A Worm By Any Other Name Is…An Information Epidemic?

February 18th, 2008 Leave a comment Go to comments

Virus
Martin McKeay took exception to some interesting Microsoft research that suggested that the similar methodologies and tactics used by malicious software such as worms/viri, could also be used as an effective distributed defense against them:

Microsoft researchers are hoping to use "information epidemics" to distribute software patches more efficiently.

Milan Vojnović
and colleagues from Microsoft Research in Cambridge, UK, want to make
useful pieces of information such as software updates behave more like
computer worms: spreading between computers instead of being downloaded
from central servers.

The research may also help defend against malicious types of worm, the researchers say.

Software
worms spread by self-replicating. After infecting one computer they
probe others to find new hosts. Most existing worms randomly probe
computers when looking for new hosts to infect, but that is
inefficient, says Vojnović, because they waste time exploring groups or
"subnets" of computers that contain few uninfected hosts.

Despite the really cool moniker (information epidemic,) this isn’t a particularly novel distribution approach and in fact, we’ve seen malware do this.  However, it is interesting to see that an OS vendor (Microsoft) is continuing to actively engage in research to explore this approach despite the opinions of others who simply claim it’s a bad idea.  I’m not convinced either way, however.

I, for one, am all for resilient computing environments that are aware of their vulnerabilities and can actively defend against them.  I will be interested to see how this new paper builds off of work previously produced on the subject and its corresponding criticism.

Vojnović’s team have designed smarter strategies that can exploit the way some subnets provide richer pickings than others.

The
ideal approach uses prior knowledge of the way uninfected computers are
spread across different subnets. A worm with that information can focus
its attention on the most fruitful subnets – infecting a given
proportion of a network using the smallest possible number of probes.

But
although prior knowledge could be available in some cases – a company
distributing a patch after a previous worm attack, for example –
usually such perfect information will not be available. So the
researchers have also developed strategies that mean the worms can
learn from experience.

In
the best of these, a worm starts by randomly contacting potential new
hosts. After finding one, it uses a more targeted approach, contacting
only other computers in the same subnet. If the worm finds plenty of
uninfected hosts there, it keeps spreading in that subnet, but if not,
it changes tack.

That being the case, here’s some of Martin’s heartburn:

But the problem is, if both beneficial and malign
software show the same basic behavior patterns, how do you
differentiate between the two? And what’s to stop the worm from being
mutated once it’s started, since bad guys will be able to capture the
worms and possibly subverting their programs.

The article isn’t clear on how the worms will secure their network,
but I don’t believe this is the best way to solve the problem that’s
being expressed. The problem being solved here appears to be one of
network traffic spikes caused by the download of patches. We already
have a widely used protocols that solve this problem, bittorrents and
P2P programs. So why create a potentially hazardous situation using
worms when a better solution already exists. Yes, torrents can be
subverted too, but these are problems that we’re a lot closer to
solving than what’s being suggested.

I don’t want something that’s viral infecting my computer, whether
it’s for my benefit or not. The behavior isn’t something to be
encouraged. Maybe there’s a whole lot more to the paper, which hasn’t
been released yet, but I’m not comfortable with the basic idea being
suggested. Worm wars are not the way to secure the network.

I think that some of the points that Martin raises are valid, but I also think that he’s reacting mostly out of fear to the word ‘worm.’  What if we called it "distributed autonomic shielding?" 😉

Some features/functions of our defensive portfolio are going to need to become more self-organizing, autonomic and intelligent and that goes for the distribution of intelligence and disposition, also.  If we’re not going to advocate being offensive, then we should at least be offensively defensive.  This is one way of potentially doing this.

Interestingly, this dovetails into some discussions we’ve had recently with Andy Jaquith and Amrit Williams; the notion of herds or biotic propagation and response are really quite fascinating.  See my post titled "Thinning the Herd & Chlorinating the Gene Pool"

I’ve left out most of the juicy bits of the story so you should go read it and churn on some of the very interesting points raised as part of the discussion.

/Hoff

Update: Schneier thinks this is a lousy idea. That doesn’t move me one direction or the other, but I think this is cementing my opinion that had the author not used the word ‘worm’ in his analog the idea might not be dismissed so quickly…

Also, Wismer via a comment on Martin’s blog pointed to an interesting read from Vesselin Bontchev titled "Are "Good" Computer Viruses Still a Bad Idea?"

Update #2: See the comments section about how I think the use case argued by Schneier et. al. is, um, slightly missing the point.  Strangely enough, check out the Network World article that just popped up which says ""This was not the primary scenario targeted for this research," according to a statement."

Duh.

  1. T
    February 19th, 2008 at 08:57 | #1

    Apparently you're not easy to convince if you've actually read both Martin and Schneier's posts on this, so here's my shot at it:
    First of all, do you really think that calling it something other than a 'worm' will make it better?
    I imagine this is the same line of thinking that went into calling a law that allows you to spy unwarranted on citizens, the "Patriot Act".
    I'm pretty sure that even if you called it the "Super Automated American Patriot Shield Protection Jesus Soaring Eagle Freedom Apple Pie Defense System", the basic idea behind it is still exceedingly retarded.
    There are already worms that exhibit this behavior. They install a trojan and patch the exploit that let them in so that the worms of other botnets won't take over the machine.
    Would you say these are beneficial to the ecosystem as well? Or are they only half as beneficial as the Certified Microsoft Premium Live Worm ™ will be?
    There is absolutely no excuse for invading someone else's computer and changing the software on it. No matter how noble you think your intentions are. What about the people who actually have a customized OS and can't just install the latest patch until they test it thoroughly? You know, like every government workstation in the world?
    Are these people going to have to protect themselves against Microsoft, as well as Chinese hackers now?
    You're not just talking about one worm, with one patch here. You're talking about a continuous series of useless internet traffic that probes the ports of people's computers and try to patch them up.
    And how exactly is your system secure, in any sense of the word, if it can still spread worms to other computers? Is it going to spread a few worms out and THEN patch itself?
    After two years with this scheme we'll have 600 different worms constantly DDoS attacking all the Windows machines in the world looking for 1200 different exploits and trying to patch them on top of each other in no particular order.
    How are you going to manage the versions of all these patches, when a lot of them have to be applied in a very specific order, or are replaced by newer versions?
    Is one worm just going to drop a resident payload that waits for another worm of the right version to come patch a vulnerability that needs to be fixed first? Or do they contact a central database to download the fix? Which kind of defeats the whole purpose of distributing it in the first place.
    There's also the fact that patches occasionally kill systems when Microsoft releases a patch that disables Internet Explorer or some peripherals, or whatever else we've seen them do in the past. Exactly how long do you think an ecosystem like this is going to last?
    And that's just the technical side of it. I think you'll find that most countries actually have laws against hacking and compromising other people's computers. And with good reason.
    It'll be a lot easier to track down who the intruder is when the worm header says 'Microsoft'.
    I will leave you with this modern-day Zen koan, which is pretty much the question on every security researcher's mind:
    If a computer is spreading a Microsoft Worm to other computers, is it a compromised system or not?

  2. February 19th, 2008 at 10:44 | #2

    So, let's say for argument's sake, that a commercial product (Microsoft's or otherwise) used this distribution methodology within an ENTERPRISE of governed employees. Does that take the sting out of inflicting pain across the oppressed citizenry?
    Nowhere did I suggest or advocate (and I'm not sure Milan Vojnović did, either) that this sort of thing should be unleashed on the unsuspecting and uninformed global populous.
    That being said, what's the difference between deploying agents on every machine IN AN ENTERPRISE or utilizing this propagation mechanism instead? You bring up some good points regarding patch order, etc., but that's simply a programatic issue.
    Again, look at all the rhetoric you and emotional baggage you lumped into your argument: Patriot Act, spying, etc…
    If you look at neural network based self-organizing decision systems coupled with a self-propagating distribution system WITHIN AN ENTERPRISE, I'm still unconvinced that this is a bad idea.
    You might also want to check out the Network World article which suggests that ""This was not the primary scenario targeted for this research," according to a statement. http://www.networkworld.com/news/2008/021908-micr
    Sure, I'd agree that it would be a bad idea to simply couple the word "worm" with the thought of simply letting this sort of thing run rampant across the metaverse…but that's not what I'm really considering as part of my evaluation. And since I haven't see the paper yet (and neither are you) we're just debating from the gut at this point.
    Again, I've yet to reach a conclusion because I'm studying both sides of the argument.
    I maintain that despite your awesome product marketing ideas ("Super Automated American Patriot Shield Protection Jesus Soaring Eagle Freedom Apple Pie Defense System" is hysterical) you're looking at only one side of the equation.
    At least I know this isn't Kurt because you've capitalized the beginning of every sentence 😉
    /Hoff

  1. No trackbacks yet.