'Friendly' Worms Could Spread Software Fixes

An anonymous reader writes "Microsoft researchers are working out the perfect strategies for worms to spread through networks. Their goal is to distribute software patches and other friendly information via virus, reducing load on servers. This raises the prospect of worm races — deploying a whitehat worm to spread a fix faster than a new attacking worm can reach vulnerable machines."

Annnndddd...

[RandoX]

What makes this any more legal than a black hat worm?

This is an old idea

[sm62704]

It keeps resurfacing every now and then. Get this through your thick skulls: It's my computer. Keep your God damned hands off of it. I don't care how good your intentions are, you have no right to infect MY computer with anything at all, good or bad.

If you use a tool like this on your own network, fine, but if I find it on my own you had better cover your tracks because I'll go ballistic.

Just what we need...

[weak*]

... a system that will further reduce transparency regarding MS updates...

Re:Prior Art

[deadzaphod]

Very, very old idea. The first worm of this type was called "Reaper" and was created to kill the "Creeper" worm. http://www.viruslist.com/en/viruses/encyclopedia?chapter=153310937 [viruslist.com]

Caused Issues the last time someone tried it..

[ironwill96]

Anyone remember when someone did this for Blaster and created the "Welchia" worm variant? An article on it is located here: White Hat Worm [entmag.com] and Microsoft even complained that it "generated excess network traffic". Now they are proposing to do the same thing? How are they going to make the worm spread, through vulnerabilities like Welchia did? Hope they don't use an RPC vulnerability and cause your system to crash like it did!

I guess this goes with all of the tags we've seen today on articles of "whatcouldpossiblygowrong?".

3-2-1 tagged "whatcouldpossiblygowrong"

[sd.fhasldff]

I'm surprised this hasn't been slapped with the "whatcouldpossiblygowrong" tag yet.... seems like most stories are, pretty much regardless of content.

Bad idea

[EmbeddedJanitor]

MS already sat on AUtopatcher because they said that they lost control of the distribution and a malicious patch could slip in. With the worm thing it is a bazzillion times worse. So many more potential points of infection.

Re:Annnndddd...

[sm62704]

How many people went to prison for the Sony XCP rootkit?

That's right, none. There's your clue.

This one is different.

[Bananatree3]

First off this wouldn't be some whitehat's haphazard cure worm like the Welchia worm. This worm would proabably be signed by microsoft, made by microsoft. from TFA:

Because no central server needs to provide and coordinate all the downloads, Software patches that spread like worms could be faster and easier to distribute because no central server must bear all the load.

This is more P2P patch distribution, which is not a bad idea.

not exactly

[Brigadier]

If I'm not mistaken according to Micro Soft's EULA you don't actually own the software they do. They are just giving you permission to use it. Though you do own the hardware the worm in question would only affect or change the Soft Ware. In addition you neither own your network connection or most likely the building you live in ( dorm, apartment, mortgaged home etc) so from a purly legal stand point you have no leg to stand on. Though I do completely understand and support the meaning behind yrou rant :)

Extremely bad idea

[Zen]

I don't care who implements this solution. It was a bad idea a few years ago and it's still a bad idea today. The delivery mechanism will be compromised, and just having this type of thing out there will create new interest in creating hazardous worms/virii. I don't know about you guys, but I don't want anybody touching any of my systems. Ever! How about differences in configurations? What if I have a highly modified registry because I'm doing some advanced package testing? Then you come in and 'fix' something based on default values and it corrupts my entire system? Who's going to fix it then?

What about all the security admins who filter traffic based on pattern matches and ports? So now when we see a spike in traffic from thousands of machines going to 1433 on successive IP's we're supposed to somehow make a diagnosis on whether it's good or bad traffic? It's unnecessary overhead on the network. Whatever it's intention, auto fixing of problems and specifically designed auto replicating extra internet traffic is a bad idea.

Re:A viral implementation of Windows Update?

[Anonymous Coward]

Clippy worm: "I see you have Ubuntu installed, would you like to purchase and install Windows Vista?"

Re:This one is different.

[KublaiKhan]

And what, exactly, is stopping someone from forging an MS cert on their own worm (or, simpler, giving the appearance of a legit one--y'know, like bank website phishing), exploiting the worm dispersal mechanism, and rootkitting everyone who's stupid enough to let this worm in?

Oh yah, that'll work.

[Secret Rabbit]

Because M$ is soooo very good at normal updates:

http://blogs.msdn.com/ie/archive/2007/12/18/post-install-issues-with-ms07-069-ie6-on-xpsp2.aspx [msdn.com]

(Among others) That they'll be a perfect candidate to create this type.

For that matter, I'd really like to know how someone/people who might do this, would get around that whole illegal thing.

Re:not exactly

[zulater]

Just because you may not own the building or the network you still have a basic right to privacy.
If you want to argue that route you can still prove that you own the router, network cable, processor etc. so you still own the last few feet they are trespassing on. Heck renters still have a right to use lethal force against an intruder is many states. So there is a legal leg to stand on.
Regardless privacy is the main concern.

This BS creeps up time and again....

[gweihir]

There are no friendly worms. Compromising the security of a system, REGARDLESS OF PURPOSE, is a hostile and criminal act. There is no excuse for it. In addition, an agile black hat could hijack the worm and put its own malcode in there.

Anybody proposing this nonsense just shows they do not even have elementary security knowledge and did not research the topic at all. Incompetents.

Re:not exactly

[sm62704]

Oh, I realise that it would probably be legal. They have armies of lawyers and lobbyists.

Now, I keep asking this question about EULAS: tell me, now. Mike buys a naked, no OS computer and a boxed set of Windows Vista Home, and asks me to install it for him. If I'm the one who agrees to the EULA, how is he legally held to that EULA? He didn't agree to anything, I did. And unless he's signed "power of attorney" to me, well?

What if his ten year old child (or neighbor kid) installs it?

What if it's already installed on a computer he gets at Best Buy? I ask this out of ignorance because I haven't bought a whole computer since 1987. You have to agree to a contract AFTER buying the computer?

How can this hold up in court?

If I have six PCs in my house networked together then I do own my network connection. I also own MY COPY of Windows. Nowhere on the box does it say I don't.

You can't put a contract in a new car's glove box saying "if you open this glove box you are held to the following conditions..."

I wish a real lawyer would explain to me how in the hell anybody thinks a EULA is binding on anybody. It makes no sense at all.

Re:This is an old idea

[mkoko]

Or breaks a more critical computer, say at a hospital. Once the possibility of human loss is recognized, this idea should (hopefully) be tossed aside.

Re:This one is different.

[evanbd]

Did you pay any attention to the last 30 years or so of cryptography [wikipedia.org]? Any peer-to-peer patch distribution system would use digital signatures that are difficult to fake. The corresponding public keys would be distributed with the OS install or through some other secure mechanism (SSL from the main update site or similar). Any attacker that can install their own key could install a worm through that route anyway.

P2P is quite good at solving intermittent high demand distribution problems, and is quite well matched to this.

Re:Bad idea

[Lord Balto]

Not to mention the ability it would give Microsoft to "upgrade" your software whether you wanted it or not. This would be a bad idea from a company you could actually trust. From Microsoft? Horrendous.