SecurityFocus 2008-02-18
A scientific paper discussing theories of information propagation reopened the debate on beneficial worms last week, after one of the authors -- a researcher at Microsoft -- told reporters that the company could benefit from making software updates spread more like computer worms.
The paper, Sampling Strategies for Epidemic-Style Information Dissemination, investigates the best way to propagate information or code on a subdivided network, such as the Internet. One of the authors -- Milan Vojnovic of Microsoft Research in Cambridge, U.K. -- described an aim of the study as developing a way for software patches to be distributed faster and with less load on a single server, according to an article appearing Thursday in the online edition of the U.K.-based NewScientist magazine.
While the concept of a beneficial worm is not new, it remains controversial and security professionals quickly panned the idea.
"There is nothing like a 'friendly' worm," Robert Sandilands, director of antivirus for security firm Authentium, wrote on the company's Virus Blog on Friday. "If you look at the history of 'attempts' to do this you will see that they always caused more problems than they fixed. Even if that is not enough motivation then just looking at the ethical issues surrounding the writing of malware you would think that responsible people would avoid it."
In an e-mail interview, Microsoft's Vojnovic stressed that the purpose of the research is to investigate means of distributing information to a network, not necessarily to create practical "good" worms.
"My focus is fundamental research on improving the efficiency of data distribution of all types across networks, and isn't limited to certain scenarios or types of data, but investigating underlying networking techniques," Vojnovic stated. "Using understanding from the field of epidemiology is one of the methods that we're investigating in this area, and we hope that our research will help inform future computer science research and networking technology."
The topic of whether self-propagating code can have beneficial uses has cropped up every few years among researchers in the security community. In 2006, researcher David Aitel of security firm Immunity suggested that a sufficiently restricted self-propagating program could be used to find machines in a network that lack a certain patch and fix them. In 2004, Hewlett-Packard researchers suggested using malicious code -- though, not necessarily worm-like code -- to infect machines as a way of patching the systems or notifying the users that they needed to patch.
Many of the ideas can trace their roots back to a paper written by antivirus researcher Vesselin Bontchev, who concluded in 1994 that 'good' viruses are possible, but that the safeguards and limitations on the programs would mean that the resulting code would not resemble what most people considered a virus.
Attempts at creating 'good' worms have failed, many times because the writers did not adopt the safeguards outlined in the Bontchev paper. In 1982, prior to Bontchev's work, two Xerox Palo Alto Research Center (PARC) researchers, John Shoch and Jon Hupp, coined the term 'worm' for a program that spread around their 100-computer network updating drivers. A flipped bit in the program caused the resulting worm to spread uncontrollably and clog the network.
In an incident that draws significant parallels, the Welchia worm -- a variant of the MSBlast, or Blaster, worm -- had seemingly been created to fix the vulnerability exploited by the MSBlast worm, but had serious programming errors that caused the program to aggressively scan for new hosts. The resulting worm had a larger impact on many of the networks it infiltrated than the MSBlast worm itself, effectively shutting them down.
The inability to control self-propagating programs, and the penchant for small errors to turn into big ones, makes worms an unwise choice for distributing patches, said Jose Nazario, senior security researcher at Arbor Networks and the author of Defense and Detection Strategies against Internet Worms.
"For me still, one of the biggest limitations is risk," Nazario said. "I am far more concerned about unwanted interactions between the existing software and the patches."
Large companies regularly find unwanted compatibility issues between patches and the applications they run on their network, he said. Allowing the full automation of patches could cripple a network before the company's information-technology managers can react.
Previous papers by Microsoft's Vojnovic show that the researcher recognizes a key problem in fighting self-propagating malicious code: Worms move faster than companies can currently patch. While Microsoft finds that about 80 percent of IP addresses contact the company's Windows Update service on the first day that a patch is released, the researcher has found that any countermeasure to an actively spreading threat has to be developed and deployed more quickly than the worm spreads.
In his latest paper, Vojnovic uses real data from the Windows Update network and from the spread of the Witty worm to study various spreading strategies. The research found that a self-spreading program with no prior knowledge of the networks it intends to infect can still adopt an infection strategy that is nearly optimal. The strategy: Scan the full set of target networks until a vulnerable system is found, switch to scanning the network which holds the vulnerable system a limited number of times, and if another vulnerable system is not found, go back to scanning the full range of networks randomly.
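To make the strategy described above concrete, here is a small simulation written for this article (it is not code from the Microsoft paper and does not reproduce its data). It models a subdivided address space as a toy: 16 subnets of 64 addresses, with the hosts still needing an update clustered in two subnets (a constructed sample, chosen because unpatched machines tend to cluster by organisation). It then compares how many of those hosts a fixed probe budget reaches under uniform random probing versus the "probe locally a limited number of times after a hit, then fall back to the full range" strategy. The local budget `k`, the probe budget and the network layout are assumptions for illustration; the paper's actual sampling parameters are not reproduced here.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """A toy subdivided address space: subnet_count subnets of subnet_size addresses."""
    subnet_count: int
    subnet_size: int
    unpatched: frozenset  # global addresses of hosts still missing the update

    @property
    def size(self) -> int:
        return self.subnet_count * self.subnet_size

    def subnet_of(self, addr: int) -> int:
        return addr // self.subnet_size

    def addr_in(self, subnet: int, offset: int) -> int:
        return subnet * self.subnet_size + offset


def uniform_probe(net: Network, budget: int, rng: random.Random) -> set:
    """Baseline: every probe picks an address uniformly from the whole space."""
    found = set()
    for _ in range(budget):
        addr = rng.randrange(net.size)
        if addr in net.unpatched:
            found.add(addr)
    return found


def local_preference_probe(net: Network, budget: int, k: int, rng: random.Random) -> set:
    """Strategy described in the article: probe the whole space until a host needing
    the update is found, then probe that host's subnet up to k times; every further
    hit refreshes the local budget, k consecutive misses return to global probing."""
    found = set()
    local_subnet = None   # subnet currently being favoured, or None for global mode
    local_left = 0        # remaining local probes before giving up on the subnet
    for _ in range(budget):
        if local_subnet is None:
            addr = rng.randrange(net.size)
        else:
            addr = net.addr_in(local_subnet, rng.randrange(net.subnet_size))
            local_left -= 1
        if addr in net.unpatched:
            found.add(addr)
            local_subnet = net.subnet_of(addr)
            local_left = k
        elif local_left <= 0:
            local_subnet = None
    return found


def make_clustered_network() -> Network:
    """Constructed sample (assumption, not data from the paper): 16 subnets of 64
    addresses, with the hosts needing the update concentrated in subnets 3 and 9."""
    subnet_size = 64
    hosts = {3 * subnet_size + i for i in range(24)} | {9 * subnet_size + i for i in range(8)}
    return Network(subnet_count=16, subnet_size=subnet_size, unpatched=frozenset(hosts))


def compare(net: Network, budget: int = 150, k: int = 4, trials: int = 300) -> tuple:
    """Mean number of hosts reached by each strategy over `trials` seeded runs."""
    u_total = l_total = 0
    for seed in range(trials):
        u_total += len(uniform_probe(net, budget, random.Random(seed)))
        l_total += len(local_preference_probe(net, budget, k, random.Random(seed)))
    return u_total / trials, l_total / trials


if __name__ == "__main__":
    net = make_clustered_network()
    uniform_mean, local_mean = compare(net)
    print(f"uniform probing reached {uniform_mean:.1f} of {len(net.unpatched)} hosts on average")
    print(f"local-preference probing reached {local_mean:.1f} of {len(net.unpatched)} hosts on average")
```

Running the script averages both strategies over 300 seeded trials. Because each uniform probe has only a 1-in-32 chance of touching a host that needs the update, it reaches a handful of them within 150 probes; the local-preference strategy reaches several times as many once a single hit has revealed a dense subnet. The same clustering is why the article's sources worry about the approach: the strategy that makes an update spread quickly is exactly the one that lets a buggy self-propagating program saturate a subnet, as Welchia did.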
While many antivirus researchers look at any use of self-propagation as bad, Microsoft's Vojnovic argued that if the technology has benefits, then the company could develop it to help customers.
"In general, spreading the information in epidemic-style fashion may have benefits in terms of the speed of propagation and resilience," he said in the e-mail interview. "In the context of epidemic-style patch dissemination, Microsoft will always let customers decide whether a particular security update is appropriate for them and their computing environment. We give customers choices in deployment technologies and allow them to decide if, when, and how they'd like to apply security updates."
While Microsoft maintains that no product plans are in the works, even offering it to customers is irresponsible, Authentium's Sandilands told SecurityFocus.
"I think that responsible people should not be writing worms," he said. "The thing about a worm is that it infects your machine without your say so and does what it wants without your knowledge. There have been viruses that have tried to do that in the past and have caused a lot of problems."
The Microsoft paper is co-authored by two other Microsoft researchers, Thomas Karagiannis and Christos Gkantsidis, and a graduate student from Carnegie Mellon University, Varun Gupta. Messages e-mailed to Gupta requesting an interview were not answered.
The paper is available on the Internet and will be presented at the IEEE INFOCOM 2008 Conference in April.
CORRECTION: Microsoft's Vojnovic stressed that using the mechanics of worm propagation for distributing patches is only being investigated as a possibility. The first paragraph of the article was updated to reflect this.
If you have tips or insights on this topic, please contact SecurityFocus.