Results 1 to 9 of 9

Thread: 'Beneficial' Network Worms

  1. #1

    'Beneficial' Network Worms

    http://www.eweek.com/article2/0,1895,1867317,00.asp

    Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a "controlled worm" that can be used for beneficial purposes.

    Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy.
    Considering nearly every /. article eventually makes it here, sorry if this has been posted already.

    Anyone else think this sounds useless? I feel like someone is trying to make a name for themself with this concept...

    The concept includes the use of "Nematokens," servers that are programmed to only respond to requests from networks cleared for attacks and the NIL (Nematode Intermediate Language) that can be used as a specialized and simplified "assembly for worms."
    It needs it's own language?

    "We already have an engine that takes exploits and turns them into worms and does it in a way that allows you to inject control mechanisms into that. That's something that will appeal to businesses.
    If you have control of your network, why would you need to haul your patches around on an exploit? If you know where your machines are, why would you need worm methodology to find them?

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    A "nonmalicious worm" is an oxymoron IMO ...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  3. #3
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    27 October 1980, a status message virus that was accidentally made and propagated, brought ARPANET to a total standstill.

    From Here: http://www.geocities.com/lois_wolf/N...Termpaper2.htm

    The road to hell is paved with good intentions.

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I was just going to post, I thought the first worm coded was supposed to be a benificial program to automate network tasks, but got of control.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #5
    Thanks for the great link, milner, and a great read.

    I heard of this approach before, somewhere, maybe here. I still think it is a doomed concept. All that will happen is that this tool will be used to create more effective, more powerful malware. Didn't they look at the current crop of malware packages? Many have hijacked legitimate security programs (psec.exe, for one) to leverage exploits. What makes them think their product will be treated any differently?

    Aitel is trying to "change the way people think." Unfortunately, his efforts are directed at the wrong people.



    EDIT: Whoops, I wasn't watching closely.

  6. #6
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    Wasn't it the Welchia worm/virus originally created to find and patch those machines that were or could be infected by the MSBlast virus? In other words, it was intended to be a so called "good" worm. The Welchia did more harm than the MSBlast in my opinion, simply because of the enormous amount of traffic it generated and it is still out there, I see it with the home users that VPN into the office(a whole different rant entirely).
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  7. #7
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by steve.milner
    The road to hell is paved with good intentions.
    Steve sums up the whole point very nicely.

    I honestly have never HEARD of Immunity Inc. Looking at their site, it's a pretty small org. Their bios show some decent credentials, but nothing to get all atwittered over.

    This sounds a LOT like marketing hype leveraging the media sensationalism of worms to sell a half-baked idea. For example, you get some CIO with more executive than technical experience, tell him gloom and doom tales of Nimda, Code-Red, Slammer, and the like until (s)he's nearly in tears, then explain how your "new technology" can "use the same vectors of attack that these mean old nasty hacker worms use" to "fix" all of your problems.

    What about the impact of this "benevolent worm" on network performance? How can you really control a self-propogating piece of code? Yes, yes, reporting back to some centralized management server, I read the piece...but what happens when that code get's into a network that is NOT white listed...the infected client keeps asking for authorization, until told "no"? What happens if your centralized servers are DoS'd...intentionally or not...what happens if... what about when...

    No, I see way, WAY too many things that can go wrong with this. I don't believe their team subscribes to the KISS methodology, and I would have to vote a "HIGHLY DOUBTFUL" if asked if this could be effective.

    But hey, I've been wrong before. Once...or twice...maybe.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  8. #8
    Senior Member
    Join Date
    Jun 2003
    Posts
    188
    Hmm. i don't really think stopping worms with worms is a good idea. Most
    of the time it will lead to a DoS condition in the network.

  9. #9
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    I think that I was reading about this befour in time.

    I think actualy that it can be somthing, may be good, but.....

    But what will be with AV's and ASpy's?

    Best way can be is just to sniff for network for new file extension, // look for ports and changes in policy
    // too far away outside of limit

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •