Since the first computer worm appeared in 1988, researchers have dreamed of deploying good worms to fight the bad ones. These would be programmed to invade a computer by exploiting the same weak points that bad worms use. But instead of delivering malicious software, the worms would close up the weak spot and so render the computer impervious to further attack. "We're talking about fighting fire with fire," says programmer David Aitel of the firm Immunity in Miami, Florida, who developed the worm.
These so-called "patching worms" have previously been used by virus-writing gangs to try to stop the spread of worms deployed by their rivals. Legitimate users have been wary of unleashing patching worms because they are difficult to control, raising fears that the originator would be liable if one were to crash computers it was not designed to patch. "Even if your intentions are good you are altering the behaviour of someone's machine without their consent," says Jose Nazario of the security firm Arbor Net, who runs a website called Worm Blog.
Aitel claims to have overcome this problem by programming the beneficial worms to visit only computers on a particular network. The worms, which he calls "nematodes", are programmed with a map of the network that tells them the range of IP addresses of all the machines they are allowed to invade. The first thing they do when they contact a potential beneficiary is to check whether the computer is in their range. If so they will invade; if not, they look for a new host.
Alternatively, the "polite" worms can be programmed to ask a central server for permission to invade. To ensure the infected computer always has access to that central server, Aitel suggests using the domain name system (DNS) server, which is responsible for translating domain names like newscientist.com into their numerical IP address. All computers on the network must have access to the DNS server at all times, as they contact it each time they visit a web page. If equipped with suitable software, it could also tell the worm whether it was allowed to invade a machine with a particular IP address.
To allow programmers with no worm-writing experience to assemble their own worm, Aitel has developed a programming language called Nematode Intermediate Language (NIL), which breaks a worm down into smaller software modules. He presented it last week at the Black Hat Briefings federal conference in Washington DC.
The company hopes to start selling NIL modules within the next four years.
"This article is posted on this site to give advance access to other authorised media who may wish to quote extracts as part of fair dealing with this copyrighted material. Full attribution is required, and if publishing online a link to www.newscientist.com is also required. The story below is the EXACT text used in New Scientist, therefore advance permission is required before any and every reproduction of each article in full. Please contact firstname.lastname@example.org. Please note that all material is copyright of Reed Business Information Limited and we reserve the right to take such action as we consider appropriate to protect such copyright."
THIS ARTICLE APPEARS IN NEW SCIENTIST MAGAZINE ISSUE: 4 FEBRUARY 2006
Author: Celeste Biever
IF REPORTING ON THIS STORY, PLEASE MENTION NEW SCIENTIST AS THE SOURCE AND, IF PUBLISHING ONLINE, PLEASE CARRY A HYPERLINK TO: http://www.