Endpoint Protection

When Good Intentions Go Bad 

05-16-2007 03:00 AM

The use of self-propagating programs for legitimate purposes is one of those ideas that just refuses to die.

In 1978, researchers at Xerox Palo Alto Research Center (PARC) created worms that performed tasks that included system monitoring and wake-up calls. However, in one case, the Xerox PARC ‘good’ worms that were supposed to run on a small set of machines instead replicated uncontrollably across the network and started crashing machines. Fortunately, the Xerox PARC researchers had an independent termination mechanism in the worm that enabled them to kill all copies of the worm on the network. Unfortunately, they still had 100 dead machines.

Since then, others have proposed using ‘good’ worms for purposes such as compressing all files on a network, battling against ‘evil’ worms, patching vulnerabilities, and looking for ways around Internet censorship systems.

Unfortunately, people occasionally put these theories into practice.

Recently, we added detection for W32.Uisgon.A. The author of W32.Uisgon.A appears to have been a computer science student who wanted to collect samples of viruses that were being brought into his college by USB sticks.

So he wrote a program that copies suspected virus samples to a Windows share and a ‘good’ worm to propagate his program. The worm copies itself to network shares and USB sticks and runs the sample collector from a remote Windows share.

Eventually, he intended to terminate the worm by replacing the sample collector on the Windows share with a fixtool.

However, his design resulted in the worm infecting machines outside his university and well beyond his control. In particular, USB sticks weren't just plugged into computers within his university network, but into computers outside the university as well, causing his worm to spread uncontrollably. Once the worm began spreading outside the university, he had no way to terminate the copies, as he had no way of accessing them.

The end result is a ‘good’ worm that is infecting computer networks in the wild and is no better than the ‘bad’ worms it was supposed to catch.

The student has written a long apology about his mistake. Partially translated from Chinese, he wrote:
"I created it only to help teachers clean up viruses and perform research... I was unable to control its self-destruction, and it has brought trouble for many people and has not been a good influence, for this I am deeply ashamed of myself. I hope everybody can forgive my error!"

Unfortunately, his apology is too late, as the worm now has a life of its own. Debate has gone on for a number of years about 'good' worms, but Symantec considers that term to be an oxymoron. A worm is a worm, and by its nature of self-replication we consider it malicious. This student didn't need self-replication; if he had the authority to run his code on all those machines, he could have installed his file gathering program on each machine and achieved the desired result.

Instead, he just added one more worm into the world, the exact problem he was trying to solve.
