1	The Coming Age of Defensive Worms (The History of Good Worms) David J. Meltzer CTO, Intrusec
2	Preface This is a subset of a complete presentation entitled “The Coming Age of Defensive Worms”. This portion of the presentation deals only with the history of good worms. The complete presentation will be presented live (see the final slide for details) and made available online thereafter.
3	Why? “I don't know whether a good worm can be safe and effective, but this merits serious technical study.” - Martha Stansell-Gamm (May 26, 2003)¹ Chief, Computer Crime and Intellectual Property Section, U.S. Department of Justice
4	What Will You Learn? The history of good worms The problems with defensive worms How defensive worm problems are solved Possible evolutionary steps
5	The Question Will anyone in charge of a large network ever willingly launch a worm on their own network to protect it?
6	Worm Reality A new exploit just came out. You have 5,000 vulnerable systems. The worm is coming. What do you do?
7	The Worm Antidote It fixes all the systems on your network. It does it faster than the worm can spread. It only ‘infects’ your own systems. Do you run it?
8	Which Worm Do You Want?
9	What Will You Learn? The history of good worms The problems with defensive worms How defensive worm problems are solved Possible evolutionary steps
10	“Good Worms” A Worm, BUT… A “beneficial” payload BUT Still… Disruptive to networks Runs without permission Requires clean-up ILLEGAL
11	What Do “Good Worms” Do? Scan Listen Exploit Patch Disinfect
12	Timeline of “Good Worms”
13	Case Study: AntiADM^3,14 Released 5/98 Written by Max Vision ADMworm Response: Scans, Patches, Backdoors Scans for systems vulnerable to iquery named hole Exploits remote system Patches iquery hole (upgrades named) Installs a backdoor Installs itself on system
14	Case Study: Millenium² Discovered 8/15/99 Written by Mixter⁴ Multiple Linux Vulns: Scans, Patches, Backdoors Scans for systems vulnerable to 5 remote linux holes Exploits remote system Patches 5 linux vulns Installs a backdoor Sends notification to hotmail address of infection Installs itself on system
15	Case Study: Cheese⁵ Discovered 5/01 Unknown Author Lion Worm Response: Scans, Disinfects Scans for systems infected by Lion Installs itself using backdoor left by Lion Removes Lion backdoor from system
16	Case Study: Code Green⁶ Code Released 9/1/2001 Written by Der HexXer Code Red Response: Scans, Disinfects, Patches Scans for systems infected with CodeRed Exploits ISAPI vuln on infected systems Removes CodeRed from system Installs Q300972 Hotfix on system Installs itself on system
17	Case Study: CRClean⁷ Code Released 9/1/2001 Written by Markus Kem Code Red Response: Listens, Disinfects, Patches Listens for CodeRed to attack it Exploits ISAPI vuln on CodeRed attackers Removes CodeRed from system Patches ISAPI vuln on system Installs itself on system
18	Industry Thinking on “Good Worms” “Generally Not Well Regarded” – eEye⁸
19	Industry Thinking on “Good Worms” - Continued “The idea of a patch worm is a nice thought, but it is not a solution…” - CERT⁹
20	Industry Thinking on “Good Worms” - Continued “You cannot predict what’s going to happen. You don’t know what the impact is going to be if it’s altered. It’s never an alternative.” – Trend Micro¹⁰
21	Industry Thinking on “Good Worms” - Continued “-What about the traffic it takes up? -What about the boxes that don't patch properly, don't make it back after reboot, or took down etrade in the middle of a trading day? -How does your worm know when it's done? -Maybe I don't want my box patched, the patch broke my app -How do I tell your good worm apart from the original bad worm, or the other worm which looks like the good worm, but is really a bad worm? -How about people like us who track attack data, and you just skewed the heck out of it? When does www1.whitehouse.gov get to come back? If there's still A worm around on the 1st, which one is it? -Do we really want an Internet-sized game of corewars?” - Ryan Russell¹¹
22	Industry Thinking on “Good Worms” - Continued “Visions of bots floating around in the ether waging mighty, but invisible, battles belong in books such as Neal Stephenson's "The Diamond Age," not on production Internet servers.” – Timothy Dyck¹²
23	Industry Thinking on “Good Worms” - Continued “… Worms are inherently uncontrollable, meaning that good worms will cause traffic problems and spread out of control. This is true of most worms today, but that's only because no one has designed a legitimate, well-coded and peer-reviewed good worm…” – eWeek¹³
24	/. Wisdom “The only question raised here is, am I really going to trust this "helpful" worm or others like it to fully patch up my box properly?” “Two wrongs may not make a right, but I would think in this case they would at least be somewhat better than just the one wrong” “Worms like this wouldn't exist or be news if more sysadmins would do their job instead of playing Quake, looking at pr0n, or IRC'ing all day...” “Automatic (or even semi-automatic) patching is the dumbest idea on Earth.”
25	References 1. Stansell-Gamm, Martha. “Good Worms Not Mature”, May 26, 2003. URL: http://www.eweek.com/article2/0,3959,1109605,00.asp 2. Vision, Max. “Origin and Brief Analysis of the Millennium Worm”, Sept, 1999. URL: http://www.whitehats.com/library/worms/mworm/index.html 3. Poulsen, Kevin. “Max Vision: FBI pawn?”, May 8, 2001. URL: http://www.securityfocus.com/news/203 4. Mixter. “mw06.tgz”, September 23, 1999. URL: http://packetstormsecurity.nl/groups/mixter/mw06.tgz 5. Barber, Bryan. “Cheese Worm: Pros and Cons of a Friendly Worm”, July 21, 2001. URL: http://www.sans.org/rr/papers/36/31.pdf 6. Hexxer, Der. “CodeGreen beta release”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0575.html 7. Kem, Marcus. “CRClean.zip”, September 1, 2001. URL: http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0577.html 8. Permeh, Ryan & Coddington, Dale. “Decoding and Understanding Internet Worms”, November 21, 2001. URL: http://www.blackhat.com/presentations/bh-europe-01/dale-coddington/1 9. Houle, Kevin. Quoted in “Cheese worm: A Linux fixer-upper? By Robert Lemos”, May 16, 2001. URL: http://news.com.com/2100-1001-257748.html?legacy=cnet 10. Hartmann, Joe. Quoted in “’Cheesy’ Fix-It Worm Patches Security Flaws By Jay Lyman”, May 18, 2001. URL: http://www.newsfactor.com/perl/story/9869.html 11. Russell, Ryan. “Re: Mitigating some of the effects of the Code Red worm”, July 20, 2001. URL: http://www.securityfocus.com/archive/1/198283/2002-12-02/2002-12-08/0 12. Dyck, Timothy. “Thanks, but we don’t want your Cheese (worm)!”, June 30, 2001. URL: http://www.freeos.com/printer.php?entryID=4233 13. Rapoza, Jim. “Up With Good Worms”, April 21, 2003. URL: http://www.eweek.com/article2/0,3959,1037004,00.asp 14. Vision, Max. Personal interview with Max Vision, August 17, 2003.
26	More to Come… For the remainder of this presentation, come see it live at… ToorCon September 26 – 28, 2003 San Diego, CA http://www.toorcon.org