A Good Worm Is Hard to Find
Are 'benevolent' worms the solution to the patching problem? This CTO doesn't think so.
By CSO Contributor
August 30, 2004 — CSO — In August last year, a week after the Blaster worm infected computers across the
Internet, a "benevolent" worm started spreading in its wake. Called Nachi, Blast.D and
Welchia (why can't the people who name these things pick a single name and stick with
it?), it infected computers through the same vulnerability that Blaster did. But its effects
were different. If it found Blaster it deleted it, and then it applied the relevant Microsoft
patch to close the vulnerability so Blaster could not reinfect. Then, Nachi scanned the
network for other infected machines and repaired them, too.
Blast.D represents a cool-sounding idea that we hear about again and again. Why don't
we use worms for good instead of evil? Worms are great at infecting computers, so why
don't we use them to patch vulnerabilities, update systems, and improve security?
Benevolent worms are attractive for several reasons. One, they are poetic: turning
weapons against themselves. Two, they let ethical programmers share in the fun of
designing worms
one of the nastiest online security problems: patching vulnerabilities.
Everyone knows that patching is in shambles. Users, especially home users, don't do it.
At the corporate level, the best patching techniques involve a lot of negotiation, pleading
and manual labor, things that nobody enjoys very much. From the point of view of a
software engineer, benevolent worms look like a killer app. You turn a difficult social
problem into a fun technical problem. You don't have to convince people to install
patches. You use technology to force them to do it.
And that's exactly why they're a terrible idea. Patching other people's machines without
annoying them is good; patching other people's machines without their consent is not. A
worm is not "bad" or "good" depending on its payload. Viral propagation mechanisms are
inherently bad, and giving them beneficial payloads doesn't make things better. A worm
is no tool for any rational network administrator, regardless of intent. When Nachi was
released, no company suggested that it be allowed to infect the Internet, even though its
payload was ostensibly benevolent.
A successful worm runs without the consent of the user. It has a small amount of code,
and once it starts to spread, it is self-propagating and will keep going automatically until
it's halted.
These characteristics are simply incompatible with a good software distribution
mechanism. The characteristics of good software distribution
choice, making installation flexible and universal, allowing for uninstallation
for a worse worm. Characteristics of good worms, quieter and less obvious to the
user, smaller and easier to propagate, impossible to contain



