Uh-oh. It happened again. On Saturday, Jan. 25, major portions of the Internet got hosed by a worm. The culprit this time was named "SQL Slammer," a worm that attacked Microsoft SQL Server 2000 systems by exploiting yet another buffer-overflow vulnerability. This little gem hit hard, sucking up bandwidth and CPU cycles to bring the Net to a crawl throughout the world. Heck, the worm even shut down access to a major bank's ATM network, certainly a cause for concern.
In the last few years, we have faced an avalanche of increasingly nasty worms. Indeed, in the history of the Internet, worms like SQL Slammer have caused the most widespread damage of any computer attack technique. For the uninitiated, worms are automated attack tools that spread via networks. A worm hits one machine, takes it over and uses it as a staging ground to scan for and conquer other vulnerable systems. Using this process, worms propagate across a network on an exponential basis.
After nearly every major worm attack, someone on an Internet security mailing list proposes turning the tables on worms using so-called "ethical worms." Instead of suffering through the rapid spread of a malicious worm while keeping our fingers crossed that system administrators will deploy fixes in time to stem the tide, these folks argue that we could deliberately release ethical worms to deploy patches. According to this argument, we could harness the breeding power of worms to spread software patches rapidly throughout the world. Using this technique, some people think we could beat malicious worms at their own game.
So, are ethical worms a viable solution in battling malicious worms? If we take a bite from this apple, will we keep the doctor away for another day? Or, will we just find a half-eaten rotten worm? In my opinion, ethical worms are just too risky given the limited benefits they can offer.
Ethical worms could break applications
One of the biggest concerns about ethical worms is the damage they could unintentionally do as they spread through networks and install patches. Even if they propagate flawlessly and install patches effectively, ethical worms could close a security hole that a particular application needs in order to function properly. Some applications are dependent on the fact that the underlying operating system or server software operates in a particular way. If this behavior is changed by a security patch, the application itself could break. Until the application is fixed, the result of applying the patch is a denial-of-service attack.
Tremendous liability and control concerns
Because they'd break some applications, ethical worms open huge potential exposures to legal liability. Suppose some well-meaning security researcher releases an ethical worm, trying to help the world by fixing a devastating, simple-to-exploit hole. If this ethical worm damages my systems, I would likely blame the security researcher, regardless of the purity of his intentions. Similarly, if a vendor or antivirus company releases an ethical worm, bringing down a Web server hosting my million-dollar-an-hour macaroni-and-cheese-home-delivery e-commerce business, I may be able to sue the vendor for damages.
Furthermore, if an ethical worm takes over my machine, inoculates it and uses my system to patch other systems, shouldn't I have some say in the details of my system's involvement in this process? Otherwise, this worm is using my bandwidth to distribute patches to other machines of people I don't even know. If your ethical worm hacks into my system, even with noble purposes, you've still attacked the integrity of my machines. If someone broke into a house to put locks on the doors, the homeowners would still feel violated.
Undermining technical controls
Suppose, however, that instead of just releasing an ethical worm and letting it spread, we build an ethical-worm distribution system using digital signatures so all patches could be authenticated before they are installed. Such an ethical-worm distribution system would likely include several components, such as:
- Systems for creating and testing ethical worms
- Systems for injecting properly formed ethical worms into the Internet
- The ethical worms themselves, as well as code that distributes them
- Ethical worm helper systems, the first set of machines that receive the worm and help it spread
- Software to receive the worm and act as a docking station, installed on individual machines around the world
- Digital signature verification software, built on top of a Public Key Infrastructure
Each one of these components would be a very juicy target for an attacker. If any element of this system could be compromised, the attacker could hijack the ethical-worm distribution system, using it to deploy malicious software. If the attacker could break into such a system, our ethical-worm distribution system could be used to very efficiently disable the Internet.
Sucking up bandwidth just when we need it most
Additionally, an ethical worm could suck up major bandwidth on the Internet as it spreads. Even if the worm spreads efficiently, the Internet will see a spike in bandwidth consumption. If the ethical worm is racing against a malicious worm, we'll have two worms competing on the Internet for bandwidth, only exacerbating our performance and reliability problems. Usually, network performance under increasing bandwidth begins to drop linearly as more and more traffic is loaded on the network. After this linear drop occurs for a while, as traffic continues to increase, performance reaches a breaking point. By exhausting bandwidth at a very critical time, the ethical worm could push the Internet over a performance cliff.
Further, even if an ethical worm itself works flawlessly, it still cannot outrun the extremely rapid spread of many modern-day worms, especially if zero-day exploits are included in the worm. A zero-day exploit is a new attack against a vulnerability never seen before. To create an ethical worm that stops a malicious zero-day worm, the good guys must first discover the flaw, create a fix for the vulnerability and then develop an ethical worm to spread the fix. Only after all of that occurs could an ethical worm even be launched, spreading its fix across the Internet. Of course, in the time it takes the good guys to get their act together and even discover the zero-day flaw, the malicious worm will have thoroughly conquered the Internet. Therefore, despite their speed, ethical worms are guaranteed to lose the race against a malicious worm spreading efficiently using zero-day exploits. If we are guaranteed to lose the race, ethical worms just don't make sense.
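The race argument above can be put in numbers with a simple epidemic model. This is an added illustration, not part of the original article: the spread rates, seed fraction, delays and the assumption that the patching worm only reaches hosts that are not yet infected are all constructed for the example.

```python
# Added illustration: a malicious worm and a patching worm competing for the
# same pool of vulnerable hosts. Every number here is a constructed assumption.

def final_infected(delay_h, beta_mal=2.0, beta_eth=2.0,
                   seed=1e-5, horizon_h=48.0, dt=0.01):
    """Fraction of hosts held by the malicious worm after horizon_h hours.

    s = vulnerable and untouched, i = infected, p = patched; s + i + p = 1.
    Each worm grows in proportion to (hosts it holds) x (hosts still untouched).
    The patching worm is released delay_h hours after the malicious one and,
    by assumption, cannot reclaim hosts that are already infected.
    """
    i, p = seed, 0.0
    launch_step = round(delay_h / dt)
    for step in range(round(horizon_h / dt)):
        if step == launch_step:
            p = seed                      # patching worm released now
        s = max(0.0, 1.0 - i - p)         # hosts neither worm has reached
        di = beta_mal * i * s * dt        # new infections this step
        dp = beta_eth * p * s * dt        # new patches this step
        i, p = i + di, p + dp
    return i


if __name__ == "__main__":
    print("delay (h)  patch-worm speed  hosts infected at end")
    for delay, beta_eth in [(0, 2.0), (1, 2.0), (3, 2.0), (6, 2.0), (6, 4.0)]:
        frac = final_infected(delay, beta_eth=beta_eth)
        print(f"{delay:9d}  {beta_eth / 2.0:15.1f}x  {frac:20.4%}")
```

With equal speeds and no delay the two worms split the hosts evenly; in this model a head start of a few hours leaves the patching worm with almost nothing to protect, even when it spreads twice as fast.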
So, while ethical worms may at first glance seem like an interesting distributed solution for handling malicious worms, they in fact cause more problems than they solve. In the end, the legal liability issues are paramount. Would you want to risk the wrath of thousands of lawyers sharpening their knives to sue you for an ethical worm gone awry, just to help spread some patches on the Internet? Wise software companies and security researchers shouldn't expose themselves to such a risk.
About the author
Ed Skoudis is the author of the book Counter Hack: A Step-by-Step Guide to Computer Attacks and Effective Defenses. You can contact Ed at firstname.lastname@example.org, or submit your question to him via SearchSecurity.com's Ask the Expert.
This was first published in January 2003