecked growth across the 'net. The worm can then work with other nodes to attack targets by dropping all their traffic, or by subtly modifying whatever they receive. The best way to fight such a worm is with fire, a similarly designed "white" worm that goes around patching hosts as quickly as it can.

    IMO, remote exploits are rare enough that I don't see this ever happening. On the other hand, with enough infected bot nodes to work with the data mining potentials of some of the more sophisticated extant work networks does worry me...
  • by Wildclaw ( 15718 ) on Thursday February 14, 2008 @05:34PM (#22426250)
    There is absolutely no need to trust your peers.

    Modern p2p protocols use cryptography (usually secure hashes, but cryptographically signed data also works) to verify that what you downloaded is authentic.

    In the case of secure hashes, you only have to trust that you got the hash value from a trusted source. In other words, you have to trust the original distributor as well as any intermediate distributor that provides the hash.

    With signed data you don't even have to trust any intermediate distributor. The data can automatically be verified to have originated from the original distributor.

    Of course, if you can't trust the original distributor, such as when you download random files from p2p, then you are on your own. But that isn't what we are talking about here.
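
The hash-based check described in the comment above, as an added example that is not part of the original post or any real client's code: a per-piece SHA-256 manifest obtained from a trusted source lets a downloader reject altered pieces from untrusted peers and refetch them elsewhere. All names, the piece size and the sample payload are assumptions constructed for illustration.

```python
import hashlib

PIECE_SIZE = 16  # tiny piece size so the constructed sample spans several pieces

def split(data, size=PIECE_SIZE):
    return [data[i:i + size] for i in range(0, len(data), size)]

def make_manifest(data):
    """Distributor side: one SHA-256 digest per piece. This list is the only
    thing the client must obtain from a trusted source."""
    return [hashlib.sha256(p).hexdigest() for p in split(data)]

def honest_peer(data):
    pieces = split(data)
    return lambda i: pieces[i]

def tampering_peer(data, bad_index):
    """Peer that serves one altered piece (every byte flipped)."""
    pieces = split(data)
    pieces[bad_index] = bytes(b ^ 0xFF for b in pieces[bad_index])
    return lambda i: pieces[i]

def fetch_verified(manifest, peers):
    """Assemble the file from untrusted peers. A piece is kept only if its
    digest matches the manifest; otherwise the next peer is asked.
    Returns (data, rejected) with rejected = [(peer_no, piece_no), ...]."""
    out, rejected = [], []
    for idx, expected in enumerate(manifest):
        for peer_no, peer in enumerate(peers):
            piece = peer(idx)
            if hashlib.sha256(piece).hexdigest() == expected:
                out.append(piece)
                break
            rejected.append((peer_no, idx))
        else:
            raise ValueError(f"no peer served a valid piece {idx}")
    return b"".join(out), rejected

# Constructed sample payload standing in for a patch file (48 bytes, 3 pieces).
PATCH = b"CONSTRUCTED-PATCH:" + bytes(range(30))

if __name__ == "__main__":
    manifest = make_manifest(PATCH)
    data, rejected = fetch_verified(
        manifest, [tampering_peer(PATCH, 1), honest_peer(PATCH)])
    print(data == PATCH, rejected)
```

The check is only as good as the manifest: if `make_manifest` output is taken from a peer instead of the distributor, whatever that peer serves will verify.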
  • by bob van hove ( 1051544 ) on Thursday February 14, 2008 @05:39PM (#22426328)
    A hash of the code is encrypted with MS' private key, which stays at HQ, the hash can only be decrypted with the public key. (google asymmetric cryptography, if you'd like more info)
  • Re:not exactly (Score:4, Informative)

    by Brigadier ( 12956 ) on Thursday February 14, 2008 @06:31PM (#22427132)

    Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?
    Well, he owns the computer, and has given you permission to act on his behalf installing the software. Assuming you made him aware and he did not object, the responsibility is his. If you did not make him aware, and thus he did not agree to it, he would then have recourse, if he were sued, say by Microsoft, to then sue you.

    What if his ten year old child (or neighbor kid) installs it?
    If the child is his, he will incur any responsibility for actions made by the child.

    If I have six PCs in my house networked together then I do own my network connection. I also own MY COPY of Windows. Nowhere on the box does it say I don't.
    See excerpt from Microsoft EULA below.

    3. RESERVATION OF RIGHTS AND OWNERSHIP. Microsoft reserves all rights not expressly granted to you in this EULA. The Software is protected by copyright and other intellectual property laws and treaties. Microsoft or its suppliers own the title, copyright, and other intellectual property rights in the Software. The Software is licensed, not sold.
    http://www.microsoft.com/windowsxp/home/eula.mspx [microsoft.com]
