lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri May 13 18:00:34 2005
From: lists at robertlemos.com (Rob Lemos)
Subject: Benign Worms

k k wrote:

> I am an academic researcher.  I benefited a lot during my previous
> interaction at the full disclosure list on a different topic and now,
> I am here to get some input on benign worms.
>
> There is debate surrounding whether releasing benign worms such as
> Nachi or Welcha, in general is ethical or not.  But network
> administrators can still create benign worms for their need (not
> necessarily Nachi or Welcha) and release them in their domain to patch
> systems.
>
> 1. Do people do that?  Or at least, have you considered it?
>
> 2. If yes, under what conditions would you do that?
>
> 3. If not, what prevents you from doing that?

Adding self propagation features to any program is problematic at best.
A good example of what can happen is the Nachi worm (a.k.a., MSBlast.D
and Welchia), which probably caused more havoc inside corporate networks
than the original MSBlast (a.k.a. Blaster worm) because of its
over-aggressive attempts at propagation.

http://news.com.com/Worm+double+whammy+still+hitting+hard/2100-1002_3-5066875.html

All one has to do, in fact, is go back to the original incident where
the term "worm" was first used and you can see the danger. Two
researchers at Xerox PARC decided to use a worm to update experimental
Ethernet drivers and ended up disrupting the entire network and crashing
all their nodes. The research was done in the late 70s and the paper was
publish in 1982.

http://news.com.com/Year+of+the+Worm/2009-1001_3-254061.html

Another good example is the Trend Micro update snafu that caused clients
to suck up 100 percent of CPU time. While the individual nodes did not
infect others, cleanup involved many, many nodes, similar to cleaning up
after a worm.

A better approach is an automated scanning and patch system (this is
more akin to the Trend Micro--or for that matter, any antivirus
company--update situation) or a system that sends out exploits for
various holes and, if a system is rooted, updates that system. Then, if
something goes wrong, you only have one system to shut down and fix the
programs on, rather than cleaning your entire network.

HP has played around with an exploit-node-type network.

http://news.com.com/HP+aims+to+throttle+Net+threats/2100-7349_3-5163633.html

Infecting other machines with even a "beneficial" worm is illegal if you
are not the owner of the machine. Infecting a network that you have
ownership over with a "beneficial" worm is generally a bad thing,
because the network effects of self propagation are hard to gauge and
small errors can easily turn into big problems.

Just wait until we start playing around with programming genes of
organisms that self replicate.

http://www.securityfocus.com/news/11082

-R


-- 
| robert lemos |
| editor-at-large, securityfocus | rlemos@...urityfocus.com |
| technology journalist | mail@...ertlemos.com |

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ