Kuro5hin.org: technology and culture, from the trenches
White Hat worms - could they be used to speed up (exponentially!) distribution of security info?

By nhems in Technology
Fri May 18, 2001 at 01:10:25 PM EST
Tags: Software

The Cheese Worm has been created to infiltrate vulnerable systems and fix them in the aftermath of the 1ion worm. This worm, although done in good faith, seems a tad invasive. What if worms could be employed to search online boxen, and notify the sys-admins that a backdoor exists etc. This could be the most efficient method of distributing security info, as we have all heard how fast these worms replicate. Even better, only those people with vulnerable systems get notified.


After reading this post on that other site about the cheese worm which is infiltrating vulnerable Linux systems, I got thinking.

If you follow the link to the story on CNET you'll see (or probably have) that Kevin Houle says 'such a patch worm' may not be good. I kinda agree with him, as with the various flavours out there, the cheese worm writer might unintentionally do weird things to non-standard (read Debian, etc) systems which store /etc files and suchlike in different locations.

Onwards, readers, to the point!

A worm that infects systems and tries to 'fix' problems may be a Bad Thing, and could very well fuel M$ FUD against free/open software ('malicious programs invading helpless systems under the guise of helping' etc). But self replicating worms _could_ be used in a standard and non-invasive fashion.

White Hat Worms (tm) could be employed to spread over the net, and find backdoors into systems (*nix of course). Any systems which allow white hat worms to 'infiltrate' could have a /var/backdoors log file to which the worm writes to inform sysadmins that a backdoor has been detected. To handle the fact that there would be sys-admins who are the nervous type, if a user-space daemon is not running, then the worm would retreat and respect the sysadmin's decision not to let worms on his system. The user-space daemon could also be the mechanism by which any non-malicious white hat worm could log information to the /var/* file.

You can (hopefully) see that this system would be an efficient method of eliminating backdoors across the web, and would ease the burden on any open-minded sys-admins, as any backdoors they have would probably be detected by the worm(s), and the sys-admin notified (via the daemon and maybe a gnome-applet?) of the backdoor, any fixes available and the web page they are obtainable at.

I'm not at the kernel-daemon hacking level yet, and it's not quite my area of interest. But it's an idea, I put it out there, to be used, discussed or abused, your choice.

cheers, nhems

Poll
Does this idea have any merit?
o Great idea, should be done (not me though!) 3%
o Yeah, could be done 8%
o Alright, but who cares? 4%
o Has merits, also has security issues of its own 44%
o No one would touch it with a ten footer! 31%
o I'm a Windoze man, it's so secure I don't need security info, I just click [Next]..[OK] ;P 8%

Votes: 95


White Hat worms - could they be used to speed up (exponentially!) distribution of security info? | 63 comments (50 topical, 13 editorial, 0 hidden)
It's an interesting idea... (4.00 / 5) (#2)
by lucas on Thu May 17, 2001 at 07:59:00 AM EST

My concern is: what prevents Black Hat worms from being written to neutralize White Hat worms? It's plausible to have some sort of worm warfare where Black Hat worms can bury themselves even more elusively and wait for White Hat worms, which they can either mutate or neutralize.

I think it is a great idea and I hope that this particular incident inspires other people to write White Hat worms. As long as the source remains open and there is some sort of MD5 or checksum to verify that it is truly a documented White Hat worm that got through, I think it might be an interesting way to distribute a patch or a fix. I don't think it will fly, however, because the media would call it a virus and use words like "infection" that would imply that it was inherently evil.

Worm warfare (3.00 / 2) (#4)
by uXs on Thu May 17, 2001 at 08:12:35 AM EST

Yes! Worm warfare would be so cool :-)
Why does this make me think of Tron ?

And more seriously, if people are smart enough to install and maintain programs that check if the worms that get through are white enough, isn't it safe to assume that they're capable of maintaining a reasonably safe system without having to rely on these worms ?

--
What our ancestors would really be thinking, if they were alive today, is: "Why is it so dark in here?" -- (Terry Pratchett, Pyramids)
[ Parent ]
how this idea differs from 'cheese worm' philosoph (3.00 / 2) (#6)
by nhems on Thu May 17, 2001 at 08:20:26 AM EST

The worms I am suggesting would not be a form of neutralization of black hat worms (i.e. what the cheese worm does). They would be used more as a form of preventive medicine, spreading as quick as the more nefarious worms do, hopefully getting to vulnerable hosts, and warning them of the security risks on their systems.

These worms would not infiltrate the system as such, but would communicate with a daemon, which listens on a certain port. The worm then sends the daemon a string, with all the relevant information on the backdoor, fixes, relevant websites etc. The daemon would be small, and only do a few things (such as write to a log file), thus ensuring its security. The daemon could then send the worm onto other 'known' hosts who don't mind being scanned by friendly worms.

The emphasis of this system is not to actually let worms into a system, as this is intrusive, but only to log information. The biggest problem I can see (and I see it now) is the fact that such a worm would (probably) actually need to be resident on a system to spread itself, huge security issue.

thx the comment
nic_h
[ Parent ]
daemons (4.00 / 2) (#24)
by greycat on Thu May 17, 2001 at 12:29:31 PM EST

These worms would not infiltrate the system as such

Then how would the worm know that there is a problem?

but would communicate with a daemon, which listens on a certain port.

Most systems already have such a daemon running on port 25. It can be sent human-readable messages, as long as you prefix them with appropriate headers such as "HELO worm" and "MAIL FROM:<root@localhost>" etc.



[ Parent ]
Waste of bandwidth (1.80 / 5) (#3)
by hulver on Thu May 17, 2001 at 08:11:03 AM EST

Why should we waste bandwidth on people who can't be bothered to secure their system? Fsck em.
People who don't keep up to date with known security problems (the only sort you could write a white worm for) deserve everything they get.

--
HuSi!
Won't work (3.87 / 8) (#5)
by DesiredUsername on Thu May 17, 2001 at 08:19:49 AM EST

I voted this up because it's an interesting topic, but this implementation won't work, for one simple reason: Why can't a Black Hat worm use the same vector? Checking the entire system, writing to files and sending itself on is enough to do PLENTY of damage (at the very least it has privacy issues).

Authentication won't work because it's easy to fake (you don't have to crack PGP, you just have to find *one* person's private key to kill the whole system--or just BE that person). And if you eliminate untrusted parties to make auth work, you've lost the exponential part and brought us back to where we are now.

But how about a vastly scaled back system. Instead of the White Hat worm actually finding the backdoors, how about it just lets me know of anything new and tell me where I can find more information. It's still exponential, but now it's not active, just informative. Oh wait, we already have that: email.

Play 囲碁
Arg! (4.00 / 3) (#9)
by MisterX on Thu May 17, 2001 at 08:44:14 AM EST

Oooo... it makes me seethe when I spend half an hour crafting a wordy post only to find after posting it that some inconsiderate bugger has said everything I did, better than I did and in one third of the space.

Nicely done ;-)



[ Parent ]
missing the point! (none / 0) (#62)
by kubalaa on Tue May 22, 2001 at 07:29:50 PM EST

The objections to this are really frustrating. You ask, "why can't a black hat worm use the same vector?" That's the POINT. That's how the worm spreads. It uses a vector which a black hat worm is ALREADY using, or will be using.

Everybody's whining, "Don't try and admin MY box for me or I'll sue your ass off!" If a white hat worm is able to get into your box, then you're an incompetent admin, your box is already vulnerable, and if it hasn't been exploited it's only a matter of time. Whether you LIKE it has nothing to do with it, the question is, is it possible for the worm to do more harm than good? And the answer is no, because it doesn't do anything that a black hat worm wouldn't, but it does stop a great deal of activity that black hat worms would do.

[ Parent ]

Cool idea (3.40 / 5) (#10)
by RangerBob on Thu May 17, 2001 at 08:47:55 AM EST

It's a cool idea, but I'm curious about the implementation though. The point of securing a system is to try to keep everything out, including the white worms. But if you leave it open enough so the good guys can get in, the bad guys can use the same route. Plus, you'd have to hope that the white worm would find and fix your machine before the bad guys do, and usually the good guys lag behind when things like this happen.

Too complex (3.50 / 6) (#12)
by Glacky on Thu May 17, 2001 at 09:25:59 AM EST

All the worm has to do is announce itself in the security log. Any sysadmins who care about their box being hacked would spot it, do a little research and (from other traces worms leave in logs and usually cover up once inside) patch it themselves.
I can see why automatically closing the backdoor as well might be a good idea, as there are far too many people who don't know/don't care and leave their system vulnerable. Less machines that can be suborned into being part of a DDoS attack is always a good thing. However not all admins want external programs messing with their machine.

This is the dilemma, do it for them or let them find out? I think we should encourage anyone running a *nix flavour to find out, and not turn them into mollycoddled sheep like a certain other 'operating system's users have become.


I don't know about this.. (4.42 / 7) (#13)
by tokage on Thu May 17, 2001 at 09:45:15 AM EST

Too high of a level of trust on too many unknown variables. Security is something that unless you -personally- implement, is not to be taken for granted. Much like assuming a gun to be unloaded - we all know, always assume it's loaded, unless you personally have just unloaded it. Not to mention, who would implement this worm? A software vendor? Do you want them trucking about in your system, promising to "honest injun" just fix everything then exit?

That's not to mention like several people have stated earlier, the level of complexity involved. Too many variables in individual users setup, different versions of software, etc. Conceivably a specific vendor who releases a specific product could send out something to periodically scan registered customers, but we already have a system that works. Email alerts and semi-clueful admins actually keeping up with patches.

Basically, I would never trust anything I cannot verify the source from (i.e. md5 sums, pgp signing, compiling from source code). That's just asking for trouble. It would be amusing, however, for someone to edit a released 'helpful' worm and cause it to do normal malicious stuff. No, this is just a new twist on an old problem, regardless of if it does any damage or not.

You better pray to God there's some Thorazine in that bag, otherwise you're in bad fucking trouble.

Agh (1.62 / 8) (#14)
by DeadBaby on Thu May 17, 2001 at 09:47:59 AM EST

A worm that infects systems and tries to 'fix' problems may be a Bad Thing, and could very well fuel M$ FUD against free/open software

Grow up.

"Our planet is a lonely speck in the great enveloping cosmic dark. In our obscurity -- in all this vastness -- there is no hint that help will come from elsewhere to save us from ourselves. It is up to us." - Carl Sagan
Understatement of the year (4.42 / 7) (#15)
by Anonymous 242 on Thu May 17, 2001 at 09:52:45 AM EST

This worm, although done in good faith, seems a tad invasive.
This is the cardinal problem of any white hat hacking, whether done programmatically through a worm or script or the old fashioned way. The owner of the compromised box has no guarantee that all the hacking has been done in a friendly manner. For most sysadmins, knowledge that someone or something broke into the system means wiping the disk and restoring from backup or at least byte for byte comparing executables to read only copies.

Unless a system of trust is in place, white hat worms have to be considered just as dangerous as the normal run of the mill worm.

Not to mention, more sophisticated white hat worms and the like would only encourage people to be more lax about security. Encouraging bad behavior is a bad idea. Personally, I think the press is doing a fabulous job in the way the current crop of worms is being reported. The articles I've read have always stated that these worms (to date) have only been affecting boxes without the latest security updates. This message needs to be sent out time and time again with dollar amounts attached to the time and damage suffered by people hit by these things. People and corporations have got to learn to realize that security doesn't happen by mistake.

Lastly, consider bandwidth. By nature, worms hog up bandwidth. A successful worm (even if it is a white hat) has the potential to bring a network to its knees. Consider the most recent variants of Outlook worms. Most of the damage inflicted has been to bringing down mail servers and clogging networks. It only takes one little mistake (as in the Morris Internet worm) in logic to change what would be a relatively mild-mannered worm into something rather devastating.

Worms of any kind... (4.00 / 5) (#16)
by jd on Thu May 17, 2001 at 10:36:28 AM EST

...are a "Bad Idea(tm)". "Patch worms" are not -that- much better. (You only have to count the number of broken patches MS has released, over time, to see the chaos that such an animal could cause.)

IMHO, "internal vulnerability scanners", which operate by testing the logic of each piece of code, rather than checking against a static list of defects, would be much, much better.

eg: Scanner loads library A. It can grab the calls from the interface. It tries a mix of valid and invalid calls. Valid calls should produce valid answers. Invalid calls should -either- return error codes or crash, preferably the former.

The actual -values- don't need to be examined. All that's important is that the scanner detect a mis-handled case, memory leaks, or buffer overflows. Those three scenarios cover most of the security holes you're likely to get.

The logic would work like this: If A depends on nothing, and handles valid, invalid and extreme data correctly, =AND= does not address invalid areas of memory, =AND= does not leave areas of memory allocated, then A can be regarded as OK.

If B depends on A, and A is !OK, then B cannot be tested, is potentially insecure, and should be marked !OK. Otherwise, repeat the test done for A, on B.

Repeat for all libraries, mapping all OK and !OK code. Applications are harder, because it's much more difficult to produce "valid-ish" command-line parameters. However, applications dependent on one or more !OK libraries can still be marked as !OK.

Now, THIS would be useful. Furthermore, if RHN, or some similar tool, offered such a scan as an option, and relayed the results to the distribution HQ, then -REAL- fixes could be produced, tested and offered.
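The OK / !OK marking described in the comment above, as an added example that is not part of the original comment or of any existing scanner: it orders libraries so that dependencies are judged first and propagates !OK upward. The `Probe` fields, the UNTESTED verdict for code with no probe, and all library names are assumptions made for the illustration; the probe results are constructed sample data.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter


@dataclass(frozen=True)
class Probe:
    """Result of exercising one library's interface (hypothetical fields)."""
    valid_calls_ok: bool = True      # valid calls produced valid answers
    invalid_calls_ok: bool = True    # invalid/extreme calls returned an error
    bad_memory_access: bool = False  # addressed invalid areas of memory
    leaked_memory: bool = False      # left areas of memory allocated

    def failures(self):
        checks = [
            (not self.valid_calls_ok, "valid call gave a wrong answer"),
            (not self.invalid_calls_ok, "invalid call not rejected"),
            (self.bad_memory_access, "addressed invalid memory"),
            (self.leaked_memory, "left memory allocated"),
        ]
        return [msg for failed, msg in checks if failed]


def classify(deps, probes):
    """Return {name: (verdict, reason)} for every library and application.

    deps   maps a name to the set of names it depends on.
    probes maps a library name to its Probe; applications have none.
    A dependency cycle raises graphlib.CycleError (a ValueError), because
    no member of the cycle can be judged before the others.
    """
    graph = {name: set(needs) for name, needs in deps.items()}
    for needed in [n for needs in deps.values() for n in needs]:
        graph.setdefault(needed, set())   # leaf libraries listed only as deps

    verdicts = {}
    # static_order() yields every dependency before the code that needs it.
    for name in TopologicalSorter(graph).static_order():
        bad = sorted(d for d in graph[name] if verdicts[d][0] == "!OK")
        unknown = sorted(d for d in graph[name] if verdicts[d][0] == "UNTESTED")
        probe = probes.get(name)
        if bad:
            # Built on a broken base: cannot be tested, so mark it !OK.
            verdicts[name] = ("!OK", "depends on !OK: " + ", ".join(bad))
        elif probe is not None and probe.failures():
            verdicts[name] = ("!OK", "; ".join(probe.failures()))
        elif probe is None:
            verdicts[name] = ("UNTESTED", "no probe available")
        elif unknown:
            verdicts[name] = ("UNTESTED", "depends on untested: " + ", ".join(unknown))
        else:
            verdicts[name] = ("OK", "")
    return verdicts


# Constructed sample: four libraries and two applications.
DEPS = {
    "libalpha": set(),
    "libbeta": {"libalpha"},
    "libgamma": {"libbeta"},
    "libdelta": {"libalpha"},
    "app_mail": {"libgamma", "libdelta"},
    "app_clock": {"libdelta"},
}
PROBES = {
    "libalpha": Probe(),
    "libbeta": Probe(leaked_memory=True),
    "libgamma": Probe(),   # clean on its own, but built on libbeta
    "libdelta": Probe(),
}

if __name__ == "__main__":
    for name, (verdict, reason) in sorted(classify(DEPS, PROBES).items()):
        print(f"{name:10} {verdict:9} {reason}")
```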

Opt-In (4.25 / 4) (#17)
by slambo on Thu May 17, 2001 at 10:46:56 AM EST

I think the only way an automatic update service would be accepted by the community at large would be one of opting in. You present a good idea at trying to find an opt-in for worms, but I think the bandwidth issues need to be addressed.

The only automatic method that I can see as viable among the security community is a subscription based distribution. The sysadmins would sign up for automatic patching with a service provider and sit back to let the SSP (Security Service Provider) do its thing.
--
Sean Lamb
"A day without laughter is a day wasted." -- Groucho Marx
Please, no (4.00 / 5) (#19)
by trhurler on Thu May 17, 2001 at 11:00:20 AM EST

If it wasn't opt-in, then it would be illegal in many places, and if it was opt-in, then just think of the authentication problems... this would be a whole new way to screw people over, and it wouldn't solve the primary problem. Most even halfass admins know they need to patch, but they don't have time - this won't help. In addition, bugs in the worms could well be worse than the holes they found. All around, not good, and if I found you running one against my network, you would not long have to doubt whether I was displeased.

--
And when you consider that Siggy is second only to trhurler as far as posters whose name at the top of a comment fill me with foreboding, that's sayin
Open source (3.00 / 4) (#21)
by ucblockhead on Thu May 17, 2001 at 12:14:29 PM EST

If this is an open source program, it would be trivial to take the code for it and remove the code that "...would retreat and respect the sysadmin's decision not to let worms on his system".

It would also be trivial for a black-hat worm to modify the system to add whatever files were used to do the above, rendering the white-hat worm useless.

So I'd say that this is a horrendous idea in that it a) won't work and b) will make it easier to write black-hat worms.
-----------------------
This is k5. We're all tools - duxup

Black hat worm (4.00 / 1) (#28)
by conraduno on Thu May 17, 2001 at 01:51:55 PM EST

However, while this would make it easy to hack a good worm into a bad worm, if someone was going to make a black hat worm for, say, the latest wu vulnerability, they easily could regardless. Sure now it would be easier, the worm code is already written, but if someone really wanted to put a worm like that in the wild, then they would. The hope about a white hat worm is that it would be released well before a black hat worm, so it would be able to fix as many hosts as possible before someone let a black worm loose. This is not unrealistic... generally someone who finds a hole gives a number of days/weeks for the company to fix the hole before reporting it on bugtraq or wherever, and during this time before the worm is made public they could release the white hat worm. By the time people realize what has happened, they are already patched.

But is this a good thing? I'm not sure. It seems like a good idea to me, but I'm not sure how comfortable I feel with worms poking around my system without my knowledge.
non.
[ Parent ]
Privacy (3.50 / 2) (#29)
by conraduno on Thu May 17, 2001 at 01:57:51 PM EST

heh replying to myself...

Actually I think I just realized why I wouldn't like this. Security wise I think this could be a good idea, but in terms of privacy it absolutely would not. If a somewhat unscrupulous company released a worm that, after patching your system, reported back to them what software you were running, how many users you had, etc... I've seen too many companies abuse "customer information" to trust them with that. Allowing companies free roam of your networks with worms is a slippery slope.
non.
[ Parent ]
yeah, agree (3.00 / 1) (#41)
by nhems on Fri May 18, 2001 at 03:17:08 AM EST

A 'white hat worm' would probably be written in response to a known flaw in a program, or in response to a worm already out there infecting systems. The emphasis is not on the worm fixing your system, but notifying the sysadmin that there is a hole. Surely a 'good' worm finding a hole in your defence, and telling you about it, is better than a black worm finding you, formatting your HD and moving on.
nic_h
[ Parent ]
Worms Don't Wear White Hats (3.20 / 5) (#22)
by greycat on Thu May 17, 2001 at 12:21:48 PM EST

Any systems which allow white hat worms to 'infiltrate' could have a /var/backdoors log file to which the worm writes to inform sysadmins that a backdoor has been detected.

We already have that: the postmaster alias. Failing that, you can email root.

What would make this proposed piece of software a "worm"? A "worm" that doesn't propagate itself to new hosts isn't a worm, and if all your proposed software does is write to a log file on the target system, I don't see how it would propagate itself.

Even if this "Cheese Worm" is benign (which may or may not be the case), it's not a good idea to send these programs out. A person with malicious intent will modify it to do Bad Things(tm) -- and if the "good worm" can get in, then so can the "bad worm". And how do you tell which worms are the bad ones? Would you ask them? Insert Wizard of Oz quote here....



+1 Section.... (3.33 / 3) (#31)
by minusp on Thu May 17, 2001 at 03:04:38 PM EST

This does need to be discussed, even if the discussion is to roundly SHOUT IT DOWN!

So...

NO! NO! NO! NEVER!
Anybody caught trying to "fix" my machines "for my own good" will find themselves on the receiving end of a dedicated ping-server! They will have every mail account they know about signed up for every pr0n-a-day scam on the net! I'll... I'll... oh, I need to go lie down.

Remember, regime change begins at home.
i _dont_ mean these worms should fix your system (3.00 / 1) (#39)
by nhems on Fri May 18, 2001 at 03:02:53 AM EST

I don't propose these worms 'fix' your system. Merely write a log file on your computer through a small, robust daemon (or through a port, as Sapien points out in his comment). Read Sapien's comment, as this was what I _meant_. Obviously my communication skills _suck_, as nobody seems to get my point.
nic_h
[ Parent ]
Yeah, but... (3.00 / 1) (#43)
by minusp on Fri May 18, 2001 at 08:39:33 AM EST

I do get your point, now, and perhaps mine was less than clear... If I don't ASK to be portscanned, or otherwise vulnerability tested, BEFORE (and immediately before) it happens, ie., if I don't know and expect it to be happening NOW, such action _will_ be considered hostile, and responded to appropriately. Minor traceable stuff shall be subject to the above mentioned penalties (particularly the pr0n-a-day thingie, LOL), really serious attempts shall result in the offender being signed up for MSN for two years...

OTOH, if there was some sort of opt-in to a trusted community sort of arrangement... maybe. Not sure I'd like to leave a port hanging open just for receiving vulnerability messages - "Hey, you got a port open at ****, where we just posted this message" kind of thing.

Remember, regime change begins at home.
[ Parent ]
cool stuff (3.40 / 5) (#33)
by Seumas on Thu May 17, 2001 at 04:27:48 PM EST

This is certainly nothing new (not even remotely), but it's still a very cool concept. I'd be ticked off if I were the 'victim' (be it as a personal user or a system admin or whatever capacity one might be in) of it, but it's worth discussion -- as long as nobody gets the dumb idea to go around deploying it. The last thing you need is some misguided do-gooder distributing a worm that knocks out a virus but fouls up your OS (especially if you're distributing the antidote across a Windows system which, of course, would really be the prime environment for this anyway).
--
I just read K5 for the articles.
Save me! (4.14 / 7) (#35)
by Tatarigami on Thu May 17, 2001 at 05:43:45 PM EST

As a tech support agent, the idea of white hat worms fills me with fear.

I can easily imagine a black hat worm popping up later on and telling one of my sweet, innocent users "Hi, I'm a worm! But don't worry -- I'm the good worm you've read about on CNN.com."

"Oh," says my user. "That's nice. I guess I don't have to run a virus scan or phone the helpdesk, then."

:o(
Never underestimate a user's ability to passionately believe in whatever will require the least amount of effort on his part.


ouch! (none / 0) (#48)
by khallow on Fri May 18, 2001 at 09:04:08 PM EST

"Oh," says my user. "That's nice. I guess I don't have to run a virus scan or phone the helpdesk, then."

I hadn't thought of that little angle. That'll be a real mess.

Never underestimate a user's ability to passionately believe in whatever will require the least amount of effort on his part.

I believe this should be included in that vast body of "law" (Murphy's Law, Finagle's Factor, etc).


Stating the obvious since 1969.
[ Parent ]

Another arrow in the quiver. (4.20 / 5) (#36)
by misterluke on Thu May 17, 2001 at 08:09:31 PM EST

Anyone considering writing a white hat worm should start, first off, by sending out a standard virus alert to anyone who cares. There is already an infrastructure built up to ensure this information gets out to anyone competent and conscientious enough to find it, which should really be anyone who gets money to look after a system with internet access. Writing a white hat worm will not help those people to any measurable degree. It will, however, help those who are borderline competent or borderline conscientious ( and I must honestly include myself in that last group ) find out about the latest security hole without finding out all the damage that's possible in the worst possible way.

Basically, I like the idea, but I think it'd best be used in conjunction with standard virus reporting practices to pick up any stragglers the worm comes across. Lots of people don't upgrade virus software until after they've been hit, and a benevolent kick in the ass might not be such a bad thing for them. Whether anyone capable of writing an effective white hat worm will take pity on said stragglers enough to just warn them and not wipe out their 10 gigs of hard fought pr0n and email while they're at is another question, though.

How about... (4.20 / 5) (#37)
by Sapien on Thu May 17, 2001 at 09:12:56 PM EST

... rather than using a worm for the actual patch, the worm is merely a way of spreading the advisory for a particular vulnerability.

A fearful sysadmin could choose to close the port on which the worm enters, however others could choose to have a client running on that port. The client would receive the advisory, log it, connect to the certified URL contained in the advisory, and download and install the patch. This could be done very easily using authentication, thereby preventing any black hat from creating a fake "advisory".

The worm would only propagate from computers which have the port open, and of those only the ones that needed the patch. As fewer and fewer unpatched computers are found the worm will naturally become extinct.

Just an idea...
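The receiving client proposed in the comment above, as an added example that is not part of the original comment: it authenticates an advisory, checks that the patch URL is on an allow-list, and returns a log line only when the installed version is affected; it never downloads or runs anything. Assumptions: the JSON advisory format, the host `security.example.org`, the package name and key are all constructed, and an HMAC with a shared key stands in for a vendor's public-key signature so the block runs with the standard library alone.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

MAX_ADVISORY_BYTES = 4096                   # assumption: advisories are small
TRUSTED_HOSTS = {"security.example.org"}    # hypothetical "certified" patch host


def parse_version(text):
    """'2.6.1' -> (2, 6, 1); anything else raises ValueError."""
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("bad version: %r" % text)
    return tuple(int(p) for p in parts)


def clean(text, limit=200):
    """Replace control characters so a field cannot forge extra log lines."""
    return "".join(c if c.isprintable() else "?" for c in text)[:limit]


def tag_for(raw, key):
    """Authentication tag for an advisory (stand-in for a real signature)."""
    return hmac.new(key, raw, hashlib.sha256).digest()


def handle_advisory(raw, tag, installed, key):
    """Return ('logged', line), ('ignored', why) or ('rejected', why).

    raw is the advisory as received (bytes), tag its authentication tag,
    installed maps local package names to version strings.
    """
    if len(raw) > MAX_ADVISORY_BYTES:
        return ("rejected", "too large")
    # Authenticate before parsing: unauthenticated bytes never reach json.
    if not hmac.compare_digest(tag_for(raw, key), tag):
        return ("rejected", "bad authentication tag")
    try:
        adv = json.loads(raw)
        fields = {k: adv[k] for k in ("id", "package", "fixed_in", "url")}
        if not all(isinstance(v, str) for v in fields.values()):
            raise ValueError("non-string field")
        fixed = parse_version(fields["fixed_in"])
        url = urlsplit(fields["url"])
    except (ValueError, KeyError, TypeError, RecursionError):
        return ("rejected", "malformed advisory")
    if url.scheme != "https" or url.hostname not in TRUSTED_HOSTS:
        return ("rejected", "untrusted patch URL")
    have = installed.get(fields["package"])
    if have is None or parse_version(have) >= fixed:
        return ("ignored", "not affected")
    # The caller appends this line to its log (the post's /var/backdoors).
    line = "advisory %s: %s %s is older than %s, fix at %s" % (
        clean(fields["id"]), clean(fields["package"]), clean(have),
        clean(fields["fixed_in"]), clean(fields["url"]))
    return ("logged", line)


# Constructed sample data.
KEY = b"constructed-demo-key"
INSTALLED = {"exampled": "2.6.0"}
SAMPLE = json.dumps({
    "id": "EXAMPLE-2001-0001",
    "package": "exampled",
    "fixed_in": "2.6.1",
    "url": "https://security.example.org/exampled-2.6.1",
}).encode()

if __name__ == "__main__":
    print(handle_advisory(SAMPLE, tag_for(SAMPLE, KEY), INSTALLED, KEY))
    forged = SAMPLE.replace(b"security.example.org", b"patches.example.net")
    print(handle_advisory(forged, tag_for(SAMPLE, KEY), INSTALLED, KEY))
```

Anyone who holds the key can produce an advisory this client accepts, so the scheme is only as strong as the protection of that key.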


this is _exactly_ what i mean to say (3.00 / 1) (#38)
by nhems on Fri May 18, 2001 at 02:51:26 AM EST

This little comment sums up the crux of my article. Maybe my writing is a little ambiguous, everyone seems to have the wrong idea of what I'm suggesting. You've summed it up exactly (what I was thinking of, anyway).
nic_h
[ Parent ]
But can you trust it? (none / 0) (#51)
by brion on Sat May 19, 2001 at 12:05:45 AM EST

This sounds great, but... What happens if we get a black hat worm masquerading as a white hat worm? Pops in, drops a message in /var/log/backdoor, and while it's there installs another backdoor!

If it's warning about a legitimate existing known vulnerability (perhaps imitating the behavior of a genuine white hat worm mentioned in the official advisory), then the poor sysadmin might not suspect there's been another compromise, because the worm is believed to be trustable. Patching the warned hole leaves the secret backdoor open, so any response less than complete system reinstallation leaves you open to danger.

In the real world, people sometimes get robbed by criminals masquerading as police (or, for that matter, actual corrupt police). If you get into the habit of letting anyone who wears a uniform and flashes a badge root through your home, don't be surprised if sooner or later some of them turn out to be less than professional and help themselves to your possessions.



Chu vi parolas Vikipedion?
[ Parent ]
An older, better version of a WH Worm. (3.75 / 4) (#40)
by Apuleius on Fri May 18, 2001 at 03:03:26 AM EST

It's called an email. You fill it with details of a security problem, and then you send it off to lists like Bugtraq and Bugtraq::whateversoftware. The mailing list servers then multiply it by thousands and spread it to interested people.

Best of all, this kind of worm is more difficult to use for stealth blackhat actions. (Pardon my choleric tone today, please.)




There is a time and a place for everything, and it's called college. (The South Park chef)
Sigh. (4.33 / 6) (#42)
by Inoshiro on Fri May 18, 2001 at 04:33:08 AM EST

Any sysadmin worth their salt will not have a system which can be broken into so easily. At the very least, they will patch the vulnerabilities before the worms get a chance to be modified for them. Plus, the same sysadmins would not tolerate outside control of mission critical systems. These aren't PKI signed updates pushed by your OS vendor (although, as Verisign has shown, the PKI people are easy to dupe anyways) -- these are uncontrolled patches and code put in place by unknown agents for an unknown cause.

The only people who will be affected are the same amateurs who can't be bothered to patch their insecure daemons, or audit their systems in the first place. It'll be just like the VBS viruses I see floating around which map shares and copy themselves around (I still fail to see why so few ISPs block these insecure services that a home/residential user should not be using).



--
[ イノシロ ]
That's a great way to land in jail. (3.75 / 4) (#44)
by marlowe on Fri May 18, 2001 at 12:32:44 PM EST

Never try to help folks who don't want to be helped, unless you're damn sure you won't get caught.

-- The Americans are the Jews of the 21st century. Only we won't go as quietly to the gas chambers. --
Let's say it was a biological "good" vir (3.50 / 2) (#45)
by Jman1 on Fri May 18, 2001 at 02:55:05 PM EST

Say a scientist invented a virus that could invade your body and, if you are vulnerable to say, this year's strain of the flu, get your body to generate the proper response so that you are immune to it. Sure, it sounds like a good idea and we might actually need something like that if we are ever faced with a terrible outbreak of a virus (say, I don't know, HIV) but wouldn't you be really nervous about having it released?

It exists... (none / 0) (#52)
by locke baron on Sat May 19, 2001 at 03:36:44 AM EST

Geneticists use viruses to insert genetic material, for example to create disease-resistant plants. So, this kind of thing already exists (in labs, anyway).
Micro$oft uses Quake clannies to wage war on Iraq! - explodingheadboy
[ Parent ]
White Hat Worms? No such thing. (2.50 / 2) (#46)
by Ruidh on Fri May 18, 2001 at 03:01:44 PM EST

No one should be sending code out into the wild to make changes to my system. Period. It's irresponsible and we shouldn't get used to seeing it happen.

I just hope that any such "White Hat" is sufficiently secure in the rightness of his cause that he puts his name right into the code. That way I know exactly who to sue.


"Laissez-faire is a French term commonly interpreted by Conservatives to mean 'lazy fairy,' which is the belief that if governments are lazy enough, the Good Fairy will come down from heaven and do all their work for them."
fun (3.50 / 2) (#47)
by anonymous cowerd on Fri May 18, 2001 at 08:48:21 PM EST

I think it's great. I want to see this; y'all get to work! Conscience-bound people who are smart enough to write stuff like this would undoubtedly enjoy - and dammit, that's what life is all about, enjoyment - the over-my-head challenge and pleasure of composing these nifty wormies, sans those tedious inward recriminations from their super-egos, and transcending the boredom of that worn-out same-old thrill-o-transgression that motivates your ordinary destructive virus hack. And think of the altschul virus-hackers; wouldn't this new challenge revivify their classic but bored field of endeavor? A win-win situation! (I was once made to sit through a Dale Carnegie course.)

You could stage super-hero vs. super-villain battles! watched netwide, in real time, by millions! just like that arena scene at the end of the paper book Snow Crash... After they triumph, your whitehat virii could write a log file named silver.bullet, or better yet a big capital Z (like Zorro, see) in /etc, meaning, "I was here, to save the day! gallop, gallop, gallop..." Think too of the somber and portentous drama of those truncated, aborted log files, when the overpowered, overrun whitehat fails, falls in combat...

Hell, it can be done, so that means it's going to be done, so we might as well enjoy it. As fragile as all our stuff is, it's a good thing really that malicious vandalism isn't more popular as a hobby; the way things are and the way people seem to feel, you'd think everybody'd be doing it.

Yours WDK - WKiernan@concentric.net

stint grits
darts file
gratis ways to fit tins
dapper angle
ill apple
-Barbara Baracks

"feral" AI (3.00 / 1) (#49)
by khallow on Fri May 18, 2001 at 09:11:52 PM EST

This is a significant step towards "feral" AI's (a la Dan Simmons' "Hyperion" novels - see below), IMHO. As others have noted, a virus or worm that is useful (or appears to be useful) to a user is much more likely to survive. With a large supply of these things and some sort of evolution capability, I think we'll eventually see true intelligence since that would be a significant advantage in such a program.

Some may have read the "Hyperion" novels by Dan Simmons (sci fi). Several of the important characters are AI's that evolved from old 20th century viruses and worms.

For those who may recall this post (or something similar) from the other site, I can recycle my posts if I want to. :-)


Stating the obvious since 1969.

The Morris Worm (4.00 / 2) (#50)
by Solipsist on Fri May 18, 2001 at 09:27:40 PM EST

The very first worm was a white hat worm (sort of). Morris found a stack overflow in the finger server and wrote a worm to exploit it. The worm was not meant to do anything malicious, just demonstrate the problem, but it was not written quite right and ended up overloading some systems, taking them down. So while this might be a good idea in theory, bugs in these white hat worms could end up doing damage to people who never asked for it.

Good intentions, but some people don't give a rat's ass about intentions.

White Hat Worm vs. Distributed 'push' technologies (4.00 / 1) (#53)
by hillct on Sat May 19, 2001 at 11:20:09 AM EST

So, how is this different than a distributed push technology?

We've seen server push technologies come and go, a couple years back. I think the only major player that remains is BackWeb and they've re-focused on the enterprise.

We've seen P2P technologies like Gnutella and others take off in recent months, spurred on by the woes of Napster.

This is the next logical evolutionary step. Decentralized, replicated P2P services (perhaps via subscription). Users can subscribe to a proactive antivirus service, which attempts to gain access to subscribers' computers. Upon gaining access, a log is written and a fix is delivered. There are two issues with this strategy. First, if there ever was a problem with any of the worms used, which caused unforeseen damage to a system, the company offering the service would lose all credibility. Second, market forces would pressure such companies to actually create security holes for which the fix can then be offered, in order that the service can appear valuable to consumers, by reporting that "We have fixed A, B, and C today" in daily emails to the user, or through some other mechanism. The way the latter problem can be solved is by providing the service only as a subscription where, regardless of how many fixes are applied, the fee paid is the same.

Realistically though, AntiVirus services would be the only ones that would really resemble the work model we've seen of late. Other services would probably make use of a client much as BackWeb does. The difference might be that users can create their own content channels to be shared with other users, much as the RDF format allows content syndication. Furthermore, the service might use an intelligent caching system reminiscent of FreeNet, or perhaps Akamai, where content can be cached redundantly in order to preserve service in the case of outages, and increase performance in retrieval. The difference between this and FreeNet is that the content would remain under the control of the creator, where they have the ability to update and/or remove the material (which would occur over one or two replication cycles).

Eventually, these technologies will merge. I have no idea what the result might look like but the above are just a few of the possibilities.



--Got Lists? | Top 31 Signs Your Spouse Is A Spy
mu (none / 0) (#54)
by kmself on Sat May 19, 2001 at 06:14:00 PM EST

Unask the question.

The point isn't that there are white hat and black hat worms, it's that slacking admins are leaving the door open to whoever cares to come knocking.

I'm inclined to think that white-hat worms are a good thing, though I wouldn't want them on my own system. So I keep up with security updates to see that this doesn't happen. I don't particularly care what they do for the systems they target so much as I like the fact that they're closing holes on the Net that cause problems I do have to deal with -- spam, distributed attacks, proxy platforms for same.

If you don't clean up your own mess, you're either going to have someone exploit the fact or clean it up for you. Either way you've little choice.

--
Karsten M. Self
SCO -- backgrounder on Caldera/SCO vs IBM
Support the EFF!!
There is no K5 cabal.

Doomed (2.00 / 1) (#55)
by grahamsz on Sun May 20, 2001 at 07:44:49 AM EST

If the worm operates without an opt-in system then I'd not be impressed. I would consider anything that makes changes to my configuration black-hat. Whether its intentions are good, I've seen enough applications writing files to the wrong places to believe that a worm could do any better.

The only people this might benefit are those who get a cable modem, an old 486, install redhat and mandrake, the 3 line ip masquerade guide and leave their box untouched.

If it were opt in then it would also fail. If you had to make a conscious effort to opt-in then the only people that would sign up are those who believe they have rock solid security. And for anyone that's up to date with Bugtraq this is pointless.
--
Sell your digital photos - I've made enough to buy a taco today
I can't see any way to do this (4.00 / 2) (#56)
by itsbruce on Sun May 20, 2001 at 08:11:01 AM EST

That wouldn't be easily exploitable by Black Hats. Simple as that.


--I unfortunately do not know how to turn cheese into gold.

Doing it the legal way... (4.00 / 1) (#57)
by Imran on Sun May 20, 2001 at 05:23:29 PM EST

Legal issues shouldn't get in the way of a good idea. White hat worms won't work for open source software, but proprietary software is an entirely different matter: the software company could alter their licence to allow the company to alter the software while it is on your hardware.

Imagine the situation, a major security hole is found in your software, once it becomes public thousands if not millions of your customers will have their servers attacked, defaced or rooted. Within hours of you announcing your fix crackers are exploiting the holes in machines yet unpatched. You've ended up in a situation which isn't good for you or your customers.

The solution is easy, launch a worm which patches the hole and then relaunches to find other local vulnerable machines. The worm will spread at an exponential rate, you'll automatically deal with every machine which is registered with you as running your software. Six hours later you make a public fix available, once the crackers have reversed the fix and developed an exploit it's too late, virtually every machine with the hole would be fixed.



TickleTux Hangman 0.3.0 (For Windows and Linux) http://tickletux.sourceforge.net/
Too risky..... (none / 0) (#61)
by Trickster on Mon May 21, 2001 at 08:46:13 PM EST

I think giving software vendors (open source or closed source does not matter) the right to modify their software while it's on your hardware is a very bad idea. They can then quietly change a feature you use just because they did not like the previous implementation/there was a problem with it and screw up your whole infrastructure.

For example, you have servers from one vendor and workstations from another with completely different OSes (let's say, MS on the servers and *nix on the workstations). The workstations authenticate users on the servers and everything works beautifully. Then one Saturday morning MS releases a patch which breaks the authentication procedure and quietly "fixes" your servers. Add to this a thousand or two users....

In general, I think white hat worms are a not-bad idea only if they check for a problem and, if they find something, report to the admin.

[ Parent ]
People don't have a choice (none / 0) (#63)
by Imran on Wed May 23, 2001 at 06:05:18 PM EST

If Microsoft included it in their licence then I doubt they would lose many customers. Especially when compared to the number of customers they lose due to website defacement and admin level server exploits.
TickleTux Hangman 0.3.0 (For Windows and Linux) http://tickletux.sourceforge.net/
[ Parent ]
Harm minimisation is what it's all about (4.00 / 1) (#58)
by ereiamjh on Sun May 20, 2001 at 10:16:25 PM EST

All worms are bad, but some are less bad than others. So, if you can't stop the behaviour, then encourage the less bad form of the behaviour.

Accepting that one day a worm/virus may find an exploit in to your box, why not give the writers a less harmful way to express themselves once they've got root? Have a directory named '/var/IWasHere/' or '/var/TheSysadminOnThisBoxIsIncompetentSeeInsideForDetails/' and hope it never gets a file in it.

Like many others... (3.00 / 1) (#59)
by PhoenixSEC on Mon May 21, 2001 at 09:51:24 AM EST

I don't particularly like the idea of 'fixes' being applied to my machines automatically.

I also don't like the idea of people trying to root my system just to let me know it's possible.

<point>
I've signed up for some security news alerts (e.g., http://www.sans.org/sansnews (no affiliation)).
</point>

I'm assuming most (if not some) people who would be reading this article have heard of the site; a harmless, opt-in way of distributing news of holes to sysadmins (or end-users, if they're so inclined).

I believe they even have an address to send in warnings.

Thanks...

Is a cracker that helps any better than ... (3.66 / 3) (#60)
by sabaka00 on Mon May 21, 2001 at 07:24:43 PM EST

Is a cracker that helps any better than a cracker that hurts?

This is exactly the question many security personnel are asking themselves with the new Cheese worm. The Cheese worm basically patches up the backdoor that the 1i0n worm created and then looks for more 1i0n worm cracked machines. Even though it does close the backdoor, it is generally thought that once a system is cracked, it cannot be resecured in any other way than wiping the disks and starting over.

Assuming that the worm is written well enough that it always does exactly what it is supposed to do, I feel a patcher worm is a good thing for the Internet.

The systems that the Cheese worm is breaking into are already wide open due to the 1i0n worm. After finding an open system, a cracker could use it to mask their identity during further attacks, but after the Cheese worm has patched a system, it becomes significantly harder for a cracker to use a 1i0n worm infected system for attacking other computers.

Since it is impossible for the cracked systems to be resecured until the system's disks are wiped and everything reinstalled, the administrators of 1i0n infected systems have nothing to lose from the Cheese worm patching their system. Furthermore, bandwidth usage of the scans by the Cheese worm is similar to the amount used by 1i0n worm scans. The Cheese worm simply increases the security on the systems it invades.

Considering it has been 3 months since the 1i0n worm was released, it is fair to assume that systems still infected by the 1i0n worm have administrators that do not plan to fix the systems in the near future.

While it is illegal to access another computer without authorization (IANAL), the Cheese worm does help the internet as a whole become a better place by limiting the number of open systems for less experienced crackers to use for attacks. Still, the Cheese worm sets a dangerous precedent if widely accepted as a positive contribution to the field of security because that sounds like the security community is saying it is okay for a cracker to take over a person's computer as long as the cracker's heart is in the right place.

In case you are wondering, this is a write up I had planned to put on either kuro5hin.org or one of the Linux security sites, but after seeing this article, I decided to just put my write up here.



White Hat worms - could they be used to speed up (exponentially!) distribution of security info? | 63 comments (50 topical, 13 editorial, 0 hidden)