I doubt anybody seriously considers it
There's 3 basic setups:

1) You don't have a lot of machines. You don't *need* a worm to update 5 or 10
boxes, just walk to each and do it.

2) You have a lot of machines that aren't under your direct administrative control
(for example, an ISP or a university). You can't deploy a worm, because those
boxes aren't yours to screw around with - worming them could get you arrested
for hacking and/or end up liable for any damages caused if a machine glitches
during the patch.

3) You have a lot of machines under your control that you need to update.
You don't need a worm - there's plenty of tools like "Push an update via
an AD policy" and so on, and you should be using those.

On Fri, 13 May 2005 11:13:03 CDT, k k said:
(Yes, even the best of us hit 'send' too soon sometimes ;)
Oh? Who has lined up on the "it's a good idea" side of the room?

I suspect that "There is debate" means either:

1) The same sort of people who are still debating if the world is round or flat.

2) Ass-wipe academics who probably have never even *tried* to patch their
own systems, but feel qualified to talk about doing it to other people without
their prior informed consent. Given that most academics agree that "prior
informed consent" is a Good Thing, it will be a true ass-wipe (even for an academic)
who thinks doing it without consent is a wise idea.

3) Somebody thinks that somebody else saying "Yeah, it would be a good idea, except
this long list of reasons its's bad" indicates a debate.

Yes, there's quite likely overlap between the groups.

Adding self propagation features to any program is problematic at best.
A good example of what can happen is the Nachi worm (a.k.a., MSBlast.D
and Welchia), which probably caused more havoc inside corporate networks
than the original MSBlast (a.k.a. Blaster worm) because of its
over-aggressive attempts at propagation.

http://news.com.com/Worm+double+whammy+still+hitting+hard/2100-1002_3-5066875.html

All one has to do, in fact, is go back to the original incident where
the term "worm" was first used and you can see the danger. Two
researchers at Xerox PARC decided to use a worm to update experimental
Ethernet drivers and ended up disrupting the entire network and crashing
all their nodes. The research was done in the late 70s and the paper was
publish in 1982.

http://news.com.com/Year+of+the+Worm/2009-1001_3-254061.html

Another good example is the Trend Micro update snafu that caused clients
to suck up 100 percent of CPU time. While the individual nodes did not
infect others, cleanup involved many, many nodes, similar to cleaning up
after a worm.

A better approach is an automated scanning and patch system (this is
more akin to the Trend Micro--or for that matter, any antivirus
company--update situation) or a system that sends out exploits for
various holes and, if a system is rooted, updates that system. Then, if
something goes wrong, you only have one system to shut down and fix the
programs on, rather than cleaning your entire network.

HP has played around with an exploit-node-type network.

http://news.com.com/HP+aims+to+throttle+Net+threats/2100-7349_3-5163633.html

Infecting other machines with even a "beneficial" worm is illegal if you
are not the owner of the machine. Infecting a network that you have
ownership over with a "beneficial" worm is generally a bad thing,
because the network effects of self propagation are hard to gauge and
small errors can easily turn into big problems.

Just wait until we start playing around with programming genes of
organisms that self replicate.

http://www.securityfocus.com/news/11082

-R

Well, obviously it's been done. You mentioned two examples. Both of them
caused significant network disruption in and of themselves.
None. Not even on my own network and not even if I'd coded it to stay
within our /16. Too many things could go wrong.
Any worm/virus, regardless of intent, is still illegal -- and I don't
think I can get a DSL line in jail.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

No. It's lunacy. Worms spread through security holes. They are
by-definition uncontrolled. If you have known security holes on a system,
you should be fixing that, not relying on it for software updates.

The worms you are describing are well-intentioned mistakes. Modifying
somebody else's system without their permission is unethical, and if
they're your own systems, you should have way, way better techniques
in place for dealing with upgrades than that.
I would employ this technique if:

- I were off my medication and drinking my way through a quart of gin,
or
- I really, really wanted to lose my job.

No sysadmin their right mind would employ the technique you describe
if they wanted to stay in that line of work.
The fact that it naked, gibbering insanity.

First off, lets get something straight: Neither of your two examples was
in any way "benign". Both of these cost carriers and their customers
*billions* of dollars. Many of us spent weeks with little to no sleep
cleaning up the mess these "benign viruses" created.
I don't know where you've been looking, but the only place I've seen the
ethics of this "seriously debated" is in middle schools and the like.
There is no serious question that this is a hostile act, and cannot
logically be considered "ethical" under *any* conceivable circumstances.
You actually know admins that write viruses to do their patching? Sorry,
but I think you're full of shit. If you're not, then these "admins" need
to be immediately given a boot in the balls, followed by an unemployment
benefit. Why would an *administrator*, someone with FULL rights to the
machine, use such a device to place patches???
--
Yours,

J.A. Terranson
***@mfn.org
0xBD4A95BF

"What this country needs is a good old fashioned nuclear enema."


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

One so well-versed in the area of which you enquire and with such a
relevant academic record that you hide behind a Hotmailaddress?

Yeah, right...
There are no benign worms.

I'm not denying that it is not actually possible to design such, but
once you've put _all_ the safety checks and other requirements in place
to fulfill any vaguely sane and "widely acceptable" notion of benign
worm" you'll have designed something massively more complex and
convoluted than any existing patch management system.

If you don't think that's the case then you are not much of
_researcher_, "academic" or not. If you don't believe that, please
sensibly refute (in the true academic sense) a few of the arguments
against the possibility of "good viruses" in Vesselin Bontchev's papers
on the topic.
You know, I've heard them called an awful lot of things but the word or
notion of "benign" was never one of them...

Are you _sure_ you're an academic?

Oh wait -- of course you are! Some of the whacky, distant outfields of
abstract intelligentsia are the only places the notions of "good
viruses" and "benign worms" have ever been seriously considered
(apologies in advance to Fred, but I think deep down even he accepts
that at the level of real-world practicality, there can be no such
thing as a "good" virus).
You must really hang out in very limited circles. The only folk in
favour of such releases are miscreants with severely impaired ethical
development. Most of them still get kicks pulling wings off flies.
Why would any semi-intelligent sys-admin who, by definition has
administrative rights over what s/he is allowed control of and does not
have such rights over that which s/he does not have control of, bother
with something as haphazard and potentially dangerous should something
go wrong with it?

Much better that s/he use the arsenal of system administration, patch
management, change control, monitoring, policy enforcement and so on
tools than arse around with some exploit code that is largely untested
and try to glue all the cotrols and restrictions onto it to meet that
reasonable standard of benevolence alluded to above.

...

I see the originating IP in your message is a machine in the "mgmt"
domain at purdue.edu. Rather than tossing your odd-ball notions around
in the Management department, did you consider talking to serious
computer security researchers, such Spaf and his fellow academics and
their students over in CS? Have you even heard of CERIAS -- The Center
for Education and Research in Information Assurance and Security?

http://www.cerias.purdue.edu/

Or the COAST (Computer Operations, Audit, and Security Technology)
project?

http://www.cs.purdue.edu/

Do these Purdue academics share your views of "benign worms"? Might
their intellectual and academic achievements in their collective
decades of research in closely relevant areas more than slightly
outweigh your twenty minutes musing over a term paper topic?


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/