
Full Disclosure mailing list archives

Re: Benign Worms
From: Rob Lemos <lists () robertlemos com>
Date: Fri, 13 May 2005 10:01:38 -0700

k k wrote:

> I am an academic researcher.  I benefited a lot during my previous
> interaction at the full disclosure list on a different topic and now,
> I am here to get some input on benign worms.
>
> There is debate surrounding whether releasing benign worms such as
> Nachi or Welchia, in general, is ethical or not.  But network
> administrators can still create benign worms for their need (not
> necessarily Nachi or Welchia) and release them in their domain to patch
>
> 1. Do people do that?  Or at least, have you considered it?
>
> 2. If yes, under what conditions would you do that?
>
> 3. If not, what prevents you from doing that?

Adding self propagation features to any program is problematic at best.
A good example of what can happen is the Nachi worm (a.k.a., MSBlast.D
and Welchia), which probably caused more havoc inside corporate networks
than the original MSBlast (a.k.a. Blaster worm) because of its
over-aggressive attempts at propagation.


All one has to do, in fact, is go back to the original incident where
the term "worm" was first used and you can see the danger. Two
researchers at Xerox PARC decided to use a worm to update experimental
Ethernet drivers and ended up disrupting the entire network and crashing
all their nodes. The research was done in the late 70s and the paper was
published in 1982.


Another good example is the Trend Micro update snafu that caused clients
to suck up 100 percent of CPU time. While the individual nodes did not
infect others, cleanup involved many, many nodes, similar to cleaning up
after a worm.

A better approach is an automated scanning and patch system (this is
more akin to the Trend Micro--or for that matter, any antivirus
company--update situation) or a system that sends out exploits for
various holes and, if a system is rooted, updates that system. Then, if
something goes wrong, you only have one system to shut down and fix the
programs on, rather than cleaning your entire network.

HP has played around with an exploit-node-type network.


Infecting other machines with even a "beneficial" worm is illegal if you
are not the owner of the machine. Infecting a network that you have
ownership over with a "beneficial" worm is generally a bad thing,
because the network effects of self propagation are hard to gauge and
small errors can easily turn into big problems.

Just wait until we start playing around with programming genes of
organisms that self replicate.



| robert lemos |
| editor-at-large, securityfocus | rlemos () securityfocus com |
| technology journalist | mail () robertlemos com | 

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
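
The trade-off argued in the message above, between a self-propagating patcher and a single central scanning and patch system, worked through as an added example (not part of the original post). It assumes uniform random probing and uses constructed numbers: 2,000 unpatched hosts in a /16, with every scanning host sending the same number of probes per tick.

```python
import math

def self_propagating(vulnerable, addresses, rate, max_ticks=10_000):
    """Mean-field model: every patched host probes `rate` random addresses per tick.
    Returns [(patched_hosts, probes_this_tick), ...]."""
    patched, history = 1.0, []
    for _ in range(max_ticks):
        probes = patched * rate          # aggregate load grows with the patched count
        history.append((patched, probes))
        unpatched = vulnerable - patched
        if unpatched < 0.5:
            break
        # Chance that a given unpatched host is hit by at least one probe this tick.
        p_hit = 1.0 - (1.0 - 1.0 / addresses) ** probes
        patched += unpatched * p_hit
    return history

def central_scanner(addresses, rate):
    """One management host sweeps the range in order.
    Returns (ticks_to_finish, probes_per_tick); the load never exceeds `rate`."""
    return math.ceil(addresses / rate), rate

def compare(vulnerable, addresses, rate):
    """Summarise completion time and peak network load for both designs."""
    worm = self_propagating(vulnerable, addresses, rate)
    ticks, central_load = central_scanner(addresses, rate)
    return {
        "worm_ticks": len(worm),
        "worm_peak_probes": max(p for _, p in worm),
        "central_ticks": ticks,
        "central_peak_probes": central_load,
    }

if __name__ == "__main__":
    # Constructed scenario: 2,000 unpatched hosts in a /16 (65,536 addresses).
    for rate in (50, 500):  # 500 models a tenfold mistake in the rate setting
        print(rate, compare(2000, 65536, rate))
```

The self-propagating design finishes in far fewer ticks, but its peak load is the per-host rate multiplied by every patched host, so a tenfold mistake in the rate lands on the network two thousand times over, while the central scanner's load stays at whatever one host sends.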
