Security news
Security news18 August 2005
Sophos comment: Why "good worms" are a bad idea
By Paul Ducklin, Head of Technology, Asia Pacific, SophosLabs
Some in the media have reacted to the recent Zotob worm outbreaks by reinventing the idea of "good worms". The discussion usually goes like this:
Young Lion: Hey, this virus X spreads really well. So let's use a similar virus to spread the patch against X and save the world!
Old Salt: Good idea. Then you can write a third virus to patch your second virus, and a fourth to patch your third, and that will keep you busy enough not to have any more stupid ideas for long enough to let me get on with some proper work.
YL: Oh, but *my* virus will be a good virus. It will spread lightly, infect gently, and act only from the highest motives.
OS: And it will, of course, request consent, and adapt itself to the exigencies of every admin's network, and work on all language versions of the operating system, and with all other security software, and in the presence of other viruses, and without ever misbehaving?
YL: Oh no! I mean, yes, it will work 100% fine, but of course it won't ask for permission. The idea is to save the world automatically. This is the 21st century, my ageing friend!
OS: So you will retain control of it at all times?
YL: Oh yes! I mean, no, of course not. The idea is to save the world automatically. This is the era of the iPod, old buddy, not the age of Aquarius.
OS: And how to you propose to test it?
YL: I've already tried it out on my own PC!
OS: Korean?
YL: What?
OS: Korean. You tested it on Korean versions. Two bytes per character, you know. Or sometimes three. Or four. And Hebrew. The system DLLs put all the buttons the other way around. And your logging naturally supports both common forms of Chinese script. And it works if you have a Vista prerelease. And it correctly recognises old Digital Alpha boxes. Sorry, Digital really was the age of Aquarius. I sort of lost track of time after Jimi Hendrix gave up live gigs.
YL: Alpha?
OS: Alpha. As in CPU, not as in male. No matter. Just put your name and phone number in your virus so people can call you if it goes wrong. As long as you give free support, they probably won't ask for the maximum sentence on the unauthorised access and unauthorised modification charges. Virus writers don't often get more than two years. You'll be out in 14 months if you do what you're told. Best cut off that daggy hairdo, though.
YL: Mate, you're losing me here.
OS: You're not wrong.
It is the control, the consent and the testing which just are not possible in a virus, and that is why good worms are a bad idea. Patching can be effectively and rapidly automated without the need to risk yet another virus to save the day.
Some have asked: "Given the choice between the vaccine or chickenpox, which would you prefer?". This is the wrong question.
The "good worm" proposed above is not a vaccine (which does not spread by itself), it is another piece of virulent code. So the question should ask: "Vaccine, or a genetically modified chickenpox which will spread to other people but shouldn't do any harm even though we had to put it together in something of a hurry, or real chickenpox -- which would you prefer?"
Go for the vaccine, and take it in your own time, with your own informed consent, under conditions which suit you just fine, from a registered healthcare professional.
About the author
Paul Ducklin joined Sophos from the South African Council for Scientific and Industrial Research in 1995.
He has held a variety of roles within Sophos, including heading up Sophos's global technical support operations, before becoming Head of Technology, Asia Pacific.
One of the world's leading virus experts, Paul has given papers and presentations at various industry events including Virus Bulletin, ICSA and AVAR conferences. He has also written several articles on the virus threat and is a respected industry spokesperson.
