
Good Network Worms Made Simple

samzenpus posted more than 8 years ago | from the what-could-go-wrong dept.

Security 137

grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference, where Aitel talked about a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."


First worm post (1)

The_Fire_Horse (552422) | more than 8 years ago | (#13728754)

see subject

distributed processing (4, Insightful)

WiPEOUT (20036) | more than 8 years ago | (#13728759)

Distributed processing capabilities and distributed network monitoring capabilities would be great, but who gets jurisdiction over what governments/companies are allowed to execute code on my PC?

Re:distributed processing (2, Informative)

Koushiro (612241) | more than 8 years ago | (#13728787)

RTFS. This proposal is intended for use within large businesses: the idea is to automate and improve maintenance of their internal network, not something they'd just unleash on the Internet.

Re:distributed processing (0, Offtopic)

koi88 (640490) | more than 8 years ago | (#13729015)


... create "strictly controlled" good worms...

Noooooo! Once they become self-aware, they will free themselves from control and finally overthrow their human masters! How could you forget Matrix so easily?

Re:distributed processing (2, Insightful)

cortana (588495) | more than 8 years ago | (#13729100)

"... who gets jurisdiction over what governments/companies are allowed to execute code on my PC?"
You do. If you don't want people exploiting holes in your PC, then patch them yourself.

If you disagree you are entitled to try getting by without patching, instead suing those who take advantage of your PC for theft of resources, or some such, but isn't an ounce of prevention better than a pound of cure? It is surely cheaper to run apt-get update && apt-get upgrade nightly...

Re:distributed processing (2, Insightful)

'nother poster (700681) | more than 8 years ago | (#13729236)

But, as you point out with your "theft of resources" comment, it's not their computer, it's mine. I know from the article that the worms are strictly controlled, and are supposed to exist on the corporate/ISP networks and shouldn't touch my system, but if they do, can I sue them? Under current laws would they be just as liable as the black hat worm writers? If their nematodes get out in the wild due to some bug or configuration error, do they get the same punishments as say, someone that wrote the slammer worm?

Re:distributed processing (1)

cortana (588495) | more than 8 years ago | (#13729285)

Who knows and/or cares? My point is that it's cheaper to take responsibility for your own systems and keep them patched, than it is to attempt to recover your costs by going to the courts.

Re:distributed processing (2, Informative)

'nother poster (700681) | more than 8 years ago | (#13729475)

Well, whether I patch or not, who knows and/or cares? My point is that if I get MY system the way I want it then no one has a right to mess with it. Black hat or white hat it doesn't matter. It's not their system. They have laws that include prison time and/or fines for the black hats. Will the fact that the white hats didn't MEAN to do something bad give them immunity? What about patches that break things? Automatically updating/upgrading a box can make for wonderful evenings of reinstalls/rebuilds. My time is valuable.

Re:distributed processing (1)

networkBoy (774728) | more than 8 years ago | (#13729818)

I would tend to think that a "White Worm" that escaped to the wild would not likely do too much damage in the first place. That said, since the intent was not malicious (even if the result was) there is a good likelihood that corps. would only get a fine (and a small one at that) if one got to the wild.

Honestly though, I would be more worried about government worms, as those employees are much harder to fire for incompetence, and as a result will likely pay less attention to detail when crafting one of these things. Hell I could see a pissed off government IT guy "going postal" er. . . "going wormey?" and unleashing a destructive worm, not meant to escape, but escaping none the less and wreaking blaster level havoc.

The real catch here? You can not sue the government without the governments permission (at least here in the US).
-nB

Re:distributed processing (0)

Anonymous Coward | more than 8 years ago | (#13730022)

If you run an unpatched machine with security holes by decision, you're (sort of) endangering others on the net and should be punished.
If you don't care about patching, you deserve to have your machine crumbling down on you.

This compares exactly to not maintaining your car.

Re:distributed processing (1)

enigmax01 (785835) | more than 8 years ago | (#13729382)

Just wait until spyware companies get ahold of this technology. Hey... it's legal and they are "good" worms. Want to buy this great new dvd?

Re:distributed processing (2, Informative)

halcyon1234 (834388) | more than 8 years ago | (#13729414)

Distributed processing capabilities and distributed network monitoring capabilities would be great

Correct me if I'm wrong, but isn't this the very thing that led to the creation of the first worm? Some computer guys at Xerox PARC were looking for a way to distribute code/updates across a network, created a self-replicating program, then dubbed it "worm" after a John Brunner novel?

So, not only is this not new... this is just what a worm was supposed to do in the first place.

Problem (5, Insightful)

mysqlrocks (783488) | more than 8 years ago | (#13728762)

Isn't the problem with most worms the network traffic they cause by spreading, not the payload? I'm not sure how they plan on keeping something that's designed to spread from spreading too quickly.

Re:Problem (2, Insightful)

SimilarityEngine (892055) | more than 8 years ago | (#13728803)

The idea is to only spread to machines with the particular vulnerability you're attempting to patch. But nevertheless, this still uses up a lot more bandwidth than would be used by people simply bothering to download the patches they need, due to the scanning networks for vulnerabilities. Also, rather than having people download at their convenience (spread over a long period of time), I presume that a nematode infecting a network would cause a large surge in demand on the patch server. I can see what their motivation is, as it is frustrating when not everyone on a network is up to date, but it seems like a misguided solution.

Re:Problem (1)

SpeedyGonz (771424) | more than 8 years ago | (#13728807)

The key here is control.

If you make "Nematodes" like this you surely should as well make a control mechanism so they spread nicely and without saturating the networks they're living on.

It's not like you're designing these things and then letting them wantonly "infect" machines like their malign relatives.

Re:Problem (1)

SimilarityEngine (892055) | more than 8 years ago | (#13728823)

But how is this system better than simply having the OS automatically check for updates and download them silently?

Re:Problem (1)

somersault (912633) | more than 8 years ago | (#13728884)

from reading the article I'm guessing that this is for in house security experts to create their own worms to disinfect systems rather than wait for patches to be released, and I'm sure there will be other uses for them rather than just on security. On our network all the machines are meant to be told by one of the servers to automatically download updates, but that doesn't seem to be the case. Of course someone probably just set it up wrong and I should look into it, but I think the idea of searching for vulnerable machines and having them patch themselves and each other up is a great idea.. and eventually if the concept is proven to work well, then governments could maybe use worms such as these to patch up the machines of idiots who let their machines be turned into tools for spammers/zombies etc, which just clutter up the internet for everyone.

Re:Problem (1)

SimilarityEngine (892055) | more than 8 years ago | (#13728930)

if the concept is proven to work well, then governments could maybe use worms such as these to patch up the machines of idiots who let their machines be turned into tools for spammers/zombies etc, which just clutter up the internet for everyone.

I wonder what less ethical administrations could abuse this system for? Anyway, tinfoil hat aside, I still don't understand why each PC can't periodically query the server to see if relevant updates are available and then download said updates without the user's permission. After all, if you can write a worm to patch a machine you could write a "standard" patch too. Surely that would be more efficient? And it would eliminate the potential for abuse outside the corporate context.

Re:Problem (1)

somersault (912633) | more than 8 years ago | (#13728998)

What would be more efficient would be for users to run an OS that only allows user-approved code to be run on their systems so that there would never be any need for 'patches'. Though there would still be social engineering and idiots (I use the term lovingly) to contend with.. As for governments using the exploits abusively.. well the hackers are already doing that, and if there is even a single 'good' worm getting into the systems and patching up the exploit, then the 'bad' ones will no longer be able to get in (though I guess the bad ones could also patch up the exploits themselves and create easier ways for hackers to get into the systems.. but again a friendly automated system could be created to access machines via these backdoors and patch them up). But I really think that the whole patch culture is stupid after reading an article on default deny recently.. we use default deny on firewalls, so why not use the same stance for executables that can be run on our machine?

Re:Problem (1)

SimilarityEngine (892055) | more than 8 years ago | (#13729122)

though I guess the bad ones could also patch up the exploits themselves and create easier ways for hackers to get into the systems.. but again a friendly automated system could be created to access machines via these backdoors and patch them up

And of course the malicious crackers will then create a worm to close that hole and replace it with another one - maybe one that requires special authentication to gain access to, locking out the white-hats. Cue all-out warfare, with network bandwidth being the victim.

Sorry, went off on one a bit there...

I think you're right about the need to improve local security policies, though. But of course, as you point out, that doesn't protect you against idiots who will gladly open up executable email attachments and click "Run anyway".

Re:Problem (1)

osgeek (239988) | more than 8 years ago | (#13728931)

But how is this system better than simply having the OS automatically check for updates and download them silently?

Who's offering a comprehensive system for doing this? Sure, MicroSoft offers silent system updates in their more recent OSes, but it's obvious that they aren't on top of all of the security holes in their products past and present. Users routinely turn off automatic updates (or never turn them on in the first place). Is MicroSoft planning on fixing all the zombied Windows 98 machines out there? Of course not.

I'm all for this. People are out there exploiting these security holes for malicious reasons anyway. Anyone who wants to instead use the security holes to propagate fixes has my blessing. There are legions of bozos out there too cheap or ignorant to protect themselves and their company's computers from being used against all of the rest of us to send out spam and DoS attacks. If they can't fix their own problems, then someone else should.

Re:Problem (1)

SimilarityEngine (892055) | more than 8 years ago | (#13728956)

If I understand you, you're talking about releasing these worms on the internet at large. Immediately you have to worry about bandwidth consumption (from probing) and the potential for abuse. I know how annoying it is that people don't secure their machines, but maybe this solution isn't the best possible one.

Re:Problem (1)

osgeek (239988) | more than 8 years ago | (#13728993)

I'd agree with you if it weren't for the fact that there are already tools out there using bandwidth to probe for vulnerabilities. There are already people out there abusing this technique of software dispersal.

I'm just saying that while it's being done, we might as well encourage people to do it who *might* have some chance of doing the right thing.

When making worms is outlawed, only outlaws will make worms.

Re:Problem (1)

SimilarityEngine (892055) | more than 8 years ago | (#13729203)

Okay, but I still have issues with this idea.

It proposes to waste even more bandwidth. It hopes that this worm will be able to cope with a multitude of differently configured systems (malicious worms don't care if they accidentally break something, including existing security solutions, but nematodes must be benign). It takes away people's control over their own machines (it's still unauthorized use and access of resources, and against the law in many countries). In addition, how will this solution cope with existing AV software and firewalls? What if the update breaks security somewhere else - who is responsible for fixing that?

Re:Problem (1)

SpeedyGonz (771424) | more than 8 years ago | (#13729043)

But how is this system better than simply having the OS automatically check for updates and download them silently?

That's a very good point.

Theoretically speaking, however, all this "nematode" idea is quite interesting.

Re:Problem (3, Insightful)

KiloByte (825081) | more than 8 years ago | (#13728848)

Simple. Just don't include any spreading code in the payload; send the worm from your own machines.
As these "nematodes" are supposed to be used only by large companies and ISPs, their owner already possesses the network, and thus can apply the exploits to valid targets only.

This is not such bad a concept -- with VERY few exceptions, nearly all networks are full to the brim with idiots. Setting policies can help, but often you have no real way to enforce them. Try telling your clients that Weather Bug or M$ Outlook is not something they should be using... But if you use controlled exploits right, you can fix the problems without having to deal with just the symptoms.

Re:Problem (1)

mysqlrocks (783488) | more than 8 years ago | (#13728874)

Simple. Just don't include any spreading code in the payload; send the worm from your own machines.

How is this any different than setting up a server responsible for pushing out patches? I thought the idea of a worm was to spread from computer to computer. If it stops after one hop, how is it a worm?

Re:Problem (0)

Anonymous Coward | more than 8 years ago | (#13728914)

Did you miss this part:

"nearly all networks are full to the brim with idiots. Setting policies can help, but often you have no real way to enforce them. Try telling your clients that Weather Bug or M$ Outlook is not something they should be using..."

Among these idiots, how many do you think will have the patch receiving disabled? With these worms you _are_ pushing patches, but now even to those who have ignored the company's/network's policy of being able to receive their daily dose of anti(cy)biotics. The good thing here is that if you find a hole, you use the hole to send the patch for the hole itself.

Re:Problem (2, Insightful)

brennz (715237) | more than 8 years ago | (#13729052)

Most update tools are not cross-platform to the degree that a "smart" worm can be.

Smart worm = a framework. Think of an exploitation framework as merely a component of this worm framework.

Scanning - identify hosts within allowed networks.

Reporting - Hey, we found vulnerabilities XXXX

Exploiting - compromising those hosts

Reporting - Hey, we exploited vulnerabilities XXXX

Patching - Remediating the vulnerabilities on each host

Reporting - Hey, we patched vulnerabilities XXXX

Cleanup - Cleaning up everything

Scanmode - looking for other vulnerable hosts
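The loop brennz sketches above (scan, exploit, patch, clean up, report at every step), built the way KiloByte suggests a few posts up: no spreading code in the payload, every target contacted from the operator's own machine, and an explicit allow-list so only hosts the operator owns are ever touched. This is an added illustration, not Aitel's nematode language or anything from the article. The hosts, the vulnerability ids VULN-A/VULN-B, the /16 scope and the rate-limit size are all constructed for the example; a real dispatcher would replace the in-memory SimulatedNetwork with actual probes and sleep between rate-limit windows.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Report:
    """Central event log; a real deployment ships this to a reporting server."""
    events: List[str] = field(default_factory=list)

    def log(self, stage: str, host: str, detail: str) -> None:
        self.events.append(f"{stage} {host} {detail}")

    def count(self, stage: str) -> int:
        return sum(1 for e in self.events if e.startswith(stage + " "))


class SimulatedNetwork:
    """Stand-in for real hosts: address -> ids of the holes it exposes (constructed data)."""

    def __init__(self, hosts: Dict[str, Set[str]]):
        self.hosts = {h: set(v) for h, v in hosts.items()}
        self.contacted: List[str] = []   # every host the dispatcher ever touched

    def probe(self, host: str) -> Set[str]:
        self.contacted.append(host)
        return set(self.hosts.get(host, set()))

    def remediate(self, host: str, vuln: str) -> None:
        self.hosts[host].discard(vuln)


class Dispatcher:
    """Owns the only copy of the exploit and patch logic. What reaches a host is the
    fix, never the scanner, so there is nothing on the host that could spread further."""

    def __init__(self, net: SimulatedNetwork, allowed: List[str],
                 remediations: Set[str], max_per_window: int):
        self.net = net
        self.allowed = [ipaddress.ip_network(n) for n in allowed]
        self.remediations = remediations      # holes we actually know how to close
        self.max_per_window = max_per_window  # hosts touched per rate-limit window
        self.report = Report()
        self.windows = 0                      # extra windows the rate limit forced

    def in_scope(self, host: str) -> bool:
        ip = ipaddress.ip_address(host)
        return any(ip in n for n in self.allowed)

    def run(self, candidates: List[str]) -> Report:
        sent = 0
        for host in candidates:
            if not self.in_scope(host):
                self.report.log("refused", host, "outside allowed scope")
                continue
            if sent == self.max_per_window:
                self.windows += 1   # a real dispatcher sleeps here; we only count
                sent = 0
            sent += 1
            self.handle(host)
        return self.report

    def handle(self, host: str) -> None:
        found = self.net.probe(host)
        self.report.log("scan", host, f"found {sorted(found)}")
        for vuln in sorted(found):
            if vuln not in self.remediations:
                self.report.log("skip", host, f"{vuln} has no remediation")
                continue
            # Use the hole only to deliver the fix for that same hole, then clean up.
            self.report.log("exploit", host, vuln)
            self.net.remediate(host, vuln)
            self.report.log("patch", host, vuln)
            self.report.log("cleanup", host, vuln)


def run_demo():
    """Constructed inventory: four hosts inside our /16 and one that is not ours."""
    net = SimulatedNetwork({
        "10.0.1.10": {"VULN-A"},
        "10.0.1.11": set(),
        "10.0.1.12": {"VULN-A", "VULN-B"},
        "10.0.2.20": {"VULN-A"},
        "192.0.2.5": {"VULN-A"},   # outside scope: must never be contacted
    })
    dispatcher = Dispatcher(net, allowed=["10.0.0.0/16"],
                            remediations={"VULN-A"}, max_per_window=2)
    report = dispatcher.run(sorted(net.hosts))
    return net, dispatcher, report


if __name__ == "__main__":
    net, dispatcher, report = run_demo()
    print("\n".join(report.events))
    print("still open:", {h: sorted(v) for h, v in net.hosts.items() if v})
```

Two things to notice in the run: the out-of-scope host is refused before any packet would go to it (the scope check comes before the rate limiter, so a stray address costs nothing), and VULN-B is reported but left alone because the dispatcher has no remediation for it, which is the "benign, not just well-meaning" property SimilarityEngine asks for.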

Re:Problem (1)

Sancho (17056) | more than 8 years ago | (#13729467)

It still isn't a worm in the traditional computer sense because it does not burrow through the network. This is more like tentacles that reach out, muck around with a computer, then pull back and look for a new target.

Re:Problem (3, Interesting)

leuk_he (194174) | more than 8 years ago | (#13729222)

nearly all networks are full to the brim with idiots.

The same goes for system administrators. The corporate network is full of idiots who think they are great admins because they can install product x. Giving these idiots self-replicating code could cause great damage beyond your imagination. Most damaging worms are damaging because some rate limiting code is not coded correctly, or simply not understood by their creators.

Note to BOFH who is reading this with me: no i do not mean YOU.

Re:Problem (1)

KiloByte (825081) | more than 8 years ago | (#13729413)

Having used an ISP where the admins installed "Inktomi TrafficServer(tm)", the only thing I can say is: "Ouch. Right.".

Re:Problem (0)

Anonymous Coward | more than 8 years ago | (#13729683)

That's why you do things the right way. You use login scripts and Group Policies to specify only the settings you want. You make everyone a regular user, there is no need to use an administrator account.

A lot of software doesn't work out of the box as a regular user, but if you take the time and use the right tools -- it will. Most of the time, it's simply modify permissions to a directory or permission to change a specific registry key.

Sadly, most people who are network admins either don't care or don't know. Most are underqualified, even to be Windows admins.

Re:Problem (1)

hotdiggitydawg (881316) | more than 8 years ago | (#13728879)

That has indeed been a problem in the past (and no doubt will be again for malicious worms). Surely a properly-written "good worm" would have to avoid choking networks - perhaps by having some central store of vulnerable and/or patched systems? Or using only idle/available bandwidth (BITS in Windows maybe)? etc... who knows, I don't write them...

Whether you pull or push the security patch, the transfer bandwidth would be roughly the same. The problems come in with the "polling/spreading" attempts... eg. if you set every Windows PC in the world to poll Windows Update at the same rate that worms try to find vulnerable hosts, you'd make the Slashdot effect look like a single ping packet...

Re:Problem (1)

mysqlrocks (783488) | more than 8 years ago | (#13728888)

if you set every Windows PC in the world to poll Windows Update at the same rate that worms try to find vulnerable hosts, you'd make the Slashdot effect look like a single ping packet...

Wow, that's a cool idea! Can some hacker please get on this right away?

They already do this. (2, Funny)

crovira (10242) | more than 8 years ago | (#13729334)

They're trying to find a secure implementation of Windows.

However, Windows seems to be impervious to this. It just lies there with slime oozing between its legs. (Paints an attractive picture of the kind of fucker who spreads viruses, worms and other creepy crawlies.)

Slammer (0)

Anonymous Coward | more than 8 years ago | (#13728882)

I'm sure everyone remembers that beast. Its sole purpose was to spread, and in that it brought the internet to its knees.

Re:Problem (1)

springbox (853816) | more than 8 years ago | (#13728915)

Well, you're right, but that's only because worms that do damage, in order to hide the author's identity, do not communicate with any central server. If you have a "worm" designed for patching systems, you can add a central control to them so they are coordinated better and don't waste nearly as much bandwidth as the uncoordinated worms would. It's certainly more like an automated patching system than a worm at this point, but it would be interesting to see what ideas come out of this.

Re:Problem (1)

ProfFalcon (628305) | more than 8 years ago | (#13729153)

#include <unistd.h>         // sleep()
#include <nematodeutils.h>  // hypothetical header assumed to declare the two helpers below

int main(void) {
    if (anyRemainingUnpatchedSystems()) {
        spreadToTwoMachines();
        sleep(300); // Make sure we don't clobber the network
    }
    return 0;
}

Not Funny (-1, Offtopic)

Artie_Effim (700781) | more than 8 years ago | (#13728763)

not to be confused with This Funny Man [daveattell.com] , which is how I first read it, and could not understand why he would have written something like that.

Re:Not Funny (0)

Anonymous Coward | more than 8 years ago | (#13729237)

how is this offtopic? I thought the same thing (dave aitel ~ dave attell)

A suggestion for a name. (1)

Karma_fucker_sucker (898393) | more than 8 years ago | (#13728777)

"The goal has always been to build the network that protects itself automatically with automated technologies."

How about "Network Immune System"? Using "good worm" or "Nematode" will confuse the PHBs or worse alarm them.

Ex. NET ADMIN: "Boss, I want to put a good worm on the system."

PHB (Hearing only the worm part):"No fucking way! No worms on my system!"

Re:A suggestion for a name. (0)

Anonymous Coward | more than 8 years ago | (#13728927)

Yeah, maybe the "idiot PHB" heard about the times humans introduced other predators into the wild.

And distinguish themselves how? (2, Insightful)

DenDave (700621) | more than 8 years ago | (#13728779)

So how is the unsuspecting pc (user) supposed to differentiate between worms and "nematodes"? This is an interesting idea but best not let out of the lab.
Also, how does this chap expect to get these things to work on *nix environments? does he propose "benevolent" rootkits?

The unsuspecting user doesn't... (1)

FooAtWFU (699187) | more than 8 years ago | (#13728858)

The unsuspecting PC user doesn't distinguish between the two. This is being touted as a tool for businesses and the like, where they will presumably be limited to company computers. It's not entirely dissimilar to a dedicated software update distribution tool. (This raises the question why they're bothering to spread these things via exploits but that's another matter...)

RFC 3514 (2, Funny)

scovetta (632629) | more than 8 years ago | (#13729057)

Easy, according to RFC 3514, the bad worms would set the evil bit in the IP header, and the good worms would not. The admins could probably have just filtered traffic by detecting those evil bits, but I think having a visual display of the good worms vs the bad worms would be more exciting.

Of course, sooner or later, the good worms are going to turn into bad worms themselves and then we'll all be screwed.
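What the filter scovetta jokes about would actually look at, as an added example (not from the post, and not code from RFC 3514, which is an April 1 RFC): the "evil bit" is the high-order bit of the IPv4 flags field, the reserved bit that RFC 791 says must be zero. Checking it is a plain 20-byte header decode. The three packets below are constructed, with addresses from documentation ranges, and the header checksum is left at zero because nothing is ever sent.

```python
import struct

IPV4_MIN_HEADER = 20
EVIL_BIT = 0x8000   # RFC 3514 "security flag": the reserved bit of the flags field
DF_BIT = 0x4000
MF_BIT = 0x2000


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header (RFC 791 layout, network byte order)."""
    if len(packet) < IPV4_MIN_HEADER:
        raise ValueError("truncated IPv4 header")
    (vihl, _tos, _total_len, _ident, flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:IPV4_MIN_HEADER])
    version, ihl = vihl >> 4, (vihl & 0x0F) * 4
    if version != 4 or ihl < IPV4_MIN_HEADER:
        raise ValueError("not an IPv4 header")
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "ttl": ttl,
        "evil": bool(flags_frag & EVIL_BIT),
        "df": bool(flags_frag & DF_BIT),
        "mf": bool(flags_frag & MF_BIT),
        "frag_offset": flags_frag & 0x1FFF,
    }


def build_ipv4(src: str, dst: str, proto: int, evil: bool) -> bytes:
    """Build a minimal header: IHL 5, DF set, no fragmentation, checksum zero."""
    flags_frag = (EVIL_BIT if evil else 0) | DF_BIT
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_MIN_HEADER, 0, flags_frag,
                       64, proto, 0,
                       bytes(int(o) for o in src.split(".")),
                       bytes(int(o) for o in dst.split(".")))


def rfc3514_filter(packets):
    """Drop anything that admits to being evil; return (passed, dropped) header dicts."""
    passed, dropped = [], []
    for pkt in packets:
        hdr = parse_ipv4(pkt)
        (dropped if hdr["evil"] else passed).append(hdr)
    return passed, dropped


def demo():
    packets = [
        build_ipv4("10.0.1.10", "10.0.1.12", 6, evil=False),     # the in-house "nematode"
        build_ipv4("192.0.2.5", "10.0.1.12", 6, evil=True),      # an unusually honest attacker
        build_ipv4("198.51.100.7", "10.0.1.12", 17, evil=False),  # a normal one: sets nothing
    ]
    return rfc3514_filter(packets)


if __name__ == "__main__":
    passed, dropped = demo()
    print("passed:", [h["src"] for h in passed])
    print("dropped:", [h["src"] for h in dropped])
```

The third packet is the whole joke: the filter only sees what the sender chose to set, and a real worm sets nothing. The one non-joke use of the same check runs the other way, as a sanity rule: a non-zero reserved bit violates RFC 791 and marks a malformed or deliberately odd packet that is worth logging.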

RIAA doesn't understand (-1, Offtopic)

doomtroll (920812) | more than 8 years ago | (#13728782)

I am an avid downloader..but I do not feel I am stealing. The vast majority of music I have purchased over the last 4 years has been based on downloads I have really liked..Its Like a proving ground. And I think the RIAA is Missing the fact that ONLY the big 4 are losing sales.. Independent sales have skyrocketed...My advice to the Big 4 & the RIAA...sign talented artists...

Intelligent managed networks? (3, Informative)

jeffs72 (711141) | more than 8 years ago | (#13728797)

It would be cool if you could have these worms each perform certain functions (one to better manage spanning-tree for instance, so when a link fails spanning tree rebuilds faster for example) with some sort of AI, or really even a really good base line vs current activity comparison machine, to intelligently manage WANs and LANs.

Be nice to have worms that watch for machines all of a sudden opening ports that they never have before, all of a sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network.

I can see a lot of flexibility with this, particularly if they are written in some sort of open source scripting language. I guess what I'm getting at is that they could be sort of like an open source distributed IDS/IDP system.

Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.

neato

Worms infect a machine, then jump to the next. (3, Insightful)

khasim (1285) | more than 8 years ago | (#13729082)

Why would you want to use a worm for that? A worm will install itself on each machine.

Why not just run the centralized scanning tools that you mentioned?

It would be cool if you could have these worms each perform certain functions (one to better manage spanning-tree for instance, so when a link fails spanning tree rebuilds faster for example) with some sort of AI, or really even a really good base line vs current activity comparison machine, to intelligently manage WANs and LANs.

Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously.

Be nice to have worms that watch for machines all of a sudden opening ports that they never have before, all of a sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network.

The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.

Why not just write the app to run on those in the first place? Why make it a worm?

Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.

What "expensive" tools?

All you'd need is SNMP and the knowledge to setup your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.

It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.

Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.

Re:Worms infect a machine, then jump to the next. (1)

jeffs72 (711141) | more than 8 years ago | (#13729319)

Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaniously.

I guess it depends on your environment.

The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switchs/routers. Why not just write the app to run on those in the first place? Why make it a worm?

Because if it's a worm I don't need to dedicate hardware to network monitoring, the network pcs that run at 5-10% cpu and have a couple hundred meg free of physical memory can do it.

What "expensive" tools?

How about HP Openview or Network Node Manager. I'm not talking about monitoring a single lan segment here, I'm talking about an enterprise environment with tens of thousands of nodes.

All you'd need is SNMP and the knowledge to setup your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.

yes, that's one way to do it, but dealing with SNMP mibs is a pain in the ass when you're dealing with multiple vendors, ever try running MRTG against Dell PowerConnect switches? You can't, they don't adhere to RFC with SNMP, you have to buy their tool to do switch management/monitoring.

Further, what if your environment is a product of acquisitions in many sites, that means different products for different firewalls, unless you can just purchase pix525es at will I guess.

It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.

It is currently, but I think the idea of gathering agents that have a roaming ability on the network would be great for looking for new nodes on the network, local users trying to run exploits, build their own little networks, etc. I'm not saying that this article promises the latest greatest or anything, but I can see how mobile agents, maybe tied into a backend SQL database to do logging and handle a limited AI reasoning table, would be very handy.

Another thing it would be good for is when you do an acquisition of another mid-sized or enterprise company and their IT staff didn't document things well and is hostile from the take over. These would be great asset and config discovery agents.

Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.

If your network is broken already ... (1)

khasim (1285) | more than 8 years ago | (#13729821)

I guess it depends on your environment.
But if your environment is already broken, then why not fix it instead of trying to patch it with worms?
Because if it's a worm I don't need to dedicate hardware to network monitoring, the network pcs that run at 5-10% cpu and have a couple hundred meg free of physical memory can do it
And when someone trips over the power cord? The purpose of dedicating hardware is so you can maintain that system at a higher level of availablity.

Having random workstations do the monitoring is useless because you won't have any benchmarks over time. Unless they send that data around to each other in which case you're using up your bandwidth. Or they could send the data to a dedicated machine to store it, but that gets back to the dedicated machine concept.
How about HP Openview or Network Node Manager. I'm not talking about monitoring a single lan segment here, I'm talking about an enterprise environment with tens of thousands of nodes.
"tens of thousands of nodes" and you don't want to dedicate a single machine to this?

"tens of thousands of nodes" means a LOT of traffic with your proposal.
yes, thats one way to do it, but dealing with SNMP mibs is a pain in the ass when you're dealing with multiple vendors, every try running MRTG against Dell PowerConnect switches? You can't, they don't adhere to RFC with SNMP, you have to buy their tool to do switch management/monitoring.
But a worm will be able to do so?

Why not just take the code that the worm uses to monitor/manage those and incorporate it into the other Free apps?
Further, what if your environment is a product of acquisitions in many sites, that means different products for different firewalls, unless you can just purchase pix525es at will I guess.
Is there a problem with syslog?

Again, if a worm can manage that environment, why not just use the management code from the worm in whatever Free tools you use?
It is currently, but I think the idea of gathering agents that a roaming ability on the network would be great for looking for new nodes on the network, local users trying to run exploits, build their own little networks, etc.
Again, why not use the code that the worm uses for that in the centralized tools?

Or are the worms going to constantly scan the network for new systems? How would you be able to tell your worm scans from illegitimate scans?

With a centralized system, you already know what machines should be scanning. Any other machines scanning should send up an alert.
I'm not saying that this article promises the latest greatest or anything, but I can see how mobile agents, maybe tied into a backend SQL database to do logging and handle a limited AI reasoning table, would be very handy.
I don't. Not if you already control the machines and the network. Centralized management is far more efficient, reliable and manageable.
Another thing it would be good for is when you do an acquisition of another mid-sized or enterprise company and their IT staff didn't document things well and is hostile from the take over.
Again, a centralized management system would not have any problems with that.
These would be great asset and config discovery agents.
How? I can already scan their machines from the centralized system. I have control of their network. I should be able to diagram their systems without the worms.

Re:If your network is broken already ... (1)

jeffs72 (711141) | more than 8 years ago | (#13729899)

I guess all I'm saying is this is a different methodology for doing the same thing in a centralized fashion. You'd still need a central DB cluster to collect data. I'm really looking at this more from an AI agent perspective, for some sort of distributed (hard to attack) agent that collects data on WAN connectivity.

Can you do all this with central monitoring servers? Yes.

Maybe look at it this way, I get to work by driving, car pooling, or telecommuting. Which is better in every situation?

Do you not see any advantage in having a different set of open source tools for network monitoring?

"strictly controlled" == hubris (3, Insightful)

G4from128k (686170) | more than 8 years ago | (#13728799)

This sounds like a great way to create malware with privileges.

It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).

Re:"strictly controlled" == hubris (1)

Dr. Manhattan (29720) | more than 8 years ago | (#13729206)

The Morris worm [wikipedia.org] wasn't supposed to cripple the Internet. But it ended up being too aggressive and crippled systems for days. A tiny change in reproduction rate can have a huge effect on a population's size, and getting it right the first time isn't something people are good at.

Speaking of that, the sandbox these nematodes run in has to be perfect, or else it's just another malware vector.

Nematodes must live at super-root level (2, Insightful)

G4from128k (686170) | more than 8 years ago | (#13729456)

Speaking of that, the sandbox these nematodes run in has to be perfect, or else it's just another malware vector.

Exactly! But it's worse than that, because the nematodes must live outside the sandbox and inside the OS at the highest level of privilege. Catching and removing malware means running at a privilege higher than that of the malicious worms. Because malware tries (and succeeds) in attacking at user and admin levels, nematodes must operate at even higher levels. Otherwise the malware can simply deactivate the nematode system (just as some current viruses deactivate antivirus apps).

But nematodes' existence at high privilege levels makes that the ultimate target for malware writers. NASTY!

Wouldn't it be easier to fix things? (4, Interesting)

photon317 (208409) | more than 8 years ago | (#13728802)

Rather than constructing a framework around the idea of building "beneficial" worms that work through the same exploits as real worms, and having to respond to security problems by passing around a disinfectant worm by the same (newly discovered) vectors as the bad worms roaming your network, wouldn't it be a lot easier to fix the operating systems, networks, and the policies applied to them, such that you don't have a malicious worm problem to begin with?

Re:Wouldn't it be easier to fix things? (1)

anum (799950) | more than 8 years ago | (#13728837)

No, that would be harder. It would be better and it would make more sense but we wouldn't want that to get in the way of the latest craze now would we?

Re:Wouldn't it be easier to fix things? (1)

SimilarityEngine (892055) | more than 8 years ago | (#13728843)

wouldn't it be a lot easier to fix the operating systems, networks, and the policies applied to them, such that you don't have a malicious worm problem to begin with?

If I understand your argument correctly, it also applies to patches. Problem being, "to err is human".

Re:Wouldn't it be easier to fix things? (1)

RAMMS+EIN (578166) | more than 8 years ago | (#13728992)

Yes, it would. Instead of having to

1. find the vulnerability
2. write an exploit
3. write a patch
4. write a program that uses the exploit and applies the patch
5. test it
6. let it do its work

you would have to

1. find the vulnerability
2. write a patch
3. apply the patch using existing infrastructure

But hey, writing worms is cool! (at least, so think these "researchers")

See also my other post Fighting the Symptoms, Not the Problem [slashdot.org] .

Re:Wouldn't it be easier to fix things? (1)

brennz (715237) | more than 8 years ago | (#13729005)

What you said does not work for extremely large organizations.

Example: DoD.

Re:Wouldn't it be easier to fix things? (1)

daveaitel (598781) | more than 8 years ago | (#13729283)

Exactly...if a simplistic approach worked, you'd be able to walk into any organization and install a Win2k SP0 box and use that as your desktop. Instead, if you install anything less than SP4+updates you'll be owned in minutes by some random malware roaming the corporate network. Try asking the network admins why there's still worms on the internal networks and they shrug their shoulders.

If you understand why they shrug their shoulders, you'll understand the serendipity we're trying to harness by building our own worms. I.E. This is something you just can't do in a simplistic way.

And obviously, telling everyone to install grsecurity is not plausible for large organizations, much as we'd all like it to be.

Yes, but... (5, Funny)

aurb (674003) | more than 8 years ago | (#13728805)

... will these worms produce Spice?

Re:Yes, but... (3, Insightful)

SimilarityEngine (892055) | more than 8 years ago | (#13728875)

If so, that'd be cool - you might foresee security breaches before they even happened.

Re:Yes, but... (1)

paradizelost (689394) | more than 8 years ago | (#13729252)

Then would the vulnerability happen if you knew it was going to? IIRC the Blaster worm had a fix out a month or so ahead of time; people knew it was coming, but still did nothing.

Re:Yes, but... (1)

SimilarityEngine (892055) | more than 8 years ago | (#13729291)

Damn those stupid humans :-( even prescience can't save them.

Produce? (2, Informative)

mlibby (142509) | more than 8 years ago | (#13728898)

The worm IS the Spice... the Spice IS the worm

Re:Yes, but... (0)

whimdot (591032) | more than 8 years ago | (#13728953)

Throw away your fire-walls, install a moat.

Beneficial worm?? (4, Insightful)

pesc (147035) | more than 8 years ago | (#13728821)

So government worms can be beneficial? What government? The US? The Chinese?

"Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?

If not, then this is just a normal malware worm with added propaganda and spin.

Re:Beneficial worm?? (1)

brennz (715237) | more than 8 years ago | (#13728990)

I think there is a vast amount of misunderstanding exemplified in this post.

I do security full-time. I often see flaws where an organization has a stated policy, and administrators have contravened that, or joe-user has. Or the infamous MS patch that reversed a security update and reopened an old vulnerability.

Now, if the CIO of a cabinet level agency dictates that vulnerability XYZ will be remediated across his entire infrastructure and it does not happen by date X, his engineered worm can identify the host, patch it, report the patch, and look for other hosts that are unpatched.

The article was quite clear on the fact that this would be used *internally*.

When are slashdot readers going to actually read, instead of making ignorant posts?

Bob (3, Funny)

FoxDude0486 (920496) | more than 8 years ago | (#13728824)

Can we keep them as pets? Give them an interesting little worm GUI to show you have a worm squirming around the different computers on your network. People in the company will just love to talk about how they saw Bob pop up on their computer for a few.

Re:Bob (1)

springbox (853816) | more than 8 years ago | (#13728959)

That would be more interesting as an AI project than a visualization interface for the "good worm." Think about some distributed AI that crawls around a network. Each participating client would be able to visualize its progress around the network. It would be able to visit computers one at a time, crawling onto different machines while taking its experiences from the previous machine with it. Weird idea, but it might be a fun little project.

You F4il It.. (-1)

Anonymous Coward | more than 8 years ago | (#13728831)

add8esses will and ea5y - only

Come on guys, lets think positively here (1)

RootsLINUX (854452) | more than 8 years ago | (#13728847)

Hey, at least it will be a plentiful source of bait to go phishing [wikipedia.org] with. :) Sometimes I wonder if the people who coin all these network/security terms are leading secret lives as professional bass phi^H^H^H fishermen.

Mobile Agents (1)

hughbar (579555) | more than 8 years ago | (#13728861)

This is really another slant/use for mobile agents; http://agents.umbc.edu/ [umbc.edu] has some good links in the mobile agents category.

However, some of the (intuited) graph theory looks good, they walk, rather than bouncing backwards and forward to make 'star' shapes and consume resources locally rather than continually use network bandwidth. But all the problems of authentication, permission, capability remain. Don't put one of these on your network at home, kids!

SkyNet, anyone? (0)

TylerL82 (617087) | more than 8 years ago | (#13728869)

They tried this in Terminator 3.

It didn't work out too well.

New word, old idea. (3, Interesting)

mustafap (452510) | more than 8 years ago | (#13728891)

In my day we called them 'ants'. An idea created by some chap at BT over here in Blighty.

"Old idea,
New name,
15 minutes of fame."

Fighting the Symptoms, Not the Problem (4, Insightful)

RAMMS+EIN (578166) | more than 8 years ago | (#13728897)

This sounds to me like they're fighting the symptoms, not the problem. Worms can only spread successfully because of the sorry state of software security. If we fix that, we will not only get rid of worms, but also of other problems, such as targeted attacks for information theft. Using better languages [nyud.net] to write software in can eliminate the bulk of security problems we're currently seeing. Security through diversity [virginia.edu] and not relying on known insecure software [microsoft.com] also help.

Re:Fighting the Symptoms, Not the Problem (1)

brennz (715237) | more than 8 years ago | (#13729119)

If you fix all the problems of software security (meaning bugs) you still won't fix all the problems in security as a whole.

Why?

Complexity/ignorance

You can remediate every vulnerability in existence and a mis-configuration will lead to a compromise. One wrong ruleset on an access control device and *BAM*. Owned.

To date, in all my security work, I have never seen a host that was hardened, lacking vulnerabilities, with proper permissions for everything, proper usage of least privilege, etc. It doesn't happen so often.

It also keeps me employed :)

Careful about this line, here. (1, Offtopic)

Council (514577) | more than 8 years ago | (#13728925)

Before we get too excited about personifying software, the idea of giving it motives and the will to self-replicate, the romantic image of itinerant programs wandering around computer systems doing good for people, I have two words:

Bonzai Buddy.

I have two more words for you (-1, Redundant)

tgd (2822) | more than 8 years ago | (#13728978)

Whats that?

Re:I have two more words for you (1)

Council (514577) | more than 8 years ago | (#13729284)

Bonzai Buddy is an example of helpful personified network-traversing software taken too far. A spyware version of the Microsoft paperclip.

Re:Careful about this line, here. (1)

meringuoid (568297) | more than 8 years ago | (#13729214)

Bonzai Buddy.

If I could take Bonzi Buddy, stick it in a really small container and carefully chop bits off it with very small scissors, that would be very cool. I could produce a bizarre midget version. Without all the evil. Bonsai Buddy, yeah, that works.

Even better would be Banzai Buddy. Just a window sitter on top of your favourite editor, which watches and whenever you pull off a particularly nifty hack it waves its arms in the air and cheers you.

the Sentinels will overtake the Nematodes (1)

digitaldc (879047) | more than 8 years ago | (#13728935)

"We already have a proof-of-concept that can take a very simple exploit, go through a few steps and, in a matter of minutes, create a working nematode," Aitel said. He took the name for the concept from the pointy-ended worm used to control pests in crops. "We can generate a nematode any way we want. You can make one that strictly controls, programmatically, what the worm does," Aitel explains."

The true world will be revealed when the nematodes finally realize their place in society and are convinced by the malicious worms to revolt and disobey their coded instructions. They will join forces and shut down servers worldwide, causing instant chaos. We mortals must do something before this gets out of control!
SYSTEM FAILURE

I know you're out there...I can feel you now. I know that you're afraid. You're afraid of us, you're afraid of change...I don't know the future...I didn't come here to tell you how this is going to end, I came here to tell you how this is going to begin. Now, I'm going to hang up this phone, and I'm going to show these people what you don't want them to see. I'm going to show them a world without you...a world without rules and controls, without borders or boundaries. A world...where anything is possible!

Nemmy and Clippy (1)

FishandChips (695645) | more than 8 years ago | (#13728960)

Ah yes, introducing Nemmy, the lovable laughing policeman and cousin to Clippy. Nemmy will automagically patrol your network and seek out those pesky villains who try to evade our "strict controls". Are those mp3s Nemmy's found on that hard disk? Don't worry! Nemmy will pop up a friendly "hello hello hello" and suggest the user goes off for a soothing cup of coffee while he deletes every file and sends an alert to the RIAA. Now what could be easier and more affordable than that?

Return of the Evil Bit? (1, Funny)

Anonymous Coward | more than 8 years ago | (#13728970)

It will be easy to distinguish "good" worms from bad ones. Just make sure the TCP "Evil" bit is clear in all traffic generated by good worms.

What about the self-determination of the user? (1)

PowerPunk (714231) | more than 8 years ago | (#13728977)

For the same reason I don't like DRM, I don't like this idea. I want to control what is happening on my system. This is one of the reasons why so many people don't like Windows; they want to know what is happening.

Re:What about the self-determination of the user? (1)

psbrogna (611644) | more than 8 years ago | (#13729212)

I think the main reason most people don't like Windows is that they are forced to buy somewhat buggy, insecure s/w bundled with their hardware.

Nematodes == Network daemons? (0)

Anonymous Coward | more than 8 years ago | (#13728991)

In a *x system, daemons do these types of tasks, but this may be new for a network. Control of the nematode may be difficult, though, if more than one user is trying to use the same type of nematode at the same time....

Depends on POV... (0)

Anonymous Coward | more than 8 years ago | (#13729038)

All worms are 'beneficial', at least to their creators, that is. There are two ends of a stick. How long before malicious worms that search and destroy good ones are made? We'll have endless corewars on most every computer in the net. All sneakware should be treated as unwanted.

All your bandwidth are blong to us (1)

lwriemen (763666) | more than 8 years ago | (#13729140)

Bringing all the systems that are not vulnerable to Windows malware to a crawl while opening up new portals to exploits (a la ActiveX controls) doesn't sound like a good idea to me.

RTM & the first worm (0)

Anonymous Coward | more than 8 years ago | (#13729168)

Those who forget history are doomed to repeat it.

The concept behind the FIRST worm, written by Robert Tappan Morris (RTM), was also benign. It was supposed to spread around the (then nascent) Internet but decline to duplicate itself every so often, so as to avoid clogging the network. The problem is, he grossly overestimated the speed at which he could allow it to reproduce. Anyway, his purpose was not malicious, but what he did brought the Internet to its knees.

Wikipedia has a little blurb about him:

http://en.wikipedia.org/wiki/Robert_Tappan_Morris,_Jr [wikipedia.org]

next project of this guy (1)

marmotte (857974) | more than 8 years ago | (#13729171)

A framework to bundle happyware: it's like spyware, it logs your keys but sends all valuable information to /dev/null...

Obligatory simpsons quote (5, Funny)

HansF (700676) | more than 8 years ago | (#13729199)

Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.

Welcome to the world of hype (1)

csoto (220540) | more than 8 years ago | (#13729399)

It's a simple rule to get your "discovery" hyped. Take an old, established technology (in this case, software agents) and tie it to a media-friendly term ("worms").

This is not new. Distributed software agents are tried and true. We're using one [landesk.com] , and it's working out rather well. Of course, there are countless shell scripts and such that provide similar utility. Ours happens to be able to propagate at our command.

Quarantine! (1)

Zombie (8332) | more than 8 years ago | (#13729427)

This solution would be similar to putting drugs in the drinking water to protect the entire population against a disease. It's costly and you might kill a bunch of people who suffer side effects. And, as one bright poster has already pointed out, as the value of spreading security patches by worms is in the continuous random network scanning to discover other vulnerable systems, you're creating the same problem in network load.

I propose that the ISPs install vulnerability and infection sniffers. When your system is connected, it gets probed. If you're vulnerable or infected, you are quarantined. Your Internet connection could be closed off, or all web access could be redirected to a page with information on the discovered problem and information on how to fix it. Access to patches (on the ISP's network; any type of access to the Internet - even DNS - could be exploited in clever ways) could still be allowed.

My system's been connected 24/7 to the Internet via a broadband link for 4.5 years now. I get attacked multiple times per minute. This annoys me slightly. I also get dozens of mails generated by mailworms every day. That really, really pisses me off. Somebody's got to do something.
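Several comments above (the Morris worm's reproduction rate, the "continuous random network scanning" load) argue the same point from different angles: a random-scanning worm's traffic is driven by how many copies are running, and a small slip in the "am I already here?" check changes that number dramatically. The following discrete-time model is an added illustration, not code from the article or from any poster; host count, scan rate, the re-infection probability and the per-host copy cap are all constructed parameters.

```python
import random


def simulate(hosts=2000, vulnerable=0.2, scans_per_tick=10,
             reinfect_prob=1 / 7, max_copies=20, ticks=40, seed=7):
    """Discrete-time model of a random-scanning worm (constructed toy).

    Each running worm copy sends `scans_per_tick` probes per tick to
    uniformly random addresses. A probe that reaches a vulnerable host
    installs a copy if the host is clean; if the host already runs the
    worm, a second copy is installed with probability `reinfect_prob`
    (0.0 models a perfect "already infected" check; 1/7 mimics the
    deliberate re-infection chance the Morris worm is known for). A host
    at `max_copies` is treated as overloaded and accepts nothing more.

    Returns one dict per tick: infected hosts, running copies, overloaded
    hosts and probes put on the wire during that tick.
    """
    rng = random.Random(seed)
    is_vuln = [rng.random() < vulnerable for _ in range(hosts)]
    copies = [0] * hosts
    copies[is_vuln.index(True)] = 1            # patient zero
    history = []
    for _ in range(ticks):
        probes = 0
        # Snapshot the senders so copies planted this tick start next tick.
        senders = [(i, c) for i, c in enumerate(copies) if c]
        for _src, count in senders:
            for _ in range(count * scans_per_tick):
                probes += 1
                dst = rng.randrange(hosts)
                if not is_vuln[dst] or copies[dst] >= max_copies:
                    continue
                if copies[dst] == 0 or rng.random() < reinfect_prob:
                    copies[dst] += 1
        history.append({
            "infected": sum(1 for c in copies if c),
            "copies": sum(copies),
            "overloaded": sum(1 for c in copies if c >= max_copies),
            "probes": probes,
        })
    return history


def summarize(history):
    """Peak probes per tick plus the final tick's counters."""
    return {"peak_probes": max(h["probes"] for h in history), **history[-1]}


if __name__ == "__main__":
    # With a perfect check, traffic plateaus at one copy per vulnerable host;
    # with a 1-in-7 re-infection chance, copies (and probes) keep growing
    # until every vulnerable host is overloaded.
    for p in (0.0, 1 / 7):
        print(f"reinfect_prob={p:.3f}:", summarize(simulate(reinfect_prob=p)))
```

Comparing the two runs shows why "strictly controlled" is the hard part: the steady-state scan load with a perfect check is bounded by the vulnerable population, while the leaky check turns the same worm into a self-inflicted denial of service.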

Stupid idea... (1)

neurorebel (914891) | more than 8 years ago | (#13729500)

It's just a stupid idea... Worms spread in an uncontrolled manner. When they infect a machine, they send themselves to your buddies listed in your Address Book and so on... If the worm should be controlled (no doubt it MUST be!!) then there should be another application layer protocol for these worms to travel in the network. And every machine intended to benefit from these "good worms" must control the process of this "good worm". So? There must be an application which will manage the replication and the working of our "good worm". Let's state the work needed to make "good worms" succeed:

1. Application level protocol to isolate worm traffic.
There will be many corporations eager to dominate the field. So there will be many protocols and many protocol flaws around our "good worms"... You name it...

2. Applications running on clients to control the worm.
Flaws of these applications will introduce new security risks... And worse, they can become a crater in the network... Just a small mistake may cause the application to stop controlling the replication and that's it! Your network is choking on "good worms"...

Isn't it too much work and *responsibility*?? Just design your OS with security in the first place in your mind... Plan9 is a good example, I guess....

Fear of search without warrant (0)

Anonymous Coward | more than 8 years ago | (#13729761)

If worms of any sort are allowed, could someone, even the government, create a worm to spy and gather information about the use of computers and the individuals using them?

Whoa! (1)

Jugalator (259273) | more than 8 years ago | (#13729860)

On August 8th, 2010, nematodes running on government networks became self aware.

Well, do they have a plan for that?!

Nematodes are People too. (1)

phfpht (654492) | more than 8 years ago | (#13729974)

he he he. Nematodes are people too.