Good Network Worms Made Simple
grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference where Aitel talked about a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."
Distributed processing capabilities and distributed network monitoring capabilities would be great, but who gets jurisdiction over what governments/companies are allowed to execute code on my PC?
Isn't the problem with most worms the network traffic it causes by spreading, not the payload? I'm not sure how they plan on keeping something that's designed to spread from spreading too quickly.
Bradley Holt
So how is the unsuspecting PC (user) supposed to differentiate between worms and "nematodes"? This is an interesting idea but best not let out of the lab.
Also, how does this chap expect to get these things to work on *nix environments? Does he propose "benevolent" rootkits?
-if at first you don't succeed, stay the heck away from paragliding.
Be nice to have worms that watch for machines all of a sudden opening ports that they never have before, all of a sudden opening up multicast or whatnot, or even finding that bad machine sending out bad frames on the network.
I can see a lot of flexibility with this, particularly if they are written in some sort of open source scripting language. I guess what I'm getting at is that they could be sort of like an open source distributed IDS/IDP system.
Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.
neato
It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).
Two wrongs don't make a right, but three lefts do.
Rather than constructing a framework around the idea of building "beneficial" worms that work through the same exploits as real worms, and having to respond to security problems by passing around a disinfectant worm by the same (newly discovered) vectors as the bad worms roaming your network, wouldn't it be a lot easier to fix the operating systems, networks, and the policies applied to them, such that you don't have a malicious worm problem to begin with?
11*43+456^2
... will these worms produce Spice?
So government worms can be beneficial? What government? The US? the Chinese?
"Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?
If not, then this is just a normal malware worm with added propaganda and spin.
)9TSS
Can we keep them as pets? Give them an interesting little worm GUI to show you have a worm squirming around the different computers on your network. People in the company will just love to talk about how they saw Bob pop up on their computer for a few.
In my day we called them 'ants'. An idea created by some chap at BT over here in Blighty.
"Old idea,
New name,
15 minutes of fame."
Open Source Drum Kit, LPLC deve board - mjhdesigns.com
This sounds to me like they're fighting the symptoms, not the problem. Worms can only spread successfully because of the sorry state of software security. If we fix that, we will not only get rid of worms, but also of other problems, such as targeted attacks for information theft. Using better languages to write software in can eliminate the bulk of security problems we're currently seeing. Security through diversity and not relying on known insecure software also help.
Please correct me if I got my facts wrong.
The worm IS the Spice... the Spice IS the worm
Easy, according to RFC 3514, the bad worms would set the evil bit in the IP header, and the good worms would not. The admins could probably have just filtered traffic by detecting those evil bits, but I think having a visual display of the good worms vs the bad worms would be more exciting.
Of course, sooner or later, the good worms are going to turn into bad worms themselves and then we'll all be screwed.
He who fights with monsters should see to it that he does not become a monster in the process. --Nietzsche
http://catless.ncl.ac.uk/Risks/16.28.html#subj3
Why not just run the centralized scanning tools that you mentioned? Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously. The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.
Why not just write the app to run on those in the first place? Why make it a worm? What "expensive" tools?
All you'd need is SNMP and the knowledge to set up your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.
It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.
Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.
Skinner: Well, I was wrong. The lizards are a godsend.
Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
Skinner: No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.
Lisa: But aren't the snakes even worse?
Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
Lisa: But then we're stuck with gorillas!
Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.
--> Insert Funny Sig Here
They're trying to find a secure implementation of Windows.
However, Windows seems to be impervious to this. It just lies there with slime oozing between its legs. (Paints an attractive picture of the kind of fucker who spreads viruses, worms and other creepy crawlies.)
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Exactly! But it's worse than that because the nematodes must live outside the sandbox and inside the OS at the highest level of privilege. Catching and removing malware means running at a privilege higher than that of the malicious worms. Because malware tries (and succeeds) in attacking at user and admin levels, nematodes must operate at even higher levels. Otherwise the malware can simply deactivate the nematode system (just as some current viruses deactivate antivirus apps).
But nematodes' existence at high privilege levels makes that the ultimate target for malware writers. NASTY!
Two wrongs don't make a right, but three lefts do.
This goes against my attitude that an "opt in" service is better than an "opt out" service.
wakeup Neo!
1. Learn how to code a worm ...
2. Create a "worm creation toolkit"
3. Create a GUI for the toolkit
4. Find a good buzz name such as "nematodes"
5. Feed the press with your buzz words
6. Sell your product to enterprises
7.
8. Profit!
These guys are just black hats that want to profit from a technology only useful to black hats.
Have a look at http://www.agentland.com/ for 'smart' programs that can do good.
I've heard of security experts stopping some worms which received their updates from GeoCities sites by placing an update on the GeoCities site that removed the worm and locking the original creator out from accessing the site. The worm, in effect, downloaded updates that cleaned itself.
Although this seems like a good idea, I can't imagine pushing out worms that are beneficial. Why? Because you're still leaving the security exploit in place! Unless the beneficial worm closes the exploit, and in that case why not just release a patch in a safe and controlled manner?
Are we starting to confuse patching, a process every good security administrator should be familiar with, with "good worms"?
Worms have a horrid tendency to get out of control. I wrote one to modify some settings on my LAN. In 3 months' time it had persecuted a national WAN. Fortunately it didn't try to do anything that could not be fixed reasonably quickly, and I was eventually able to kill the blighter off using self-extermination code. But a net worm is NOT A GOOD WAY OF UPGRADING. The little beasties have a habit of getting out of control, no matter what you do.
(yes I was young and stupid when I wrote the code in question and learned much from it)
A sig is placed here
To display how futile
English Haiku is
OK.. So we have some good worms which help admins. Now what if some cracker hacks into the Nematode network? He will be virtually owning the network! This can be very dangerous if an important (or even not so important) network is hacked through such an advanced mechanism.