Good Network Worms Made Simple
grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference where Aitel talked about a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."
Distributed processing capabilities and distributed network monitoring capabilities would be great, but who gets jurisdiction over what governments/companies are allowed to execute code on my PC?
Isn't the problem with most worms the network traffic it causes by spreading, not the payload? I'm not sure how they plan on keeping something that's designed to spread from spreading too quickly.
Bradley Holt
How about "Network Immune System"? Using "good worm" or "Nematode" will confuse the PHBs or worse alarm them.
Ex. NET ADMIN: "Boss, I want to put a good worm on the system."
PHB (Hearing only the worm part):"No fucking way! No worms on my system!"
Evil people don't think they're evil. - George Lucas, Making of Ep III
So how is the unsuspecting PC (user) supposed to differentiate between worms and "nematodes"? This is an interesting idea but best not let out of the lab.
Also, how does this chap expect to get these things to work on *nix environments? does he propose "benevolent" rootkits?
-if at first you don't succeed, stay the heck away from paragliding.
Be nice to have worms that watch for machines all of a sudden opening ports that they never have before, all of a sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network.
I can see a lot of flexibility with this, particularly if they are written in some sort of open source scripting language. I guess what I'm getting at is that they could be sort of like an open source distributed IDS/IDP system.
Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.
neato
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).
Two wrongs don't make a right, but three lefts do.
Rather than constructing a framework around the idea of building "beneficial" worms that work through the same exploits as real worms, and having to respond to security problems by passing around a disinfectant worm by the same (newly discovered) vectors as the bad worms roaming your network, wouldn't it be a lot easier to fix the operating systems, networks, and the policies applied to them, such that you don't have a malicious worm problem to begin with?
11*43+456^2
... will these worms produce Spice?
So government worms can be beneficial? What government? The US? the Chinese?
"Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?
If not, then this is just a normal malware worm with added propaganda and spin.
)9TSS
Can we keep them as pets? Give them an interesting little worm GUI to show you have a worm squirming around the different computers on your network. People in the company will just love to talk about how they saw Bob pop up on their computer for a few.
Hey, at least it will be a plentiful source of bait to go phishing with. :) Sometimes I wonder if the people who coin all these network/security terms are leading secret lives as professional bass phi^H^H^H fishermen.
Hero of Allacrost, a FOSS RPG for *NIX/*BSD/OS X/Win
The unsuspecting PC user doesn't distinguish between the two. This is being touted as a tool for businesses and the like, where they will presumably be limited to company computers. It's not entirely dissimilar to a dedicated software update distribution tool. (This raises the question why they're bothering to spread these things via exploits but that's another matter...)
The World Wide Web is dying. Soon, we shall have only the Internet.
This is really another slant/use for mobile agents; http://agents.umbc.edu/ has some good links in the mobile agents category.
However, some of the (intuited) graph theory looks good, they walk, rather than bouncing backwards and forward to make 'star' shapes and consume resources locally rather than continually use network bandwidth. But all the problems of authentication, permission, capability remain. Don't put one of these on your network at home, kids!
Let's go, evil be to him who evil thinks! (On y va, qui mal y pense!)
They tried this in Terminator 3.
It didn't work out too well.
I'm sure everyone remembers that beast. Its sole purpose was to spread, and in that it brought the internet to its knees.
In my day we called them 'ants'. An idea created by some chap at BT over here in Blighty.
"Old idea,
New name,
15 minutes of fame."
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
This sounds to me like they're fighting the symptoms, not the problem. Worms can only spread successfully because of the sorry state of software security. If we fix that, we will not only get rid of worms, but also of other problems, such as targeted attacks for information theft. Using better languages to write software in can eliminate the bulk of security problems we're currently seeing. Security through diversity and not relying on known insecure software also help.
Please correct me if I got my facts wrong.
The worm IS the Spice... the Spice IS the worm
Before we get too excited about personifying software, the idea of giving it motives and the will to self-replicate, the romantic image of itinerant programs wandering around computer systems doing good for people, I have two words:
Bonzai Buddy.
xkcd.com - a webcomic of mathematics, love, and language.
"We already have a proof-of-concept that can take a very simple exploit, go through a few steps and, in a matter of minutes, create a working nematode," Aitel said. He took the name for the concept from the pointy-ended worm used to control pests in crops. "We can generate a nematode any way we want. You can make one that strictly controls, programmatically, what the worm does," Aitel explains.
The true world will be revealed when the nematodes finally realize their place in society and are convinced by the malicious worms to revolt and disobey their coded instructions. They will join forces and shut down servers worldwide, causing instant chaos. We mortals must do something before this gets out of control!
SYSTEM FAILURE
I know you're out there...I can feel you now. I know that you're afraid. You're afraid of us, you're afraid of change...I don't know the future...I didn't come here to tell you how this is going to end, I came here to tell you how this is going to begin. Now, I'm going to hang up this phone, and I'm going to show these people what you don't want them to see. I'm going to show them a world without you...a world without rules and controls, without borders or boundaries. A world...where anything is possible!
He who knows best knows how little he knows. - Thomas Jefferson
Ah yes, introducing Nemmy, the lovable laughing policeman and cousin to Clippy. Nemmy will automagically patrol your network and seek out those pesky villains who try to evade our "strict controls". Are those mp3s Nemmy's found on that hard disk? Don't worry! Nemmy will pop up a friendly "hello hello hello" and suggest the user goes off for a soothing cup of coffee while he deletes every file and sends an alert to the RIAA. Now what could be easier and more affordable than that?
Those who pass by do not come back again (Las qué passoun tournoun pas maï)
It will be easy to distinguish "good" worms from bad ones. Just make sure the TCP "Evil" bit is clear in all traffic generated by good worms.
For the same reason I don't like DRM, I don't like this idea. I want to control what is happening on my system. This is one of the reasons why so many people don't like Windows; they want to know what is happening.
In a *nix system, daemons do these type of tasks, but this may be new for a network. Control of the nematode may be difficult though if more than one user is trying to use the same type of nematode at the same time....
All worms are 'beneficial', at least to their creators, that is. There are two ends of a stick. How long before malicious worms that search and destroy good ones are made? We'll have endless corewars on most every computer in the net. All sneakware should be treated as unwanted.
Easy, according to RFC 3514, the bad worms would set the evil bit in the IP header, and the good worms would not. The admins could probably have just filtered traffic by detecting those evil bits, but I think having a visual display of the good worms vs the bad worms would be more exciting.
Of course, sooner or later, the good worms are going to turn into bad worms themselves and then we'll all be screwed.
He who fights with monsters should see to it that he does not thereby become a monster. --Nietzsche
http://catless.ncl.ac.uk/Risks/16.28.html#subj3
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
Why not just run the centralized scanning tools that you mentioned? Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously. The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.
Why not just write the app to run on those in the first place? Why make it a worm? What "expensive" tools?
All you'd need is SNMP and the knowledge to setup your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.
It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.
Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.
Bringing all the non-vulnerable to Windows malware systems to a crawl while opening up new portals to exploits (ala ActiveX controls), doesn't sound like a good idea to me.
Those who forget history are doomed to repeat it.
The concept behind the FIRST worm, written by Robert Tappan Morris (RTM), was also benign. It was supposed to spread around the (then nascent) Internet but decline to duplicate itself every so often, so as to avoid clogging the network. The problem is, he grossly overestimated the speed at which he could allow it to reproduce. Anyway, his purpose was not malicious, but what he did brought the Internet to its knees.
Wikipedia has a little blurb about him:
http://en.wikipedia.org/wiki/Robert_Tappan_Morris
a framework to bundle happyware, it's like spyware, it logs your keys but sends all valuable information to /dev/null...
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
--> Insert Funny Sig Here
how is this offtopic? I thought the same thing (dave aitel ~ dave attell)
Bonzai Buddy is an example of helpful personified network-traversing software taken too far. A spyware version of the Microsoft paperclip.
xkcd.com - a webcomic of mathematics, love, and language.
They're trying to find a secure implementation of Windows.
However, Windows seems to be impervious to this. It just lies there with slime oozing between its legs. (Paints an attractive picture of the kind of fucker who spreads viri, worms and other creepy crawlies.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
It's a simple rule to get your "discovery" hyped. Take an old, established technology (in this case, software agents) and tie it to a media-friendly term ("worms").
This is not new. Distributed software agents are tried and true. We're using one, and it's working out rather well. Of course, there are countless shell scripts and such that provide similar utility. Ours happens to be able to propagate at our command.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
I propose that the ISPs install vulnerability and infection sniffers. When your system is connected, it gets probed. If you're vulnerable or infected, you are quarantined. Your Internet connection could be closed off, or all web access could be redirected to a page with information on the discovered problem and information on how to fix it. Access to patches (on the ISP's network; any type of access to the Internet - even DNS - could be exploited in clever ways) could still be allowed.
My system's been connected 24/7 to the Internet via a broadband link for 4.5 years now. I get attacked multiple times per minute. This annoys me slightly. I also get dozens of mails generated by mailworms every day. That really, really pisses me off. Somebody's got to do something.
Exactly! But it's worse than that because the nematodes must live outside the sandbox and inside the OS at the highest level of privilege. Catching and removing malware means running at a privilege higher than that of the malicious worms. Because malware tries (and succeeds) in attacking at user and admin levels, nematodes must operate at even higher levels. Otherwise the malware can simply deactivate the nematode system (just as some current viruses deactivate antivirus apps).
But nematodes' existence at high privilege levels makes that the ultimate target for malware writers. NASTY!
Two wrongs don't make a right, but three lefts do.
It's just a stupid idea... Worms spread in an uncontrolled manner. When they infect a machine, they send themselves to your buddies listed in your Address Book and so on... If the worm should be controlled (no doubt it MUST be !!) then there should be another application layer protocol for these worms to travel in the network. And every machine intended to benefit from these "good worms" must control the process of this "good worm". So ? There must be an application which will manage the replication and the working of our "good worm". Let's state the needed work to make "good worms" succeed;
... You name it...
1. Application level protocol to isolate worm traffic.
There will be many corporations eager to dominate the field. So there will be many protocols and many protocol flaws around our "good worms"
2. Applications running on clients to control the worm
Flaws of these applications will introduce new security risks... And worst, they can become a crater in the network... Just a small mistake may cause the application to stop controlling the replication and that's it ! Your network is choking on "good worms"...
Isn't it too much work and *responsibility* ?? Just design your OS with security at the first place in your mind... Plan9 is a good example I guess....
If worms of any sort are allowed, could someone even the government create a worm to spy and gather information about use of computers and individuals using them?
Having random workstations do the monitoring is useless because you won't have any benchmarks over time. Unless they send that data around to each other, in which case you're using up your bandwidth. Or they could send the data to a dedicated machine to store it, but that gets back to the dedicated machine concept. "tens of thousands of nodes" and you don't want to dedicate a single machine to this?
"tens of thousands of nodes" means a LOT of traffic with your proposal. But a worm will be able to do so?
Why not just take the code that the worm uses to monitor/manage those and incorporate it into the other Free apps? Is there a problem with syslog?
Again, if a worm can manage that environment, why not just use the management code from the worm in whatever Free tools you use? Again, why not use the code that the worm uses for that in the centralized tools?
Or are the worms going to constantly scan the network for new systems? How would you be able to tell your worm scans from illegitimate scans?
With a centralized system, you already know what machines should be scanning. Any other machines scanning should send up an alert. I don't. Not if you already control the machines and the network. Centralized management is far more efficient and reliable and manageable. Again, a centralized management system would not have any problems with that. How? I can already scan their machines from the centralized system. I have control of their network. I should be able to diagram their systems without the worms.
On August 8th, 2010, nematodes running on government networks became self aware.
Well, do they have a plan for that?!
Beware: In C++, your friends can see your privates!
he he he. Nematodes are people too.
Wouldn't it be nice to have some starlings in the Central Park Shakespeare garden?
I'll bet we could use some rabbits here in Australia.
Wow, this kudzu would be great for stablizing soil.
These "nematodes" could really be useful.
"How to Do Nothing," kids activities, back in print!
"We should make a gun that only kills bad people."
Yeah... let's automate/simplify remote execution of code under the guise that it'll only be "used for good" and "by the right people." 8P
Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
The second, current, vaccine for Polio was a live virus vaccine (the first one was a dead virus vaccine). That is, it was a weakened Polio virus that was easy for the immune system to fight off.
What also happens is that the weakened vaccine is communicable. Some children who are not vaccinated catch the weakened virus from the children that are vaccinated, and the vast majority of them are also inoculated.
But a very small minority of children who "catch" the weakened virus don't develop immunity fast enough to avoid actually contracting polio. This adverse effect was weighed against the benefit of the positive effects and the powers-that-be decided to accept the tradeoff.
Now we're entering a new era of the same situation with a live-virus flu vaccine, the chief benefit of which is that it is a nose-spray instead of a shot. People who don't want a shot of dead virus can get a nose spray of weakened virus.
But we also have a larger population of immune-compromised people--transplant patients and HIV patients, who are vulnerable to weakened viruses.
So, how does this analogy relate to the "beneficial worm" in cyberspace?
A beneficial worm would (a) only attack "vulnerable" systems, and (b) some of those "vulnerable" systems would actually get sick, offsetting the beneficial effect.
Who gets to decide whether the benefits outweigh the adverse effects?
This goes against my attitude that an "opt in" service is better than an "opt out" service.
The worm infects a machine, installs the payload and then the payload does the work.
For a worm to run, the machines have to be open to attack by other machines on the network. In a correctly designed network, the workstations would be better secured. Only the machines that the sysadmin has designated would be allowed to install software on the workstations.
All you're doing is deploying the tools to random machines from random machines on the network rather than centralizing them at one location.
At the worst, you have more code installed on more machines doing a lot more scans yet not providing more data than the centralized system.
At best, you have more code on a couple random machines doing more scans yet not providing more data than the centralized system.
With a centralized system, you get all the benefits of your concept, without the negatives of random machines installing software on each other, all for the cost of a dedicated box. Given that you can pick up a really cheap box for $200 (USD) I don't see the value of your approach.
Well, I get why you wouldn't currently see a lot of value, but take these 'worms' and get a year of open source guys playing with them and I think we'll see this morph a bit and add a lot of flexibility.
Wake up, Neo!
i think cfengine solves more of the problems than these "nematodes".
The payload will be the same application that can be run on a dedicated machine.
All you're recommending is that instead of a secured network with a centralized management box, the network will be unsecured and a worm will install the same apps on random machines.
The transport mechanism is as "flexible" as it is going to get. Any machine, anywhere on your network can be infected if you let it.
Which just leaves the worm's payload which is the monitoring applications and improving them will not result in any increases for your worm scenario that will not also be available for the dedicated box scenario.
It all comes down to one simple concept:
$200 dedicated box
vs
unsecured workstations and code being randomly installed on them.
That's one way to describe it. I always described it as an early experiment in human interfaces created by people who watched too much Max Headroom. I do have to admit that the fictional human interface where you talk to your computer and an animated face replies is an interesting idea. However, the primitive real-world attempts at this leave much to be desired. Some examples include Bonzai Buddy, Bob, Clippy (aka paperclip), and (the best of the bunch) Verbot.
Bonzai Buddy was, as you said, a spyware version of the Microsoft paperclip. I never used Bob. Clippy was amusing, but ultimately annoying. Verbot looks interesting, but I don't see a use.
And for the non-Windows people out there, *NIX has its own characters. Microsoft Office is available for the Mac. OpenOffice has a character that shows up from time to time. Someone even made one of these for vi. It's called Vigor. Vigor claims to have all the problems and twice the bugs.
Request a Linux Shockwave player here: http://www.macromedia.com/support/email/wishform/
1. Learn how to code a worm ...
2. Create a "worm creation toolkit"
3. Create a GUI for the toolkit
4. Find a good buzz name such as "nematodes"
5. Feed the press with your buzz words
6. Sell your product to enterprises
7.
8. Profit!
These guys are just black hats that want to profit from a technology only useful to black hats.
Have a look at http://www.agentland.com/ for 'smart' programs that can do good.
In the olden days, a network of 100 computers could easily benefit from a worm warning users about something, repairing files, etc. etc. etc. But now... a 1,000,000 computer network could have issues with a good worm. Traffic, incorrect execution, accidents, etc.
That was actually the original idea behind worms, which, like so many other things, came from Xerox PARC
I've heard of security experts stopping some worms which received their updates from geocity sites by placing an update on the geocity site that removed the worm and locking the original creator out from accessing the site. The worm, in effect, downloaded updates that cleaned itself.
Although this seems like a good idea, I can't imagine pushing out worms that are beneficial. Why? Because you're still leaving the security exploit in place! Unless the beneficial worm closes the exploit, and in that case why not just release a patch in a safe and controlled manner?
Are we starting to confuse patching, a process every good security administrator should be familiar with, with "good worms"?
Not sure how you get to your scenario from large businesses using worms internally.
Don't they ever watch SpongeBob?
But anything that can do, a well-behaved cleanly-managed patch server can do much better and you don't have to
I work for a Large Company which probably has 20,000 PCs managed by the IT department, running various versions of Windows. While the IT department are Clumsy and Evil, and any time they begin to resemble a competent organization their budget gets cut back again, they do run a number of patch server systems, most of which work much more reliably than they used to, and they run servers in most of the offices to handle printers and such. The anti-virus stuff gets queued from an internal server and Just Works, the monthly Microsoft Patch Tuesday stuff loads itself and runs, and if there are other problems that require us to install patches immediately that the central patch-tracking system can't forcefeed our machines, they'll send out an email telling everybody to run the install script.
If they didn't have a big honking network with many users working from home much of the time, they could cut their network load by downloading any software installs to local print servers, but it's usually not critical. A central server hits each user once across the WAN; a worm-based update has the possibility of sending just one copy to each office and only shoving lots of data to each machine once, but more realistic behaviour is that once something gets infected, it starts splattering all over the WAN and lots of machines in each office start splattering each other, so it's really not going to reduce WAN traffic significantly, and may crash LAN traffic.
And if you want to run a scanner-based system and don't want to hit everybody across the WAN, and don't have conveniently deployed servers everywhere, you can have a designated user in each building run the application, such as the Department Secretary or Local IT Grunt. It's much much cleaner than virusing everybody.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Worms have a horrid tendency to get out of control. I wrote one to modify some settings on my LAN. In 3 months time it had persecuted a national WAN. Fortunately it didn't try to do anything that could not be fixed reasonably quickly, and I was eventually able to kill the blighter off using self extermination code. But a net worm is NOT A GOOD WAY OF UPGRADING. The little beasties have a habit of getting out of control, no matter what you do.
(yes I was young and stupid when I wrote the code in question and learned much from it)
A sig is placed here
To display how futile
English Haiku is
...will these nematodes be created by Intelligent Design, or Natural Selection?
OK.. So we have some good worms which help admins. Now what if some cracker hacks into the Nematode network? He will be virtually owning the network! This can be very dangerous if an important (even not so important) network is hacked through an advanced mechanism.
...creating a good worm that spreads like mad and automatically patches every "infected" PC with all patches available for his OS and software, so that it's always perfectly up to date. This would instantly fix most problems with viri and evil worms.
;))
of course i would recommend adding a plugin for it that also kills the IE and replaces it by firefox.
or it even kills windows at all and completely replaces it by linux.
i guess the normal user would not even see the difference when some of those lame windows-imitating windows manager themes would be used.
Any sufficiently advanced intelligence is indistinguishable from stupidity.