20 February 2008, 11:23

Worm or Windows update?

Back in mid-2003, there were worms that closed security holes when Nachi went after Lovsan, also known as MSBlaster. Nachi entered Windows systems through a security hole, removed the MSBlaster worm if it was on the system, and then installed the security patch to close the hole in the RPC service. It then attempted to spread itself to other systems.

Apparently, Microsoft thought the idea was so great that its researchers have subsequently been seriously investigating this approach. If downloads from Microsoft's central servers could be distributed in this way, a great load would be taken off the servers. In addition, Microsoft believes that security updates would be distributed even faster. In their investigations, the researchers based in Cambridge have particularly been interested in seeing how quickly vulnerable systems can be identified in a network. Microsoft says that these benevolent worms are more intelligent than conventional worms. To begin with, they randomly look for a computer that is not infected in a LAN and try to penetrate other systems from there. In the process, the worm attempts to find groups with related IP address space. If it fails, it then tries its luck in another address range. Microsoft's researchers plan to present their findings at the 27th Conference on Computer Communications in April in the US. Team member Milan Vojnovic has already presented some of them online.

But at least one person thinks Microsoft's idea is a dud: Bruce Schneier. He says there is no such thing as good and bad worms, which makes Microsoft's entire approach "terrible". After all, in both cases users are denied choice: even benevolent worms enter systems through security holes. But if users are able to uninstall worms, the entire propagation mechanism would no longer work. Schneier says he can only assume that this is an attempt to find a replacement for Microsoft's current, inefficient software distribution system.