Anti-worm
From Wikipedia, the free encyclopedia
Anti-worm has multiple meanings within the field of computer security. It can be a piece of software designed to protect against computer worms, combining the features of anti-virus software and a personal firewall. It can also mean a worm designed to do something that its author feels is helpful.
Concept
The concept of "anti-worms" is a proactive method of dealing with virus and computer worm outbreaks. Just like malicious computer worms, anti-worms reach computers by scanning IP ranges and placing a copy of themselves on vulnerable hosts. The anti-worm then patches the computer's vulnerability and uses the affected computer to find other vulnerable hosts. Anti-worms have the ability to spread just as fast as regular computer worms, utilizing the same "scan, infect, repeat" model that malicious computer worms use.
Criticism
Many computer security experts have denounced the so-called "anti-worm". Their position is that no code should be run on a system without the system owner's consent. Worm code, even if its author has good intentions, can wreak havoc on a network. It can overflow the traffic capacity of the network. Its author does not know the exact configuration of the system on which the code is running, and it could render that system useless for its intended purpose.
It is important to note that most jurisdictions which have computer crime laws covering worms do not distinguish "worms" from "anti-worms," thus making the author(s) of such code liable to prosecution.
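As an added illustration of the "scan, infect, repeat" model and of the traffic criticism above (this is not code from the article): an expected-value simulation of a random-scanning worm, followed some ticks later by an anti-worm that patches both unpatched and worm-infected hosts. The address-space size, vulnerable population, scan rate and release delay are constructed assumptions, not measurements of any real outbreak.

```python
"""Expected-value model of a random-scanning worm followed by an anti-worm.
Added illustration, not code from the article; every number (address space,
population, scan rate, release delay) is a constructed assumption."""


def simulate(n_vulnerable=100_000, address_space=2**32, scans_per_tick=10_000,
             anti_release_tick=30, ticks=200):
    """Return one dict per tick with susceptible / worm / anti-worm host counts
    and the total scan traffic (scans per tick) both populations generate."""
    susceptible, worm, anti = float(n_vulnerable - 1), 1.0, 0.0
    p_hit = 1.0 / address_space  # chance one random scan lands on one given host
    rows = []
    for t in range(ticks):
        if t == anti_release_tick:
            # the anti-worm author seeds one host, preferably one the worm missed
            if susceptible >= 1.0:
                susceptible -= 1.0
            else:
                worm -= 1.0
            anti += 1.0
        # both populations scan blindly; expected finds are capped by what is left
        worm_want = worm * scans_per_tick * p_hit * susceptible
        anti_want = anti * scans_per_tick * p_hit * susceptible
        total = worm_want + anti_want
        share = min(1.0, susceptible / total) if total > 0 else 0.0
        worm_new, anti_new = worm_want * share, anti_want * share
        # the anti-worm also lands on worm-infected hosts and patches them
        cleaned = min(worm, anti * scans_per_tick * p_hit * worm)
        susceptible -= worm_new + anti_new
        worm += worm_new - cleaned
        anti += anti_new + cleaned
        rows.append({"tick": t, "susceptible": susceptible, "worm": worm,
                     "anti": anti, "scans": (worm + anti) * scans_per_tick})
    return rows


def first_tick_reaching(rows, key, threshold):
    """First tick at which rows[key] >= threshold, or None if never."""
    return next((r["tick"] for r in rows if r[key] >= threshold), None)


def peak_scans(rows):
    """Largest per-tick scan volume the two populations put on the network."""
    return max(r["scans"] for r in rows)


if __name__ == "__main__":
    rows = simulate()
    for r in rows[::20]:
        print(f"t={r['tick']:3d} susceptible={r['susceptible']:9.0f} "
              f"worm={r['worm']:9.0f} anti={r['anti']:9.0f} scans={r['scans']:.2e}")
    print(f"peak scans per tick: {peak_scans(rows):.2e}")
```

The scan load peaks at the full population times the scan rate whichever side holds the hosts, which is the point of the criticism: a patched host running an anti-worm still generates the worm's traffic.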
Example
The Santy worm was released shortly before Christmas 2004 and spread quickly, using Google to search for vulnerable versions of phpBB. The worm exploited a bug in the phpBB software to infect the host, defacing the website and deleting all of the messages stored on the forums. The worm was poised to spread to hundreds of thousands of other websites running the phpBB forum. Approximately 10 days after the worm's launch, someone released another worm to combat the Santy worm and patch the vulnerable phpBB forum. The anti-Santy worm spread quickly, affecting thousands of servers running phpBB.
However, the anti-Santy worm caused problems of its own. Many site administrators reported that the anti-worm crashed their systems by flooding them with requests, resulting in a denial-of-service attack. Others reported that the patch did not work.
Whether or not the anti-worm had a significant positive impact on the spread of the Santy worm is unknown. Within several hours of Santy's release, Google blocked the search string the worm was using to find vulnerable hosts. Thus, the worm could not find new hosts to infect. There is no way to determine if Google's actions or the anti-Santy worm did more to protect hosts.
Anti-worms have also been used to combat the effects of the Code Red worm.[1]