Slashdot Mirror


Good Network Worms Made Simple

grabbag writes "Dave Aitel is pitching new technology to create "nematodes," or beneficial network worms for use in large businesses. The idea is to set up a new language and structure to create "strictly controlled" good worms on the fly. A research-type demo was given at the Hack in the Box conference where Aitel talked about a world where "strictly controlled" nematodes are used by ISPs, government organizations and large companies to show significant cost savings."


  1. distributed processing by WiPEOUT · · Score: 4, Insightful

    Distributed processing capabilities and distributed network monitoring capabilities would be great, but who gets jurisdiction over what governments/companies are allowed to execute code on my PC?

  2. Problem by mysqlrocks · · Score: 5, Insightful

    Isn't the problem with most worms the network traffic they cause by spreading, not the payload? I'm not sure how they plan on keeping something that's designed to spread from spreading too quickly.

    1. Re:Problem by KiloByte · · Score: 3, Insightful

      Simple. Just don't include any spreading code in the payload; send the worm from your own machines.
      As these "nematodes" are supposed to be used only by large companies and ISPs, their owner already possesses the network, and thus can apply the exploits to valid targets only.

      This is not such a bad concept -- with VERY few exceptions, nearly all networks are full to the brim with idiots. Setting policies can help, but often you have no real way to enforce them. Try telling your clients that that Weather Bug or M$ Outlook is not something they should be using... But if you use controlled exploits right, you can fix the problems without having to deal with just the symptoms.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    2. Re:Problem by leuk_he · · Score: 3, Interesting

      "nearly all networks are full to the brim with idiots."

      The same goes for system administrators. The corporate network is full of idiots who think they are great admins because they can install product x. Giving these idiots self-replicating code could cause great damage beyond your imagination. Most damaging worms are damaging because some rate limiting code is not coded correctly, or simply not understood by their creators.

      Note to BOFH who is reading this with me: no, I do not mean YOU.

  3. Intelligent managed networks? by jeffs72 · · Score: 3, Informative
    It would be cool if you could have these worms each perform certain functions (one to better manage spanning-tree for instance, so when a link fails spanning tree rebuilds faster for example) with some sort of AI, or really even a really good base line vs current activity comparison machine, to intelligently manage WANs and LANs.

    Be nice to have worms that watch for machines all the sudden opening ports that they never have before, all the sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network.

    I can see a lot of flexibility with this, particularly if they are written in some sort of open source scripting language. I guess what I'm getting at is that they could be sort of like an open source distributed IDS/IDP system.

    Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing.

    neato

    --
    This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
  4. "strictly controlled" == hubris by G4from128k · · Score: 3, Insightful
    This sounds like a great way to create malware with privileges.

    It's a very worthy goal, but they need to be extremely careful in the coding. One accidental (or malicious) tweak and these worms could overwhelm network resources, DoS the system, or damage valid systems (autoimmune disease).

    --
    Two wrongs don't make a right, but three lefts do.
  5. Wouldn't it be easier to fix things? by photon317 · · Score: 4, Interesting


    Rather than constructing a framework around the idea of building "beneficial" worms that work through the same exploits as real worms, and having to respond to security problems by passing around a disinfectant worm by the same (newly discovered) vectors as the bad worms roaming your network, wouldn't it be a lot easier to fix the operating systems, networks, and the policies applied to them, such that you don't have a malicious worm problem to begin with?

    --
    11*43+456^2
  6. Yes, but... by aurb · · Score: 5, Funny

    ... will these worms produce Spice?

    1. Re:Yes, but... by SimilarityEngine · · Score: 3, Insightful

      If so, that'd be cool - you might foresee security breaches before they even happened.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
  7. Beneficial worm?? by pesc · · Score: 4, Insightful

    So government worms can be beneficial? What government? The US? The Chinese?

    "Beneficial" according to what point of view? Does the owner of the system get any say in this? If he does, why do we need a worm instead of a normal program that can be voluntarily installed?

    If not, then this is just a normal malware worm with added propaganda and spin.

    --

    )9TSS
  8. Bob by FoxDude0486 · · Score: 3, Funny

    Can we keep them as pets? Give them an interesting little worm GUI to show you have a worm squirming around the different computers on your network. People in the company will just love to talk about how they saw Bob pop up on their computer for a few.

  9. New word, old idea. by mustafap · · Score: 3, Interesting


    In my day we called them 'ants'. An idea created by some chap at BT over here in Blighty.

    "Old idea,
    New name,
    15 minutes of fame."

    --
    Open Source Drum Kit, LPLC deve board - mjhdesigns.com
  10. Fighting the Symptoms, Not the Problem by RAMMS+EIN · · Score: 4, Insightful

    This sounds to me like they're fighting the symptoms, not the problem. Worms can only spread successfully because of the sorry state of software security. If we fix that, we will not only get rid of worms, but also of other problems, such as targeted attacks for information theft. Using better languages to write software in can eliminate the bulk of security problems we're currently seeing. Security through diversity and not relying on known insecure software also help.

    --
    Please correct me if I got my facts wrong.
  11. and here is a link by mustafap · · Score: 3, Informative
    --
    Open Source Drum Kit, LPLC deve board - mjhdesigns.com
  12. Worms infect a machine, then jump to the next. by khasim · · Score: 3, Insightful
    Why would you want to use a worm for that? A worm will install itself on each machine.

    Why not just run the centralized scanning tools that you mentioned?
    "It would be cool if you could have these worms each perform certain functions (one to better manage spanning-tree for instance, so when a link fails spanning tree rebuilds faster for example) with some sort of AI, or really even a really good base line vs current activity comparison machine, to intelligently manage WANs and LANs."

    Why would I want to infect my switches and routers with this? I already have SNMP. Spanning tree kicks in almost instantaneously.

    "Be nice to have worms that watch for machines all the sudden opening ports that they never have before, all the sudden opening up multicast or what not, or even finding that bad machine sending out bad frames on the network."

    The only way a worm would do that would be if it had infected the problem machine (in which case, why not just run a firewall on it) or if it had infected your switches/routers.

    Why not just write the app to run on those in the first place? Why make it a worm?

    "Granted you can do all these things now with a mix of expensive monitoring tools and a lot of config work with tools like ethereal and mrtg and big brother/big sister, etc. But this might be an easier way to do the same thing."

    What "expensive" tools?

    All you'd need is SNMP and the knowledge to set up your firewall correctly and a machine to receive the syslog messages from your firewall and parse them.

    It's far more efficient to have the choke points do the monitoring than to have worms running around on your network.

    Worms are only useful for spreading crap to machines you don't control. Once you have control there are so many more efficient ways to push code to them or monitor them.
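
The choke-point approach from comment 12 (firewall syslog parsed on a central host), applied to the "ports never opened before" check from comment 3, as an added example that is not part of the original thread. It assumes iptables-style `key=value` LOG lines and a hypothetical `FW-ACCEPT` log prefix; all sample lines are constructed.

```python
import re
from collections import defaultdict

KV = re.compile(r"(\w+)=(\S+)")
# Constructed sample data: iptables-style LOG lines as a syslog host would store them.
BASELINE_LOG = """\
Oct  2 09:00:01 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 PROTO=TCP SPT=40112 DPT=443
Oct  2 09:00:07 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.21 DST=10.0.0.5 PROTO=TCP SPT=40990 DPT=443
Oct  2 09:01:13 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.9 PROTO=UDP SPT=53211 DPT=53
"""
CURRENT_LOG = """\
Oct  3 09:00:02 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.5 PROTO=TCP SPT=41200 DPT=443
Oct  3 09:02:40 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.33 DST=10.0.0.5 PROTO=TCP SPT=50122 DPT=4444
Oct  3 09:02:41 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.34 DST=10.0.0.5 PROTO=TCP SPT=50300 DPT=4444
Oct  3 09:03:00 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.9 PROTO=ICMP TYPE=8 CODE=0
Oct  3 09:04:10 fw kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=10.0.0.77 PROTO=UDP SPT=5000 DPT=161
Oct  3 09:05:00 fw kernel: FW-ACCEPT IN=eth1 SRC=10.0.1.20 DST=
"""

def parse_line(line):
    """Return (server, proto, port) for an accepted flow, or None if unusable."""
    if "FW-ACCEPT" not in line:  # hypothetical log prefix set on the firewall rule
        return None
    f = dict(KV.findall(line))
    try:
        return f["DST"], f["PROTO"], int(f["DPT"])
    except (KeyError, ValueError):
        return None  # ICMP (no DPT), truncated or malformed lines

def services(lines):
    """Map each server to the set of (proto, port) pairs clients reached on it."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            seen[rec[0]].add(rec[1:])
    return seen

def new_services(baseline_lines, current_lines):
    """Services reached now that were never seen during the baseline window."""
    base, now = services(baseline_lines), services(current_lines)
    return sorted((host, proto, port)
                  for host, pairs in now.items()
                  for proto, port in pairs - base.get(host, set()))

if __name__ == "__main__":
    print(new_services(BASELINE_LOG.splitlines(), CURRENT_LOG.splitlines()))
```

A host that never appeared in the baseline (10.0.0.77 here) is reported the same way as a known host that starts answering on a new port.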
  13. Obligatory simpsons quote by HansF · · Score: 5, Funny

    Skinner: Well, I was wrong. The lizards are a godsend.
    Lisa: But isn't that a bit short-sighted? What happens when we're overrun by lizards?
    Skinner: No problem. We simply unleash wave after wave of Chinese needle snakes. They'll wipe out the lizards.
    Lisa: But aren't the snakes even worse?
    Skinner: Yes, but we're prepared for that. We've lined up a fabulous type of gorilla that thrives on snake meat.
    Lisa: But then we're stuck with gorillas!
    Skinner: No, that's the beautiful part. When wintertime rolls around, the gorillas simply freeze to death.

    --
    --> Insert Funny Sig Here