Some in the media have reacted to the recent Zotob worm outbreaks by
reinventing the idea of "good worms". The discussion usually goes
like this:
Young Lion: Hey, this virus X spreads really well. So
let's use a similar virus to spread the patch against X and save
the world!
Old Salt: Good idea. Then you can write a third virus to
patch your second virus, and a fourth to patch your third, and that
will keep you busy enough not to have any more stupid ideas for
long enough to let me get on with some proper work.
YL: Oh, but *my* virus will be a good virus. It will
spread lightly, infect gently, and act only from the highest
motives.
OS: And it will, of course, request consent, and adapt
itself to the exigencies of every admin's network, and work on all
language versions of the operating system, and with all other
security software, and in the presence of other viruses, and
without ever misbehaving?
YL: Oh no! I mean, yes, it will work 100% fine, but of
course it won't ask for permission. The idea is to save the world
automatically. This is the 21st century, my ageing friend!
OS: So you will retain control of it at all times?
YL: Oh yes! I mean, no, of course not. The idea is to
save the world automatically. This is the era of the iPod, old
buddy, not the age of Aquarius.
OS: And how do you propose to test it?
YL: I've already tried it out on my own PC!
OS: Korean?
YL: What?
OS: Korean. You tested it on Korean versions. Two bytes
per character, you know. Or sometimes three. Or four. And Hebrew.
The system DLLs put all the buttons the other way around. And your
logging naturally supports both common forms of Chinese script. And
it works if you have a Vista prerelease. And it correctly
recognises old Digital Alpha boxes. Sorry, Digital really was the
age of Aquarius. I sort of lost track of time after Jimi Hendrix
gave up live gigs.
YL: Alpha?
OS: Alpha. As in CPU, not as in male. No matter. Just put
your name and phone number in your virus so people can call you if
it goes wrong. As long as you give free support, they probably
won't ask for the maximum sentence on the unauthorised access and
unauthorised modification charges. Virus writers don't often get
more than two years. You'll be out in 14 months if you do what
you're told. Best cut off that daggy hairdo, though.
YL: Mate, you're losing me here.
OS: You're not wrong.
It is the control, the consent and the testing which just are
not possible in a virus, and that is why good worms are a bad idea.
Patching can be effectively and rapidly automated without the need
to risk yet another virus to save the day.
Some have asked: "Given the choice between the vaccine or
chickenpox, which would you prefer?" This is the wrong
question.
The "good worm" proposed above is not a vaccine (which does not
spread by itself), it is another piece of virulent code. So the
question should ask: "Vaccine, or a genetically modified chickenpox
which will spread to other people but shouldn't do any harm even
though we had to put it together in something of a hurry, or real
chickenpox -- which would you prefer?"
Go for the vaccine, and take it
in your own time, with your own informed consent, under conditions
which suit you just fine, from a registered healthcare
professional.
About the author
Paul Ducklin joined Sophos from the South African Council for
Scientific and Industrial Research in 1995.
He has held a variety of roles within Sophos, including heading
up Sophos's global technical support operations, before becoming
Head of Technology, Asia Pacific.
One of the world's leading virus experts, Paul has given papers
and presentations at various industry events including Virus
Bulletin, ICSA and AVAR conferences. He has also written several
articles on the virus threat and is a respected industry
spokesperson.