Microsoft slammed for 'stupid' friendly-worm idea

Reminiscent of the "good" Nachi worm unleashed in 2003, Microsoft researchers have touted the idea of "friendly worms" to issue software patches, which has been labelled "stupid" by security experts.
Written by Tom Espiner, Contributor

Reminiscent of the "good" Nachi worm unleashed in 2003, Microsoft researchers have touted the idea of "friendly worms" to issue software patches, which has been labelled "stupid" by security experts.

In a research paper entitled Microsoft's Sampling Strategies for Epidemic-Style Information Dissemination, the software giant looks at optimising the dissemination of data over a large-scale network by sampling computers in a subnet or IP address block -- a similar technique to that used by worms -- to identify computers that contain a known vulnerability.

"My focus is fundamental research on improving the efficiency of data distribution of all types across networks, and isn't limited to certain scenarios or types of data but investigating underlying networking techniques," Milan Vojnovic, researcher at Microsoft UK, told ZDNet.com.au sister site ZDNet.co.uk.

"Using understanding from the field of epidemiology is one of the methods that we're investigating in this area, and we hope that our research will help inform future computer science research and networking technology," he said.

However security expert Bruce Schneier said the concept of using worm-like techniques to distribute software patches is "stupid".

"Patching other people's machines without annoying them is good; patching other people's machines without their consent is not," wrote Schneier in a blog post.

"A worm is not 'bad' or 'good' depending on its payload. Viral propagation mechanisms are inherently bad and giving them beneficial payloads doesn't make things better. A worm is no tool for any rational network administrator, regardless of intent," added Schneier.

If Microsoft were to venture down this path of so-called "good worms", it would be revisiting old territory covered in 2003.

The 2003 worm dubbed W32.Welchia, W32/Nachi and Worm_MSBlast.D, was one such example of a "good worm" turned bad. Nachi downloaded a patch for Windows from Microsoft's Web site.

The "good worm" became a pest and claimed the UK police computer systems along with over 500,000 victims.

Back then, Oliver Friedrichs, who was the senior manager for Symantec's security response centre, was one of numerous experts that said worms were not a good way to distribute patches.

"I don't necessarily think whenever you infect someone's systems, install software and reboot the computer that that is a good thing ... It still tries to propagate; it is still attacking people over the Internet," he said at the time.

Even today, the field of "computer epidemiology" sparks excitement and caution in the security industry.

"I believe this is an exciting and important area of research. The more complex and interconnected our information systems become, greater understanding of how code spreads in this ecosystem will undoubtedly be invaluable in better protecting our information ecosystem against malicious intent (worms included)," said Nishad Herath, security researcher at McAfee's AvertLabs.

However Herath also said the method is "extremely risky" because of the impact on user expectations of how to manage software updates.

"Forcing software updates (via good worms), without adequate user consent or proper user education as to why these updates are necessary, will only open the door to a culture where users will become accustomed to such unverifiable "automatic updates", making it easier in the end to spread malware masquerading as 'good worms'," said Herath.

"As always, the devil may well be in the details of the implementation, but still, [it's] very risky all the same," he added.

However, echoing Schneier's blog comments, IBRS security analyst, James Turner, said the technique may have a place for consumers, who are bad at maintaining their software.

"This is potentially fantastic for home users, who are notoriously bad at maintaining their security," said Turner.

Turner agreed that this method of distribution would present major problems when ensuring patches come from a trusted source. But this may also present an opportunity for Microsoft to change the permission model it uses for consumers.

"Potentially Microsoft could make this a setting when you set up your account by asking the question, 'Do you want Microsoft to patch your machine on the fly'," said Turner.

However, Turner believes the ramifications for corporate users could be dire.

"In terms of corporations, this would be a nightmare, not least because of the change control issues. Microsoft is so keen to get people running on the latest version but it hasn't always done a quality control assessment against the customised apps that organisations are running," said Turner.

"Those customised apps could have been taking advantage of aspects of the software that gets changed by one of these worms," he added.

Editorial standards