The Myth of the "Good Worm"
Over on a 'dot net junkies' blog I spotted a resurgence of the idea of a "good worm". The good worm theory pops up every now and then, usually pushed forward by someone who sees a current storm and recognizes that the world needs a solution to this problem. This problem moves so fast that the solution must move just as fast, and a counter worm is a natural conclusion to come to. This idea was even put forth this summer in Slate:
The only way to stop MyDoom might be to out-hack the hackers. In the past, "white hat" programmers have launched viruses that expose security holes without causing destruction in an attempt to make computer users more security-conscious. Last year, one programmer took the next step. As the Blaster worm circled the globe, the do-gooder released a worm called Nachi that infiltrated the same security hole as Blaster. But Nachi wasn't a Blaster variant, it was a Blaster antidote: It erased copies of Blaster it found on PCs it invaded, then downloaded and installed a Windows update from Microsoft to secure the computer against further Blaster (and Nachi) attacks. Ingenious! There was only one problem: Nachi overloaded networks with traffic, just like Blaster had.
One thing Paul fails to note is that Nachi was worse than Blaster in terms of network destruction.
The potential for help from a good worm is nothing more than a myth. The Welchia worm, which was designed to remove the Blaster worm, caused more damage to Navy IP systems than Blaster did owing to its mechanism of detecting available hosts (ping flooding the network). Research measurements I helped take and analyze (also presented at NANOG, October 2003) show that the Nachi/Welchia worm, which appeared a week after Blaster, did little to stop Blaster. It was global filtering that helped with that.
Why are "good worms" a bad idea? Simple: we can refute many of the key points raised in this 1999 argument in their favor:
- Lack of Control. A worm almost always fails to do anything but spread as far and wide as it can. If you try to control where it goes you typically fail. The only control you have is over the vulnerable software or configuration element you're abusing in the first place. The natural argument seems to be "attack the backdoor of the worm", as the Dabber worm did (it attacked Sasser's backdoor). However, this winds up failing in light of polymorphic worms, worms which can be tweaked to change their backdoor port, and sites that filter this new "service".
- Recognition Difficulty. AV software, which is specially designed to do this sort of thing, routinely fails to detect variants. How can an amateur expect to do this?
- Resource Wasting. Look at the Netsky/Bagle/Mydoom wars from the spring of 2004 to see how messy this gets ... The Welchia example from above is another example.
- Compatibility Problems. This is actually your biggest risk. Virus and worm authors can afford to trash systems, their goal allows it. The goal of a good worm is to "do no harm" and restore order. However, this is difficult, even in well tested configurations, simply due to the complexity problem. This rarely works.
- Effectiveness. Data that we've collected (still waiting to publish it ..) shows that Nachi wasn't effective against Blaster. These things simply fail to work.
- Unauthorised Data Modification.
- Copyright and Ownership Problems. These two are related, not so much by copyright but by authorization and ownership. Despite the best of anyone's possible intentions, it's still unauthorized use and access of resources. It's against the law in many countries. It's against the law for a reason, and intentions don't matter.
- Responsibility. Ultimately the responsibility for the host lies with its manager, and responsibility for ingress and egress traffic lies with the network managers. The use of "good worms" attempts to usurp that responsibility without accepting the responsibility of fixing introduced problems. Again, did the Welchia author(s) stand up to accept responsibility for network disruptions from their creation? No. You simply haven't had reason to trust anyone to do this.
While this sort of thing may seem reasonable even in a controlled environment (i.e. a corporate network), consider this: you already have legitimate access to the systems, so use it to your advantage. Install AV agents that are constantly updated, filter inbound and outbound traffic and payloads, and be ready to disconnect disruptive systems if you can.
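As an illustration of that last point, here is a small detector (an added example, not code from the original post) that spots the Welchia-style host discovery mentioned above, a single host sending ICMP echo requests to many distinct addresses in a short window, so a network manager can filter or disconnect the offending machine. The flow-log format and the addresses are constructed for the example.

```python
# Added example: flag hosts whose ICMP echo traffic looks like a Welchia/Nachi
# style ping sweep. Flow records (constructed format): "<epoch> <src> <dst> <proto>"
from collections import defaultdict


def constructed_sample():
    """Build a constructed flow log: one sweeping host, one benign host."""
    lines = []
    # 10.0.0.5 probes 10.0.1.1 .. 10.0.1.30 within a few seconds (sweep pattern)
    for i in range(1, 31):
        lines.append(f"{1068000000 + i // 10} 10.0.0.5 10.0.1.{i} icmp-echo")
    # 10.0.0.9 pings its gateway once a minute (benign monitoring)
    for i in range(5):
        lines.append(f"{1068000000 + i * 60} 10.0.0.9 10.0.0.1 icmp-echo")
    # non-ICMP traffic is ignored by the detector
    lines.append("1068000002 10.0.0.5 10.0.1.3 tcp/135")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, proto); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, proto = parts
        flows.append((int(ts), src, dst, proto))
    return flows


def find_ping_sweeps(flows, window=10, threshold=20):
    """Return {src: peak distinct echo-request destinations seen within any
    `window`-second span} for sources whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for ts, src, dst, proto in flows:
        if proto == "icmp-echo":
            by_src[src].append((ts, dst))
    sweeps = {}
    for src, events in by_src.items():
        events.sort()
        seen = defaultdict(int)  # dst -> echo requests inside the window
        start, peak = 0, 0
        for ts, dst in events:
            seen[dst] += 1
            while events[start][0] < ts - window:  # expire old events
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            sweeps[src] = peak
    return sweeps
```

Tune `window` and `threshold` to your own network; a monitoring box that legitimately pings many hosts should be whitelisted rather than flagged.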
The good worm is actually a myth and is likely to cause more problems than it's worth. Don't buy into it. Fighting speed with speed is one thing, but don't fight fire with fire.
November 7, 2004 in counterworms, editorial
Comments
The "good" worm/virus notion is pretty darn old, but it is surprising that it crops up more and more in commentary, not just among IT pundits, but among noted security researchers. To wit, illustrating both the dated notion of the argument, as well as a noted researcher speaking, is Fred Cohen's "A Case for Benevolent Viruses" http://vx.netlux.org/lib/afc05.html
I've got to agree with Jose though, most of the 'good worms' we've seen have not helped. From personal experience, nachi/welchia caused far more harm than the rpc worms it sought to patch against; and other 'benevolent' worms (e.g. codeblue counter to codered) never seemed to get any kind of distribution so as to make it worthwhile; the fact that we still see codered infected hosts to this day, and yet even when released, codeblue occurrences were minimal is clear evidence of this.
That's not to say that better defense mechanisms aren't needed; but generally this just feels like whoever is writing it is barking up the wrong tree if their intention is to use it as a defense mechanism. For whatever reason it brings up an analogy of someone dying of thirst drinking seawater to quench it.
Posted by: grey | Nov 10, 2004 12:45:15 PM