Friendly 'worms' could spread software fixes

Friendly 'worms' could spread software fixes
Friendly 'worms' could spread software fixes 

By Tom Simonite news service
14 February 2008

Microsoft researchers are hoping to use "information epidemics" to 
distribute software patches more efficiently.

Milan Vojnovic and colleagues from Microsoft Research in Cambridge, UK, 
want to make useful pieces of information such as software updates 
behave more like computer worms: spreading between computers instead of 
being downloaded from central servers.

The research may also help defend against malicious types of worm, the 
researchers say.

Software worms spread by self-replicating. After infecting one computer 
they probe others to find new hosts. Most existing worms randomly probe 
computers when looking for new hosts to infect, but that is inefficient, 
says Vojnovic, because they waste time exploring groups or "subnets" of 
computers that contain few uninfected hosts.

Smart strategies

Vojnovic's team have designed smarter strategies that can exploit the 
way some subnets provide richer pickings than others.

The ideal approach uses prior knowledge of the way uninfected computers 
are spread across different subnets. A worm with that information can 
focus its attention on the most fruitful subnets infecting a given 
proportion of a network using the smallest possible number of probes.

But although prior knowledge could be available in some cases a company 
distributing a patch after a previous worm attack, for example usually 
such perfect information will not be available. So the researchers have 
also developed strategies that mean the worms can learn from experience.

In the best of these, a worm starts by randomly contacting potential new 
hosts. After finding one, it uses a more targeted approach, contacting 
only other computers in the same subnet. If the worm finds plenty of 
uninfected hosts there, it keeps spreading in that subnet, but if not, 
it changes tack.

Spreading the load

"After it fails to reach new uninfected hosts a fixed number of times in 
a row, say 10, it moves on to find new groups using random sampling," 
explains Vojnovic. This approach performs almost as efficiently as the 
strategies using prior knowledge.

Because no central server needs to provide and coordinate all the 
downloads, Software patches that spread like worms could be faster and 
easier to distribute because no central server must bear all the load. 
"These strategies can minimise the amount of global traffic across the 
network," Vojnovic says.

The research has a second potential benefit. "If we understand how 
future worms might be capable of spreading, we can design better 
countermeasures," says Vojnovic. For example, some of the new strategies 
would flatten the usual spike in overall network activity that can give 
away software worm attacks, but instead they would be revealed by spikes 
in local traffic.

'Perfect worm'

Chuanyi Ji at Georgia Tech, University, US, is also interested in 
designing a "perfect worm". As well as revealing weaknesses of networks, 
such a worm could rush out defensive software patches faster than an 
attacking worm can spread, she says.

Ji has examined records of previous worm attacks, and says there is 
evidence that some already use similar if less refined tricks to those 
developed by the Microsoft team.

For example, the Blaster worm preferentially tries to infect local 
computers, like one of Vojnovic's worms. "We may see improvements to 
these kind of strategies appearing in future, so it is good to 
investigate the worst they could do," says Ji.

A paper on the Microsoft research will be presented at the 27th 
Conference on Computer Communications (INFOCOM) in Arizona, US, in April 

Subscribe to InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods