“Friendly Worms” Facing Friendly Fire
Monday February 18, 2008 at 3:28 pm CST
Posted by Joe Telafici
When a colleague pointed me at this article about some MS research on using worm techniques to distribute patches more efficiently, I had a moment of extreme déjà vu. After all, Fred Cohen was talking about beneficial uses of viruses in the mid-80’s. But since then, we’ve seen a number of attempts that prove the old adage that the road to hell is paved with good intentions.
Back in 2001 we saw CodeGreen attempt to locate and patch machines infected with the infamous CodeRed worm. In a variety of other cases, one piece of self-propagating code (a worm) has tried to patch backdoors or vulnerabilities, but usually in a self-preservation attempt against a rival author rather than for any altruistic purpose. Examples of this include the Linux Cheese worm and a variety of Bagle and Netsky variants that attempted to remove each other during the much-publicized “Virus Wars” of 2004.
The use of self-replicating code to fix other security problems has invariably proved to be a Bad Idea in the real world because we simply do not understand the epidemiology of the complex, heterogeneous universe we call the Internet. Rather than steal his thunder, I’d invite you to check out Igor Muttik’s talk on “Good Viruses” in the Research Revealed track at RSA this April 9th, if this topic interests you. Alternatively, check out Vesselin Bontchev’s paper on this subject here.
On the other hand, if you actually read the Microsoft research at http://research.microsoft.com/~milanv/, the author is really looking at how the epidemiology of good code versus bad code works. Given that most worms are Windows-based, and that Microsoft, by definition, provides the patches that block the worms exploiting vulnerabilities in its software, this is not irrelevant. While biological analogies to computer viruses are often dismissed, this is one area where a “computer epidemiology” discipline would be most welcome.
McAfee pushes something like a petabyte (PB) of DAT signatures out in a month, so I can’t even imagine how much bandwidth Microsoft consumes delivering patches to all the Windows machines on the planet. And given how little we really understand about how information flows between computers on the internet, there’s something to be said for advancing the science of information dissemination.
Unfortunately, what most researchers concentrate on is the spread of self-propagating worms exploiting services, like Slammer, Blaster, CodeRed, Witty and other high-profile, fast-spreading worms. Today, though, we’re much more likely to see a huge variety of fairly prosaic threats that rely as much on social engineering as exploits to propagate. And this is an area where there is painfully little research.
What are the different propagation rates for Web 2.0-based threats like the spate of MySpace or FaceBook attacks over the last couple of years, versus any other web-based attack? How do regional idiosyncrasies like localized software vectors or the language of the social engineering affect threat propagation? How fast do patches or AV signatures need to be distributed to dampen the spread of threats propagating at different rates? How do different peer-to-peer (P2P) strategies compare to other mechanisms for “good code” dissemination? All of these are increasingly valid and relevant questions in the Wild West of today’s internet.
Let’s just remember that there is no “beta” version of the internet we can experiment on at scale.

February 18th, 2008 at 22:53
1) The article claims that such an approach will “minimise the amount of global traffic across the network”. This is false. The global traffic will actually increase - because of all the added probing. What will be decreased is the load on Microsoft’s servers.
2) What about those savvy net admins who don’t want buggy updates blindly pushed on their machines without them having the chance to test the impact of these updates first?
3) There is absolutely no need to implement this as self-replicating code. What can be done is build a P2P network for distribution of data (the patches). There is no need for a self-replicating program to infect other computers - the P2P software can come built into Windows. Even now Microsoft is taking the wrong approach by distributing their patches as executables (with random names, at that, and installed from random paths) - which is playing havoc with my firewall/whitelisting software.
(OK, part of the annoyance is the fault of the whitelisting software which can’t be instructed to silently allow all executables that are digitally signed by a particular producer, but still…)
4) The whole point of patching is to fix all vulnerable systems. However, a P2P-like virus has absolutely no guarantee that it will reach all those computers that centralized distribution normally reaches. This can go wrong in two ways. First, vulnerable systems might not get patched, because the virus hasn’t reached them. Second, the virus can keep probing and clogging the network, even though all systems that need patching have been patched.
Regards,
Vesselin
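As an added illustration of points 1 and 4 in the comment above (this is example code written for this page, not code from the post, the commenter, or the Microsoft research), a toy random-scan model of a "friendly worm": every patched host probes random addresses each tick, so probes to empty or already-patched addresses are wasted traffic, and probing does not stop once coverage is complete. The host count, address-space size and probe rate are constructed parameters, not measurements.

```python
import random


def simulate_friendly_worm(n_hosts, address_space, probes_per_tick, ticks, seed=1):
    """Random-scan 'friendly worm' dissemination model (constructed, not empirical).

    Hosts occupy addresses 0..n_hosts-1 of a larger address space; the rest of the
    space is empty. Starting from one seeded host, every patched host sends
    probes_per_tick probes to uniformly random addresses each tick. Returns a dict:
      coverage      - number of patched hosts after each tick
      total_probes  - all probes sent (the 'global traffic' of point 1)
      wasted_probes - probes that hit empty space or an already-patched host
      probes_after_full_coverage - traffic generated after every host was patched
                                   (the 'keeps probing and clogging' of point 4)
    """
    rng = random.Random(seed)
    patched = {0}
    coverage, total, wasted, after_full = [], 0, 0, 0
    for _ in range(ticks):
        newly = set()
        for _host in patched:
            for _ in range(probes_per_tick):
                target = rng.randrange(address_space)
                total += 1
                if len(patched) == n_hosts:
                    after_full += 1
                if target < n_hosts and target not in patched:
                    newly.add(target)
                else:
                    wasted += 1
        patched |= newly
        coverage.append(len(patched))
    return {"coverage": coverage, "total_probes": total,
            "wasted_probes": wasted, "probes_after_full_coverage": after_full}


def centralized_transfers(n_hosts):
    """Centralized distribution: one download per host, all hitting the vendor's servers."""
    return n_hosts


if __name__ == "__main__":
    result = simulate_friendly_worm(n_hosts=200, address_space=1000, probes_per_tick=3, ticks=40)
    print("centralized transfers:", centralized_transfers(200))
    print("worm-style probes    :", result["total_probes"], "of which wasted:", result["wasted_probes"])
    print("probes after full coverage:", result["probes_after_full_coverage"])
    print("coverage per tick:", result["coverage"])
```

The comparison in the output is the point: the worm-style approach moves load off the central server, but the total number of messages on the network is far larger than the one-per-host cost of centralized distribution.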
September 17th, 2008 at 22:47
[...] "Back in 2001 we saw CodeGreen attempt to locate and patch machines infected with the infamous CodeRed worm. In a variety of other cases, one piece of self-propagating code (worm) has tried to patch backdoors or vulnerabilities, but usually in a self-preservation attempt against a rival author rather than for any altruistic purpose. Examples of this include the Linux Cheese worm and a variety of Bagle and Netsky variants that attempted to remove the other during the much-publicized ‘Virus Wars’ of 2004. The use of self-replicating code to fix other security problems has invariably proved to be a Bad Idea in the real world because we simply do not understand the epidemiology of the complex, heterogeneous universe we call the Internet," Telafici commented. [...]