October 6th, 2005 03:22 PM
'Beneficial' Network Worms
Considering nearly every /. article eventually makes it here, sorry if this has been posted already.
Convinced that businesses will use nonmalicious worms to cut down on network security costs, a high-profile security researcher is pushing ahead with a new framework for creating a "controlled worm" that can be used for beneficial purposes.
Dave Aitel, vulnerability researcher at New York-based Immunity Inc., unveiled a research-level demo of the "Nematode" framework at the Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good worms will become an important part of an organization's security strategy.
Anyone else think this sounds useless? I feel like someone is trying to make a name for themself with this concept...
It needs its own language?
The concept includes the use of "Nematokens," servers that are programmed to only respond to requests from networks cleared for attacks and the NIL (Nematode Intermediate Language) that can be used as a specialized and simplified "assembly for worms."
If you have control of your network, why would you need to haul your patches around on an exploit? If you know where your machines are, why would you need worm methodology to find them?
"We already have an engine that takes exploits and turns them into worms and does it in a way that allows you to inject control mechanisms into that. That's something that will appeal to businesses."
October 6th, 2005 03:34 PM
A "nonmalicious worm" is an oxymoron IMO ...
Experience is something you don't get until just after you need it.
October 6th, 2005 04:10 PM
On 27 October 1980, a status message virus that was accidentally made and propagated brought ARPANET to a total standstill.
From Here: http://www.geocities.com/lois_wolf/N...Termpaper2.htm
The road to hell is paved with good intentions.
October 6th, 2005 04:25 PM
I was just going to post, I thought the first worm coded was supposed to be a beneficial program to automate network tasks, but got out of control.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
October 6th, 2005 04:55 PM
Thanks for the great link, milner, and a great read.
I heard of this approach before, somewhere, maybe here. I still think it is a doomed concept. All that will happen is that this tool will be used to create more effective, more powerful malware. Didn't they look at the current crop of malware packages? Many have hijacked legitimate security programs (psec.exe, for one) to leverage exploits. What makes them think their product will be treated any differently?
Aitel is trying to "change the way people think." Unfortunately, his efforts are directed at the wrong people.
EDIT: Whoops, I wasn't watching closely.
October 6th, 2005 05:27 PM
Wasn't it the Welchia worm/virus originally created to find and patch those machines that were or could be infected by the MSBlast virus? In other words, it was intended to be a so-called "good" worm. The Welchia did more harm than the MSBlast in my opinion, simply because of the enormous amount of traffic it generated and it is still out there, I see it with the home users that VPN into the office (a whole different rant entirely).
There are two rules for success in life:
Rule 1: Don't tell people everything you know.
October 6th, 2005 05:38 PM
Steve sums up the whole point very nicely.
Originally posted here by steve.milner
The road to hell is paved with good intentions.
I honestly have never HEARD of Immunity Inc. Looking at their site, it's a pretty small org. Their bios show some decent credentials, but nothing to get all atwittered over.
This sounds a LOT like marketing hype leveraging the media sensationalism of worms to sell a half-baked idea. For example, you get some CIO with more executive than technical experience, tell him gloom and doom tales of Nimda, Code-Red, Slammer, and the like until (s)he's nearly in tears, then explain how your "new technology" can "use the same vectors of attack that these mean old nasty hacker worms use" to "fix" all of your problems.
What about the impact of this "benevolent worm" on network performance? How can you really control a self-propagating piece of code? Yes, yes, reporting back to some centralized management server, I read the piece...but what happens when that code gets into a network that is NOT white listed...the infected client keeps asking for authorization, until told "no"? What happens if your centralized servers are DoS'd...intentionally or not...what happens if... what about when...
No, I see way, WAY too many things that can go wrong with this. I don't believe their team subscribes to the KISS methodology, and I would have to vote a "HIGHLY DOUBTFUL" if asked if this could be effective.
But hey, I've been wrong before. Once...or twice...maybe.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
October 6th, 2005 07:24 PM
Hmm. I don't really think stopping worms with worms is a good idea. Most of the time it will lead to a DoS condition in the network.
October 6th, 2005 08:31 PM
I think that I was reading about this before in time.
I think actually that it can be something, maybe good, but.....
But what will be with AV's and ASpy's?
Best way can be is just to sniff for network for new file extension, // look for ports and changes in policy
// too far away outside of limit