[SCADASEC] Friendly 'worms' could spread software fixes

Bob Radvanovsky rsradvan at unixworks.net
Fri Feb 15 07:40:29 CST 2008


** MODERATOR'S NOTE:  Just remember...many of your companies *use* Microsoft products.  This is your 'future'.  Do you really want this???

> http://technology.newscientist.com/article/dn13318-friendly-worms-could-spread-software-fixes.html
> 
> By Tom Simonite
> NewScientist.com news service
> 14 February 2008
> 
> Microsoft researchers are hoping to use "information epidemics" to 
> distribute software patches more efficiently.
> 
> Milan Vojnovic and colleagues from Microsoft Research in Cambridge, UK, 
> want to make useful pieces of information such as software updates 
> behave more like computer worms: spreading between computers instead of 
> being downloaded from central servers.
> 
> The research may also help defend against malicious types of worm, the 
> researchers say.
> 
> Software worms spread by self-replicating. After infecting one computer 
> they probe others to find new hosts. Most existing worms randomly probe 
> computers when looking for new hosts to infect, but that is inefficient, 
> says Vojnovic, because they waste time exploring groups or "subnets" of 
> computers that contain few uninfected hosts.
> 
> 
> Smart strategies
> 
> Vojnovic's team have designed smarter strategies that can exploit the 
> way some subnets provide richer pickings than others.
> 
> The ideal approach uses prior knowledge of the way uninfected computers 
> are spread across different subnets. A worm with that information can 
> focus its attention on the most fruitful subnets, infecting a given 
> proportion of a network using the smallest possible number of probes.
> 
> But although prior knowledge could be available in some cases (a company 
> distributing a patch after a previous worm attack, for example), usually 
> such perfect information will not be available. So the researchers have 
> also developed strategies that mean the worms can learn from experience.
> 
> In the best of these, a worm starts by randomly contacting potential new 
> hosts. After finding one, it uses a more targeted approach, contacting 
> only other computers in the same subnet. If the worm finds plenty of 
> uninfected hosts there, it keeps spreading in that subnet, but if not, 
> it changes tack.
> 
> 
> Spreading the load
> 
> "After it fails to reach new uninfected hosts a fixed number of times in 
> a row, say 10, it moves on to find new groups using random sampling," 
> explains Vojnovic. This approach performs almost as efficiently as the 
> strategies using prior knowledge.
> 
> Because no central server needs to provide and coordinate all the 
> downloads, software patches that spread like worms could be faster and 
> easier to distribute because no central server must bear all the load. 
> "These strategies can minimise the amount of global traffic across the 
> network," Vojnovic says.
> 
> The research has a second potential benefit. "If we understand how 
> future worms might be capable of spreading, we can design better 
> countermeasures," says Vojnovic. For example, some of the new strategies 
> would flatten the usual spike in overall network activity that can give 
> away software worm attacks, but instead they would be revealed by spikes 
> in local traffic.
> 
> 
> 'Perfect worm'
> 
> Chuanyi Ji at Georgia Tech University, US, is also interested in 
> designing a "perfect worm". As well as revealing weaknesses of networks, 
> such a worm could rush out defensive software patches faster than an 
> attacking worm can spread, she says.
> 
> Ji has examined records of previous worm attacks, and says there is 
> evidence that some already use similar if less refined tricks to those 
> developed by the Microsoft team.
> 
> For example, the Blaster worm preferentially tries to infect local 
> computers, like one of Vojnovic's worms. "We may see improvements to 
> these kind of strategies appearing in future, so it is good to 
> investigate the worst they could do," says Ji.
> 
> A paper on the Microsoft research will be presented at the 27th 
> Conference on Computer Communications (INFOCOM) in Arizona, US, in April 
> 2008.
> 
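
The article's detection point (subnet-preferring spread flattens the network-wide spike but shows up as a spike in local traffic) can be checked against flow records. The following is an added example, not part of the original post or the Microsoft research; the /24 subnet size, 60-second window, threshold of 20 peers and the sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

WINDOW = 60        # seconds per counting window (assumed)
LOCAL_FANOUT = 20  # distinct same-subnet peers per window treated as a spike (assumed)
PREFIX = 24        # prefix length used to decide what "local" means (assumed)

def same_subnet(src, dst, prefix=PREFIX):
    """True if dst falls inside src's subnet of the given prefix length."""
    net = ipaddress.ip_network(f"{src}/{prefix}", strict=False)
    return ipaddress.ip_address(dst) in net

def fanout_by_window(flows):
    """Map (src, window_start) to the distinct local and remote peers contacted."""
    buckets = defaultdict(lambda: {"local": set(), "remote": set()})
    for ts, src, dst in flows:
        key = (src, ts - ts % WINDOW)
        kind = "local" if same_subnet(src, dst) else "remote"
        buckets[key][kind].add(dst)
    return buckets

def local_spikes(flows, threshold=LOCAL_FANOUT):
    """Sources whose same-subnet fan-out reaches the threshold in any one window."""
    return sorted({src for (src, _), b in fanout_by_window(flows).items()
                   if len(b["local"]) >= threshold})

def border_visible(flows):
    """Flows crossing a subnet boundary: all that a core or border sensor observes."""
    return [f for f in flows if not same_subnet(f[1], f[2])]

def sample_flows():
    """Constructed sample records: (timestamp_seconds, src, dst)."""
    # One host contacting 30 distinct neighbours in its own /24 within 30 seconds.
    flows = [(i, "10.1.1.5", f"10.1.1.{10 + i}") for i in range(30)]
    # An ordinary host: two local peers and one remote lookup.
    flows += [(5, "10.1.2.7", "10.1.2.1"), (9, "10.1.2.7", "10.9.0.53"),
              (40, "10.1.2.7", "10.1.2.20")]
    return flows

if __name__ == "__main__":
    flows = sample_flows()
    print("local fan-out spikes:", local_spikes(flows))
    print("sources seen at the border:", sorted({f[1] for f in border_visible(flows)}))
```

The sweeping host never appears in the border view, so only a sensor that sees intra-subnet traffic (switch flow export, host firewall logs) can feed this check.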


