Home page logo

fulldisclosure logo Full Disclosure mailing list archives

RE: Bening Worms (Cosmin Stejerean)
From: "Stejerean, Cosmin" <cstejere () cti depaul edu>
Date: Sat, 14 May 2005 11:42:18 -0500

I think you are going a little overboard with this kind of response. The guy
had a couple of questions about "benign worms." If you are going to provide
some useful feedback then go ahead and do it. If you are going to write an
insulting email you should probably think twice about it.

More comments about specific parts of your email. If you don't care for the
comments you should read the last part of the email as it is a little more
relevant to the topic.

k k wrote:

I am an academic researcher.  ...

One so well-versed in the area of which you enquire and with such a 
relevant academic record that you hide behind a Hotmailaddress?

Yeah, right...

I often write emails from my gmail address when posting to lists for various
reasons. One, I don't want SPAM in my work inbox. Second, it makes it clear
that my views are my views alone and it usually prevents questions such as 

"Do these Purdue academics share your views of 'benign worms?'  "

...  I benefited a lot during my previous 
interaction at the full disclosure list on a different topic and now, I
here to get some input on benign worms.

There are no benign worms.

I'm not denying that it is not actually possible to design such, but 
once you've put _all_ the safety checks and other requirements in place 
to fulfill any vaguely sane and "widely acceptable" notion of benign 
worm" you'll have designed something massively more complex and 
convoluted than any existing patch management system.

That was the only intelligent part of your email. Everything else you should
have left out.

If you don't think that's the case then you are not much of 
_researcher_, "academic" or not.  If you don't believe that, please 
sensibly refute (in the true academic sense) a few of the arguments 
against the possibility of "good viruses" in Vesselin Bontchev's papers 
on the topic.

You would have looked a little more intelligent if instead of insulting him
you would have wrote something like "Please read Vesselin Bontchev's papers
on the topic of benign viruses"

There is debate surrounding whether releasing benign worms such as Nachi
Welcha, ...

You know, I've heard them called an awful lot of things but the word or 
notion of "benign" was never one of them...

Are you _sure_ you're an academic?


You must really hang out in very limited circles.  The only folk in 
favour of such releases are miscreants with severely impaired ethical 
development.  Most of them still get kicks pulling wings off flies.

I don't think that was at all necessary.

...  But network administrators can still 
create benign worms for their need (not necessarily Nachi or Welcha) and 
release them in their domain to patch systems.

1. Do people do that?  Or at least, have you considered it?

   Please see the last part of this email for an answer to this question.

2. If yes, under what conditions would you do that?

   You would probably only do something like this in case of an emergency.
In most cases there are a lot better ways to patch management than spreading
a worm of your own.

3. If not, what prevents you from doing that?

   There is a lot of risk associated with this. Exploits can be unstable and
crash production machines or have other undesirable side effects which in
most organizations can cost you your job.

Do these Purdue academics share your views of "benign worms"?  Might 
their intellectual and academic achievements in their collective 
decades of research in closely relevant areas more than slightly 
outweigh your twenty minutes musing over a term paper topic?

Like I mentioned before, this is why he probably used his hotmail address.
If he thought he was 100% right he wouldn't have emailed the list. He was
trying to get feedback on his idea without needing to be insulted.


I would like to make a few comments about the topic. The idea to use
"aggressive" techniques to "patch" computers is not new at all. This is
usually only done to patch computers that are infected. It is one of the
concepts of evil honey pots (http://cansecwest.com/csw04/csw04-Oudot.pdf) to
attack attackers. If the attacker is a computer infected with a worm that
you can write a program that will detect this attack and then attack back in
order to remove the initial worm. This has been done in practice with Honeyd
to fight the Blaster worm. You can read about it at 


You can also read more about active defense at

If I recall properly Stanford also used similar techniques to get rid of MS
Blast on their networks especially from laptop machines that were infected.
They had no administrative control over those machines yet the machines
posed a threat and the threat had to be eliminated.

Perhaps the best example of how this was used and why it should be done this
way unless it's an emergency is the problem with the Xerox researches in
1978 that used worms to automate tasks on their network. The code was
corrupted and over 200 machines crashed.

Nachi can also crash machines and although it has a good intention it is not
generally welcomed by anyone on their machines. If you are going to do such
a thing make sure you limit the worm to only scan machines in your IP range
and set a time/date when the worm will expire and remove itself. Make sure
you test it well in a lab before you release it on your network.

Cosmin Stejerean

Attachment: smime.p7s

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]