TMCnet News

Turning the worm secures the computer
[February 03, 2006]


(New Scientist Via Thomson Dialog NewsEdge) WORMS, the enemy of PC owners and IT departments everywhere, are about to become a force for good. Beneficial worms will spread rapidly through networks and patch machines before a malicious worm can attack.



Since the first computer worm appeared in 1988, researchers have dreamed of deploying good worms to fight the bad ones. These would be programmed to invade a computer by exploiting the same weak points that bad worms use. But instead of delivering malicious software, the worms would close up the weak spot and so render the computer impervious to further attack. "We're talking about fighting fire with fire," says programmer David Aitel of the firm Immunity in Miami, Florida, who developed the worm.

These so-called "patching worms" have previously been used by virus-writing gangs to try to stop the spread of worms deployed by their rivals. Legitimate users have been wary of unleashing patching worms because they are difficult to control, raising fears that the originator would be liable if one were to crash computers it was not designed to patch. "Even if your intentions are good you are altering the behaviour of someone's machine without their consent," says Jose Nazario of the security firm Arbor Net, who runs a website called Worm Blog.


Aitel claims to have overcome this problem by programming the beneficial worms to visit only computers on a particular network. The worms, which he calls "nematodes", are programmed with a map of the network that tells them the range of IP addresses of all the machines they are allowed to invade. The first thing they do when they contact a potential beneficiary is to check whether the computer is in their range. If so they will invade; if not, they look for a new host.

Alternatively, the "polite" worms can be programmed to ask a central server for permission to invade. To ensure the infected computer always has access to that central server, Aitel suggests using the domain name system (DNS) server, which is responsible for translating domain names like newscientist.com into their numerical IP address. All computers on the network must have access to the DNS server at all times, as they contact it each time they visit a web page. If equipped with suitable software, it could also tell the worm whether it was allowed to invade a machine with a particular IP address.
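
The two controls described above, a built-in map of permitted address ranges and a permission query to a central server, amount to a deny-by-default authorization gate. The following Python is an added example, not code from Aitel or Immunity; the class name, the sample ranges and the `central_check` callback (standing in for the DNS-based permission lookup, whose format the article does not give) are assumptions.

```python
import ipaddress


class ScopeGuard:
    """Deny-by-default gate: static range map, then optional central approval."""

    def __init__(self, allowed_ranges, central_check=None):
        # strict=True rejects entries with host bits set (e.g. "10.20.0.5/16"),
        # so a typo in the map raises instead of silently changing the scope.
        self.networks = [ipaddress.ip_network(r, strict=True) for r in allowed_ranges]
        # Assumed interface: callable taking an IP string, returning True to approve.
        self.central_check = central_check

    @staticmethod
    def _parse(target):
        addr = ipaddress.ip_address(target)  # ValueError for hostnames or junk
        # Treat ::ffff:a.b.c.d as the IPv4 host it refers to, so one machine
        # cannot be in scope under one notation and out of scope under another.
        mapped = getattr(addr, "ipv4_mapped", None)
        return mapped if mapped is not None else addr

    def decide(self, target):
        """Return (allowed, reason). Every error path is a denial."""
        try:
            addr = self._parse(target)
        except ValueError:
            return False, "not a literal IP address"
        if not any(addr.version == n.version and addr in n for n in self.networks):
            return False, "outside range map"
        if self.central_check is None:
            return True, "in range map"
        try:
            approved = self.central_check(str(addr)) is True
        except Exception:
            return False, "central server unavailable"
        if approved:
            return True, "in range map and centrally approved"
        return False, "central server refused"


if __name__ == "__main__":
    # Constructed sample data: ranges and an excluded host chosen for illustration.
    excluded = {"10.20.9.9"}
    guard = ScopeGuard(["10.20.0.0/16", "192.0.2.0/24"], lambda ip: ip not in excluded)
    for t in ["10.20.3.4", "10.20.9.9", "10.21.0.1", "::ffff:192.0.2.7", "host.example"]:
        print(t, guard.decide(t))
```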

To allow programmers with no worm-writing experience to assemble their own worm, Aitel has developed a programming language called Nematode Intermediate Language (NIL), which breaks a worm down into smaller software modules. He presented it last week at the Black Hat Briefings federal conference in Washington DC.

The company hopes to start selling NIL modules within the next four years.
