[ISN] Nematodes: The Making of 'Beneficial' Network Worms

InfoSec News isn at c4i.org
Thu Oct 6 00:07:53 EDT 2005 

http://www.eweek.com/article2/0,1895,1867317,00.asp

By Ryan Naraine 
October 5, 2005 

Convinced that businesses will use nonmalicious worms to cut down on 
network security costs, a high-profile security researcher is pushing 
ahead with a new framework for creating a "controlled worm" that can 
be used for beneficial purposes.

Dave Aitel, vulnerability researcher at New York-based Immunity Inc.,
unveiled a research-level demo [1] of the "Nematode" framework at the
Hack In The Box confab in Kuala Lumpur, Malaysia, insisting that good
worms will become an important part of an organization's security
strategy.

"We're trying to change the way people think," Aitel said in an 
interview with Ziff Davis Internet News. "We don't want people to 
think this is impossible. It's entirely possible to create and use 
beneficial worms and it's something businesses will be deploying in 
the future."

For years, security experts have debated the concept of using good
worms to seek and destroy malicious worms. Some believe that it's time
to use the worms' tactics against them [2] and build good worms that
fix problems but the chaos and confusion associated with
self-propelled replicating programs have left others unconvinced.

Aitel is among those who believe it is "inevitable" that worm 
technology can significantly reduce the cost of disinfecting and 
maintaining a corporate network.

"We already have a proof-of-concept that can take a very simple 
exploit, go through a few steps and, in a matter of minutes, create a 
working nematode," Aitel said.

He took the name for the concept from the pointy-ended worm used to 
control pests in crops. "We can generate a nematode any way we want. 
You can make one that strictly controls, programmatically, what the 
worm does," Aitel explains.

Aitel, who did a six-year stint as a computer scientist at the NSA 
(National Security Agency) before moving on to work as a code-breaker 
for research outfit @Stake Inc., is adamant that nematodes can provide 
the answer for lowering security costs.

He sees a world where "strictly controlled" nematodes are used by 
ISPs, government organizations and large companies to show significant 
cost savings.

During his Hack In The Box presentation, Aitel outlines the reasons 
for creating nematodes and displayed strict protocols that can be used 
to control the beneficial worms.

He said nematodes can be automatically created from available 
vulnerability information and even showed off a new programming 
language to create the worms.

Aitel acknowledged potential problems with the concept, noting that 
worms are very hard to write and use large amounts of network 
bandwidth. Because worms are harder to target and control, he noted 
that IT administrators live in constant fear.

The concept includes the use of "Nematokens," servers that are 
programmed to only respond to requests from networks cleared for 
attacks and the NIL (Nematode Intermediate Language) that can be used 
as a specialized and simplified "assembly for worms."

The NIL can be used to convert exploits into nematodes quickly and 
easily. In some cases, Aitel believes that exploits can be written to 
NIL directly to simplify the process even more.

This will be part of your security team's toolkit," Aitel argues, 
noting that his company's work is "research-level proof of concept" 
that details the theory and theology of using beneficial worms.

"If you look at the security cost of maintaining a large network, most 
CIOs agree its way above what they want to pay. With this [nematode] 
concept, you can take advantage of automating technologies to get 
protection for pennies on the dollar. That's the drive behind 
developing a lot of these new forward-looking technologies," Aitel 
said.

"Nematodes are a step beyond the next step. We're two stages away from 
using this," he added. "The goal has always been to build the network 
that protects itself automatically with automated technologies. We're 
certainly not more than five years away from this sort of technology 
becoming something that you can buy."

"We already have an engine that takes exploits and turns them into 
worms and does it in a way that allows you to inject control 
mechanisms into that. That's something that will appeal to businesses.

[1] http://www.immunityinc.com/downloads/nematodes.pdf
[2] http://www.eweek.com/article2/0,1895,1037004,00.asp

More information about the ISN mailing list