August 17th, 2005
Are worms actually good for security?
You’ve probably heard by now that the Zotob worm is rampaging through business and organizations with computers running the Windows 2000 operating system, but could this actually be good for security? The way that I see it, any computer worm that doesn’t actually delete or steal any data is the cyber equivalent of biological immunization.
Two years ago, a fast moving worm called Blaster rampaged through the Internet and forced every company in the world to take prompt action to harden their network and thoroughly patch all of their Windows systems. Since most people simply used Windows Update on all of their client and server systems, it actually had a much broader immunization effect. This immunization effect isn’t something that’s just theoretical, it actually resulted in a sharp drop in the number of confirmed hacker defacements on Zone-H shown in a report posted here. This report actually showed Windows servers being hacked significantly less than Linux servers, which seems to validate the theory that worms actually strengthen security like colds strengthen our immune systems.
While the Zotob worm can’t be considered a "vaccine" since it was created with malicious intent to wreak havoc, it is equivalent to getting a nasty case of chickenpox that temporarily knocks you out of commission but you recover from it immunized from all future attacks. The Zotob worm is effectively forcing IT departments to do a systematic and thorough patch on all vulnerable systems which is exactly how a biological system would react. Had there been a well-engineered "good" worm that was designed to eliminate side-effects such as rapid reboots and network flooding, this would have been the equivalent of a vaccine. Such a worm would be able to infect computers, install the patch, instruct the host to infect 10 more computers or wait for a timeout before deleting itself safely without all the nasty side-effects of the bad worm.
Every time I’ve mentioned the possibility of a good worm to my colleagues in the IT world, I usually got very negative feedback. Their typical reaction would be something like "well I’ll put up some firewall rules to block it from patching my systems because it might break some of my applications". Ironically, this was exactly the affect I was hoping for. If the threat of the good worm forced action that would result in the blockage of the good worm or more importantly the bad worm, would that be such a bad thing? If the good worm did get through because of inaction, the bad worm would have gotten through just as easily only with much more severe side-effects. Even more of a concern is the fact that hackers use these types of vulnerabilities to commit even worse crimes. Given the choice between the vaccine or chickenpox, which would you prefer?
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
