Are worms actually good for security?

Are worms actually good for security?

Summary: You've probably heard by now that the Zotob worm is rampaging through business and organizations with computers running the Windows 2000 operating system, but could this actually be good for security?  The way that I see it, any computer worm that doesn't actually delete or steal any data is the cyber equivalent of biological immunization.

TOPICS: Malware

You've probably heard by now that the Zotob worm is rampaging through business and organizations with computers running the Windows 2000 operating system, but could this actually be good for security?  The way that I see it, any computer worm that doesn't actually delete or steal any data is the cyber equivalent of biological immunization.

Two years ago, a fast moving worm called Blaster rampaged through the Internet and forced every company in the world to take prompt action to harden their network and thoroughly patch all of their Windows systems.  Since most people simply used Windows Update on all of their client and server systems, it actually had a much broader immunization effect.  This immunization effect isn't something that's just theoretical, it actually resulted in a sharp drop in the number of confirmed hacker defacements on Zone-H shown in a report posted here.  This report actually showed Windows servers being hacked significantly less than Linux servers, which seems to validate the theory that worms actually strengthen security like colds strengthen our immune systems.

While the Zotob worm can't be considered a "vaccine" since it was created with malicious intent to wreak havoc, it is equivalent to getting a nasty case of chickenpox that temporarily knocks you out of commission but you recover from it immunized from all future attacks.  The Zotob worm is effectively forcing IT departments to do a systematic and thorough patch on all vulnerable systems which is exactly how a biological system would react.  Had there been a well-engineered "good" worm that was designed to eliminate side-effects such as rapid reboots and network flooding, this would have been the equivalent of a vaccine.  Such a worm would be able to infect computers, install the patch, instruct the host to infect 10 more computers or wait for a timeout before deleting itself safely without all the nasty side-effects of the bad worm.

Every time I've mentioned the possibility of a good worm to my colleagues in the IT world, I usually got very negative feedback.  Their typical reaction would be something like "well I'll put up some firewall rules to block it from patching my systems because it might break some of my applications".  Ironically, this was exactly the affect I was hoping for.  If the threat of the good worm forced action that would result in the blockage of the good worm or more importantly the bad worm, would that be such a bad thing?  If the good worm did get through because of inaction, the bad worm would have gotten through just as easily only with much more severe side-effects.  Even more of a concern is the fact that hackers use these types of vulnerabilities to commit even worse crimes.  Given the choice between the vaccine or chickenpox, which would you prefer?

Topic: Malware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Cowpox

    was the "good worm" for smallpox - so its been done before. Actually what you say is not really possible - the self-replicating nature of worms is THE factor that you want to stop. It is this nature that floods networks - which would be very hard to regulate.

    We should thank our lucky stars that worm/virus writers are non-malicious! There has yet to be a mass worm that destroys data on purpose - yet that capability has ALWAYS existed.
    Roger Ramjet
  • With a probe you wouldn't need a worm...

    ... clogging systems.

    The concept may be dangerous fior enterprises because of the applications, as suggested to you. But home users are much less likely to have nonstandard software that would suffer from installing a patch.

    A probe installing a trojan which downloads programs to scan and patch...

    That's really Windows update, reworked for those who don't use updates at all. And that's a miserably high portion of the population.
    Anton Philidor
  • Petty theft prevents grand theft?

    Maybe, but that doesn't mean shoplifters shouldn't be punished.

    People of European ancestry have increased immunity to bubonic plague, due to repeated epidemics over a 500-year period (the first killed a quarter of the population of Europe), but that doesn't mean that we should be thankful for those epidemics, or the huge suffering they caused our ancestors, nor does it mean we should regret the improvements in sanitation that finally brought the plague under control.

    Yes, the Internet's immune system is getting plenty of exercise of late, but don't expect the worm writers to get any praise for it (nor is it deserved). Worm writers do it for the challenge or for profit (selling control of zombies is getting to be lucrative), not to increase computer security. If caught, they should be punished severely, not thanked.
    John L. Ries
    • Technically

      Your reaction to petty theft could be what stop you from getting the rug stolen from under your feet.

      Still that is the way of things. People often know prior to being harmed that harm could happen but they do nothing to prevent said harm until harm is proven to happen.

      This is classic in physical security. You can tell the boss that that the jewels in the font window are risk to theft and they will refuse to implement a security system. But the second those jewels are stolen via breaking the window you time how long it takes for bars to go up with a stop watch.

      So is this good? In a perfect world I'd say no but since we live in a world of imperfection sometimes it takes the nasty to get people into action.
    • No disagreement there

      "Worm writers do it for the challenge or for profit (selling control of zombies is getting to be lucrative),"

      Actually, good worm writers who do it for sale try to keep their worm under the radar so that the anti-virus companies don't counter it. They don't do a sloppy job like Zotob where the SMTP code doesn't even work.

      "If caught, they should be punished severely, not thanked."

      Never suggested otherwise.
  • By the way.

    Bill Gates made the point that Microsoft products will be the most secure because they have been attacked most often. Same reasoning.

    Microsoft may not be open source, but there are apparently millions of eyes looking for holes in the software. More people checking for errors than review Linux, I suspect.
    Anton Philidor
    • Same idea, only vendor embedded

      What you're suggesting is mandating windows update. The problem is Microsoft can't enforce that and people will disable that "feature".

      A "good" worm would be independent of the vendor.
  • Are worms actually good for security?

    Thank you for being politically incorrect, and pointing out the truth. I have long held thet there could, and should be, what you call a "Good" Worm.

    Ron Rahav
    • It's a pragmatic view

      For those businesses who don?t want the good worm, they only need to take some simple counter measures. Then the good worm wouldn?t touch their network and neither would the bad worm. It would also make them a lot more hack resistant.

      The only people that complain are those who don't patch their networks and don't take any other counter measures.
  • Yes worms are good for security.

    Good for security vendors, that is. Worms will evolve and there will surely be another "big one" in the future. Based on that assumption, our collective security efforts to stop worms only really protects us from the past.
    IT Scion
    • Wrong

      If personal firewalls were implemented with the proper access controls, it would stop past and most future worms.
      • Okay then

        Explain to me how this one got through? Didn't the past already tell us to use our firewalls and tighten them up? Sure but did it stop this one? I stand by my words. The past only heals us from past threats. For every lock there is a pick. And if I am wrong then there is no need for a good worm.
        IT Scion
        • This one got through on networks that didn't learn

          I can assure you that the infected computers didn't have personal firewalls installed. Most business (especially those still running Windows 2000) don't have personal firewalls installed and buying a third party solution costs as much as upgrading to Windows XP.

          The past didn't heal us from this threat because many businesses haven't learned from the past. The good worm would have softened the blow for most of these infected businesses like a vaccine would; instead they got a case of the chickenpox.
  • Re: Worms good for Security?

    "The way that I see it, any computer worm that doesn't actually delete or steal any data is the cyber equivalent of biological immunization."

    You forget all the systems that are infected by
    a worm like code red hammer the hell out of the Internet even if they don't delete your data or
    damage your system because of a firewall they
    clog up bandwith and make life miserable for everyone.

    The only good worm is the big fat juicy one in
    my yard I use for fishing in the summer :)
    • Did you miss something?

      I said that Zotob is like the chickenpox where it completely disables you for days. A well designed good worm or "vaccine" would be careful not to slam your Internet connection.
  • No worm is a good worm

    I'm having a hard time understanding the point? Does MS understand the flaws in the code? And more than that, a worm is able to write itself in to ensure it's operation. Like writing and saving an exe file to root and writing an autorun key to the registry. It can open ports and start services and send a broadcast to other computers on the network instructing them to act on the worm.

    Of course this is a short and some what lame explanation. But this is how it works. Even to execute the abort shutdown prosses. Like a root execution free for all.

    I'm anti-Microsoft for a good reason. I don't mind them making money at all. In fact aside from the design, it's a nice looking and feature rich OS. It's very easy to use (to some extent). Try and be a typicl end user and figure out how to shutdown unwanted processes. Ask somebody what LSASS is? Does it need to be running?

    Lastly, MS to too hush hush about things. Like to save it's own butt or something. One has to dig and dig to understand what a running process does and if it needs to run for something else to work?

    We may have an idea of "how" the worm gets in and that it replicates. The reason it can't infect a different version of the OS is because it can't execute all the processes that it can on another.

    Please expand.
    • A worm hunter?

      How about (maybe stupid?) a process that activates a pop-up warning. "A PROCESS WANTS TO WRITE TO A ROOT FILE!! dopy.exe. is this ok yes or no?"

      "Service FTP wants to start. is this ok yes or no?"
      How about a verbose explanation of a process? How about an explanation of all the process this newly installed application will use to operate.

      Something that gives a verbose explanation of what is going on with your system and why? Based on a history of the applications you use.

      Remember this. The "Bad" guys spend hours pounding on a system connected to their lan and chat about it with others. They pound on a system until it brakes. It doesn't always matter when the exploit was announced.
  • Are Apologists Good for Technology?

    Open letter to George

    Hot on the heels of Worm Wars. George Ou has offered a novel
    idea. Worms are like a flu shot. Each new problems decelerates
    the runaway train and provides some immunization. It's hard to
    dissagree with this.

    I find the timing interesting though. It just so much more
    damage control and cognitive dissonance in an arena that that
    has surely seen enough of it.

    Perhaps the question should be "is downtime, lost productivity,
    and paranoia good for business under any circumstances" No?

    Then the next question is, who bought and paid for the wrong
    Harry Bardal
    • Open reply to Harry

      "It's hard to dissagree with this."

      You just answered your own question.
  • Individual versus Social Rights

    It is the responsibility of governments, as empowered by their people, to judge the dynamic tension between individual and social rights to choose policies.

    It is an individual right to control the use of their property (information system or bunge cord).

    It is a social right to control the use of property by individuals when that use empowers society (sale of radio spectum...) or endangers society (shuts down or otherwise interferes with the public Internet).

    Any vigilante that unilaterally takes away the rights of individuals to control their property (update their information systems in a way that meets their needs) is a criminal and should (meaning a moral judgement on my part) be handled that way.