A Special Needs Class
2003-06-02
The University of Calgary's new course in virus-writing begs the question: is it a cheap publicity stunt or just boneheaded educating?
As a researcher who has analyzed existing worm strategies and developed novel strategies (Warhol worms, metaserver worms) and plausible defenses, I find the notion of actual virus and worm writing as part of the educational and research process both abhorrent and of effectively NO value.
For evaluating propagation behavior, simulation, "on-paper" evaluations, and analysis of previous worms can tell us effectively all we need to know: how worms and viruses spread, how they interact with many existing and possible defenses, and some requirements (such as automatic reactions) required to build robust defenses.
Simulation predicted the possibility of very fast worms and many of the requirements for automated defenses. Paper analysis ensures that I will never run KaZaA myself (the recent vulnerability could be used to take out all supernodes in probably less than 2 minutes). And analysis gives us a treasure-trove of what works well for malicious coders, such as how to cross firewalls and enter local Windows domains.
There are some surprises which come up, such as Slammer/Sapphire's speed, but these are second-order effects. Sapphire was still a scanning worm, so automated defenses which could stop a 1-hour scanning worm should stop a Sapphire-esque worm. Likewise, there are numerous other techniques (hitlisting & permutation scanning, topological, metaserver) which can create worms that spread to all vulnerable hosts in roughly the same timeframe.
Likewise, to evaluate the defenses themselves, existing attacks can often be used as long as the defense hasn't been pre-trained. For worms which exploit security vulnerabilities, such as Code Red, these are no longer threats, as effectively all vulnerable machines have been patched and effectively all of the remaining machines are infected.
And, if existing attacks, paper design, and simulation are all insufficient to evaluate a defense mechanism, the best solution is to create daemon programs which run on test machines and whose behavior (e.g., system calls, network communication) MIMICS the behavior of a worm when communicating with other copies of the program, as such programs cannot spread beyond the test machine.
There is room for a good course on malicious code and defenses, but it need not, and should not, include construction of self-propagating programs (worms or viruses).
I do not need to write worms to understand the problem, construct, and evaluate defenses.
Link to this comment: http://www.securityfocus.com/comments/columns/164/20281#20281
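The comment above argues that simulation and "on-paper" analysis, not live worm code, are what tell a defender how scanning worms spread and what an automated reaction must achieve. The following is an added example written for this page, not code from the commenter or from any worm-research project. It is an abstract discrete-time simulation of a random-scanning epidemic in a constructed address space (every parameter is illustrative, not a measurement of any real worm), and it goes one step beyond the comment's text by pairing the simulation with a containment threshold: an automated defense that quarantines an infected host after a fixed number of probes. The `reproduction_number` function is the on-paper counterpart, the expected number of new infections a single host causes before it is contained; when that number is below 1.0 the outbreak dies out, which is exactly the kind of requirement a defense designer can derive without running anything self-propagating. No networking or exploitation is involved; hosts are integers and probes are random draws.

```python
import random


def simulate(space=2**16, vulnerable=500, scans_per_tick=5, initial=1,
             ticks=2000, contain_after=None, seed=1):
    """Simulate a random-scanning worm and return infected-host counts per tick.

    All parameters are constructed for illustration, not measured from a real worm:
      space           size of the scanned address space (addresses 0..space-1)
      vulnerable      number of vulnerable hosts, placed at random addresses
      scans_per_tick  probes each active infected host emits per tick
      initial         hosts infected at tick 0
      ticks           maximum number of ticks to simulate
      contain_after   if set, an automated defense quarantines an infected host
                      once it has emitted this many probes (a scan-count
                      threshold reaction); None means no defense at all
    """
    rng = random.Random(seed)
    vuln = set(rng.sample(range(space), vulnerable))
    infected = set(rng.sample(sorted(vuln), initial))
    quarantined = set()
    probes_sent = {}
    history = []
    for _ in range(ticks):
        active = [h for h in infected if h not in quarantined]
        newly = set()
        for host in active:
            for _ in range(scans_per_tick):
                target = rng.randrange(space)
                if target in vuln and target not in infected:
                    newly.add(target)
            probes_sent[host] = probes_sent.get(host, 0) + scans_per_tick
            if contain_after is not None and probes_sent[host] >= contain_after:
                quarantined.add(host)  # the automated reaction stops this host
        infected |= newly
        history.append(len(infected))
        if len(infected) == vulnerable:
            break  # every vulnerable host is infected; nothing left to model
    return history


def reproduction_number(space, vulnerable, probes_per_host):
    """On-paper counterpart: expected new infections one infected host causes
    before containment stops it. Below 1.0 the outbreak dies out on its own."""
    return probes_per_host * vulnerable / space


def time_to_fraction(history, fraction, vulnerable):
    """Tick at which the infected population first reaches the given fraction
    of all vulnerable hosts, or None if it never does."""
    target = fraction * vulnerable
    for tick, count in enumerate(history):
        if count >= target:
            return tick
    return None


if __name__ == "__main__":
    undefended = simulate()
    contained = simulate(contain_after=50)
    print("undefended: %d/%d infected, 90%% reached at tick %s"
          % (undefended[-1], 500, time_to_fraction(undefended, 0.9, 500)))
    print("contained (R0=%.2f): %d/%d infected"
          % (reproduction_number(2**16, 500, 50), contained[-1], 500))
```

The design choice worth noticing is that the containment threshold is expressed in probes, not time: the quantity a defense must bound is how many addresses a host may touch before it is stopped, and dividing the address space by the vulnerable population gives the threshold at which the reproduction number crosses 1.0. Tightening `contain_after` below that value turns a saturating epidemic into one that fizzles after a handful of hosts, which is the effect the comment attributes to "automatic reactions".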