Full Disclosure mailing list archives
Re: Benign Worms
From: Rob Lemos <lists () robertlemos com>
Date: Fri, 13 May 2005 10:01:38 -0700
k k wrote:
> I am an academic researcher. I benefited a lot during my previous
> interaction at the full disclosure list on a different topic and now, I am
> here to get some input on benign worms. There is debate surrounding whether
> releasing benign worms such as Nachi or Welchia in general is ethical or
> not. But network administrators can still create benign worms for their
> need (not necessarily Nachi or Welchia) and release them in their domain to
> patch systems.
>
> 1. Do people do that? Or at least, have you considered it?
> 2. If yes, under what conditions would you do that?
> 3. If not, what prevents you from doing that?

Adding self propagation features to any program is problematic at best. A good example of what can happen is the Nachi worm (a.k.a., MSBlast.D and Welchia), which probably caused more havoc inside corporate networks than the original MSBlast (a.k.a. Blaster worm) because of its over-aggressive attempts at propagation.

http://news.com.com/Worm+double+whammy+still+hitting+hard/2100-1002_3-5066875.html

All one has to do, in fact, is go back to the original incident where the term "worm" was first used and you can see the danger. Two researchers at Xerox PARC decided to use a worm to update experimental Ethernet drivers and ended up disrupting the entire network and crashing all their nodes. The research was done in the late 70s and the paper was published in 1982.

http://news.com.com/Year+of+the+Worm/2009-1001_3-254061.html

Another good example is the Trend Micro update snafu that caused clients to suck up 100 percent of CPU time. While the individual nodes did not infect others, cleanup involved many, many nodes, similar to cleaning up after a worm.

A better approach is an automated scanning and patch system (this is more akin to the Trend Micro--or for that matter, any antivirus company--update situation) or a system that sends out exploits for various holes and, if a system is rooted, updates that system. Then, if something goes wrong, you only have one system to shut down and fix the programs on, rather than cleaning your entire network. HP has played around with an exploit-node-type network.

http://news.com.com/HP+aims+to+throttle+Net+threats/2100-7349_3-5163633.html

Infecting other machines with even a "beneficial" worm is illegal if you are not the owner of the machine. Infecting a network that you have ownership over with a "beneficial" worm is generally a bad thing, because the network effects of self propagation are hard to gauge and small errors can easily turn into big problems.

Just wait until we start playing around with programming genes of organisms that self replicate.

http://www.securityfocus.com/news/11082

-R

--
| robert lemos |
| editor-at-large, securityfocus | rlemos () securityfocus com |
| technology journalist | mail () robertlemos com |

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/