SecurityFocus 2008-02-18
The inability to control self-propagating programs and the penchant for small errors to turn into big ones make worms an unwise choice for distributing patches, said Jose Nazario, senior security researcher at Arbor Networks and the author of Defense and Detection Strategies against Internet Worms.
"For me still, one of the biggest limitations is risk," Nazario said. "I am far more concerned about unwanted interactions between the existing software and the patches."
Large companies regularly find unwanted compatibility issues between patches and the applications they run on their network, he said. Allowing the full automation of patches could cripple a network before the company's information-technology managers can react.
Previous papers by Microsoft's Vojnovic show that the researcher recognizes a key problem in fighting self-propagating malicious code: Worms move faster than companies can currently patch. While Microsoft finds that about 80 percent of IP addresses appear to the company's Windows Update service on the first day that a patch is released, the researcher has found that any countermeasure to an actively spreading threat has to be developed and deployed more quickly than the worm spreads.
In his latest paper, Vojnovic uses real data from the Windows Update network and from the spread of the Witty worm to study various spreading strategies. The research found that a self-spreading program with no prior knowledge of the networks it intends to infect can still adopt an infection strategy that is nearly optimal. The strategy: scan the full set of target networks until a vulnerable system is found, then scan the network that holds the vulnerable system a limited number of times, and, if another vulnerable system is not found, go back to scanning the full range of networks randomly.
While many antivirus researchers look at any use of self-propagation as bad, Microsoft's Vojnovic argued that if the technology has benefits, then the company could develop it to help customers.
"In general, spreading the information in epidemic style fashion may have benefits in terms of the speed of propagation and resilience," he said in the e-mail interview. "In the context of epidemic-style patch dissemination, Microsoft will always let customers decide whether a particular security update is appropriate for them and their computing environment. We give customers choices in deployment technologies and allow them to decide if, when, and how they'd like to apply security updates."
While Microsoft maintains that no product plans are in the works, even offering such technology to customers is irresponsible, Authentium's Sandilands told SecurityFocus.
"I think that responsible people should not be writing worms," he said. "The thing about a worm is that it infects your machine without your say so and does what it wants without your knowledge. There have been viruses that have tried to do that in the past and have caused a lot of problems."
The Microsoft paper is co-authored by two other Microsoft researchers, Thomas Karagiannis and Christos Gkantsidis, and a graduate student from Carnegie Mellon University, Varun Gupta. Messages e-mailed to Gupta requesting an interview were not answered.
CORRECTION: Microsoft's Vojnovic stressed that using the mechanics of worm propagation for distributing patches is only being investigated as a possibility. The first paragraph of the article was updated to reflect this.