By definition a standard symbiotic relationship imparts benefits on both groups. It's arguable that existing worms/botnets could be considered symbiotic worms, even "friendly", in a sense. When you click on that Valentine's Day attachment and Storm pwns your machine, one of the first changes it makes, after establishing a command and control channel, is to somewhat harden the operating system so that other worms/viruses/trojans cannot infect the new captive. This is comparable to what Microsoft's friendly worms are going to do. Storm continues from there to look for more nodes and send out spam. If Microsoft is going to label their home-brewed malware a "worm", they have some intrusive (but not that unexpected) company. Let's hope they don't decide to spin some "friendly" mass-mailings into their worms as well.
The proposed Microsoft worms would only be beneficial for the worms in the sense that the hosts allow the worms to distribute themselves. Do the worms receive other benefits from infecting the hosts? This could be like a reverse parasite: the worm infects, and the host is parasitic on the worm (what is the standard biology term for this?). Other than the partial lack of symbiosis, what distinguishes our "friendly" worm from a Storm/Mega-D infection? (1) It's not sending out spam/performing auxiliary illegal functions. (2) Its distributor is known. (3) It deactivates itself? (4) It's "friendly". Point (2) will give victims legal recourse and establish an amount of responsibility with the distributor, Microsoft; this appears to be a good thing.
I genuinely hope (3) is true; this seems like the most important aspect. But when will it deactivate? After repairing the infected system? After the repair and after infecting an additional N neighbors? And how will it deactivate, and how complete will this deactivation be? On a theoretical level, it seems like you should run into some analog of the halting problem here. The virus infects the machine, repairs the machine, uses control (a) to delete itself, control (b) to delete control mechanism (a), mechanism (c) to delete mechanism (b)... we all know where this leads: nowhere. What am I overlooking in this analysis? Wouldn't a control channel be needed to delete any preexisting control channels? A potential solution would be to send a message to Windows Update's servers after cleaning the machine and to have the server remove the mechanism, or it seems like some one-way function could be used as well. Contacting a Windows server is very similar to a command and control channel. (Although it's likely hopeless) let's hope no one subverts this or related channels.
With respect to (4), "Let Us Just Pour Some Oil Down This Slide and Balance Our Cluster Bombs On Top Of It."
This could go very badly very quickly for whomever performs the research, let alone for Microsoft, a company with such a history of vulnerability-less code. Is the lack of "Windows Genuine Update" worthy of repairing? There could be a flaw in the old version of Windows Update rationalizing this view. The worm infects the victim, updates the system software, and after the user reboots they're locked out because they do not have a genuine version of Windows, regardless of whether they pirated Windows or the machine they purchased came with a pirated version unbeknownst to them. Many variations on this theme are imaginable.
Slightly more insidiously, a patch is applied to Internet Explorer closing all previous vulnerabilities and opening a new vulnerability. Has Microsoft (or any company) consistently released patches that have not created new vulnerabilities? They have not, and it's not because they're not extremely skilled programmers; it's because that is usually not a software development requirement or possibility. Patch away if the patch is going to be accompanied by a proof-theoretic verifier of the patched code that (by somehow avoiding all of the paradoxes Turing, Church, and others have pointed out) proves the invulnerability of the code; this is actually more realistic than it sounds. Until then, this could easily do much more harm than good, even if performed in the friendliest of manners.
Furthermore, the potential for subversion of the worm or control channels seems intolerably significant. Any of the nearly daily (hourly?) zero-day Microsoft exploits do enough damage as it is. Imagine what would be possible with a zero-day exploit that wormed its way through. Imagine a modification to the worm making all Windows machines appear as though they need to be patched. Reverse engineering Microsoft code is trivial compared to reversing Skype's code, and both projects have already been done and are actively being enhanced. The way in which this problem is addressed will need to be brilliant, or we'll see some brilliant attackers flourish.
What are the legal implications of releasing this worm or of even pursuing research in this direction? The courts have never been too knowledgeable in the area of data security and seem to err on the side of, "if it sounds possibly not good, it's horribly bad." Recall the fines given for non-malicious use of an open public WiFi network. Whether released by Microsoft or the Russian Business Network (RBN), a worm is a worm like sarin is sarin. If Pfizer were researching sarin to develop a variant of the gas that would repair paraplegics, I'm pretty sure that would be illegal (so maybe the previous is an absurd stretch). When Iran researches nuclear weapons for "peaceful" (sounds close to "friendly") use, they receive attempted sanctions and threats of invasion (from the more irrational congressmen). Does it behoove the EFF to do the equivalent? In a metaphorical way I do think so.
U.S. laws likely do not allow a computer worm to be released into the wild by a private company, certainly not by an individual. Simply performing the research is arguably illegal as well. Looking abroad, a release is certainly illegal in Germany, and likely the research as well. KisMAC moved their servers to Switzerland after Germany ratified their new cyber security laws. I'd suspect the U.K. and Australia would be rather unfriendly to these "friendly" activities as well.
Would there be legal recourse for those infected with the worm? If it's egg patching (or simply infecting) your system, it will require bandwidth. In many (most?) European countries, internet connections are paid for on a bandwidth basis. Microsoft is then literally stealing a commodity that you have paid for when they infect you with their worms. Shouldn't they be required to remunerate you? The virus will also use other commodities, such as disk space and processor cycles, and will through these use electricity as well as wear down your equipment (to some degree). This seems to clearly fall under unauthorized use, although it is moving into a new frontier for these types of arguments and lawsuits (I cannot think of any related precedents).
There's always the possibility of an accident. Does Microsoft expect to develop a worm with no impact on performance/other applications/other services? They do not know every line of code that has ever been written for their products, so this will certainly be a problem. If they inadvertently crash another application, maybe a load balancer, they could bring down a server or a cluster. What if it belongs to a broker/dealer and financial records are lost? I could imagine damage in the USD billions being caused, or worse; it is a worm. And whose pockets go deeper? Most corporations would love to sue Microsoft (ignoring the formidable legal defense team for a moment); the European Union and U.S. federal/state governments certainly seemed to enjoy it, to some extent.
This would be a service/product to be released once P == NP, "black hats" have no profit incentive, computer security laws become internationally well defined, version control is perfected, and "friend" is no longer a transient term. Unfortunately, I only see one of these things ever becoming true (you know which one I'm thinking of). Apparently, Microsoft wants us to go into a future in which malware is our friend.