The Only Good Worm is a Gummy Worm

From time to time the discussion of whether or not there are (or can be) good worms comes up, usually specifically in the context of program maintenance, updates and upgrades.

In fact, the idea of maintenance viruses goes back at least as far as Dr. Fred Cohen, who pretty much "wrote the book" on early viruses, almost literally. In fact, looking at his book "A Short Course on Computer Viruses" (in which he specifically discusses "benevolent viruses") again, I was struck by how far malware and anti-malware technologies today still reflect his ideas.

However, the idea of the benevolent maintenance worm, which last year resurfaced in a paper in which Microsoft researchers had an interest, has tended to meet with a chilly reception from the mainstream researcher community.

An event today really drove home the point about how bad a good worm could really be.

 We had an unfortunate false positive event this morning at ESET. A synchronization error allowed a new heuristic module to be released along with a new signature update. Each worked great on its own, but together they created false positives on some Windows operating system files. Both components went through QC, but not together. We’ve got that process fixed now.

The problem was spotted almost immediately, and within ten minutes the faulty update was removed from the download site, thereby preventing 95% of our users from encountering a problem. As for the other 5%, many of those people never knew there was a problem because the next update replaced the quarantined files on all versions of our products except for version 2.7. We have also issued a new tool to help anyone who needs assistance, and that also works on all versions, including 2.7. Our people in tech support can provide the tool upon request, and, of course, tech support is free for all ESET customers.

So, what does it really mean, when we say that 95% of our users were unaffected? Unfortunately, It means that there were still a couple of million users who did encounter the problem. A couple of million users in 10 minutes, and this was done without the help of a worm. The Slammer worm infected 90% of all vulnerable connected computers in 10 minutes. No matter how good the intent, there will be problems with software from time to time. With a faulty signature we can turn off the source almost instantly and it goes no farther. With a worm, well, you know what breaks loose. Don't just think Slammer, think Code Red, Blaster, and many, many mass mailers (some of which are still very much current).

 No matter how good the intent, self-replicating code is not a good idea for a distribution mechanism. There is always a better alternative for distribution.

So, you may wonder, how do we get our updates out to a couple of million users in ten minutes or less without the benefit of a tame worm? Ironically, by a mechanism analogous to that used to update zombie PCs in a botnet. But we'd like to think that's a case of the malware community taking ideas from us, rather than vice versa.

Randy Abrams & David Harley
ESET Research Team