"A researcher has reopened the subject of beneficial
worms, arguing that the capabilities of self-spreading code could
perform better penetration testing inside networks, turning vulnerable
systems into distributed scanners.
The worms, dubbed nematodes after the parasitic worm used to kill
pests in gardens, could give security administrators the ability to scan
machines inside a corporate network but beyond a local subnet, David
Aitel, principal researcher of security firm Immunity, said at the Black
Hat Federal conference.
"Rather than buy a scanning system for every segment of your
network, you can use nematodes to turn every host into a scanner," he
said during an interview with SecurityFocus. "You'll be able to see into
the shadow organisation of a network - you find worms on machines and
you don't know how they got there."
The topic of whether self-propagating code can have a good use has
cropped up occasionally among researchers in the security
testing community. In 1994, a paper written by antivirus researcher
Vesselin Bontchev concluded that 'good' viruses are possible, but
the safeguards and limitations on the programs would mean that the
resulting code would not resemble what most people considered a virus.
Later attempts at creating 'good' worms have failed, however, mainly
because the writers have not adopted many of the safeguards outlined in
the Bontchev paper."
What do you think? A great technique for security testing software applications, IT systems and infrastructures? Not everyone agrees:
"On the other hand, the dangers inherent in self-propagating code are
hard to overcome, said Jose Nazario, senior security and software
engineer for network defense firm Arbor Networks.
"I still have my doubts that the controls he described are
effective enough," Nazario said. "He addressed how you shut the
nematodes down and how you make sure they don't infect other networks,
but he hasn't addressed machine instability and the danger when people
carry laptops across network boundaries."
Nazario, the author of Defense and Detection Strategies Against Internet Worms,
believes the best way to find vulnerabilities on a large network is to
use dedicated sensors, an approach used by Arbor Networks.
"There are a number of ways of finding those vulnerabilities in
the network without the inherent risks involved in self-propagating
code," he said."
This is an extract from an article which originally appeared in