http://technology.newscientist.com/article/dn13318-friendly-worms-could-spread-software-fixes.html

By Tom Simonite
NewScientist.com news service
14 February 2008

Microsoft researchers are hoping to use "information epidemics" to distribute software patches more efficiently.

Milan Vojnovic and colleagues from Microsoft Research in Cambridge, UK, want to make useful pieces of information such as software updates behave more like computer worms: spreading between computers instead of being downloaded from central servers.

The research may also help defend against malicious types of worm, the researchers say.

Software worms spread by self-replicating. After infecting one computer they probe others to find new hosts.

Most existing worms randomly probe computers when looking for new hosts to infect, but that is inefficient, says Vojnovic, because they waste time exploring groups or "subnets" of computers that contain few uninfected hosts.

Smart strategies

Vojnovic's team have designed smarter strategies that can exploit the way some subnets provide richer pickings than others.

The ideal approach uses prior knowledge of the way uninfected computers are spread across different subnets. A worm with that information can focus its attention on the most fruitful subnets, infecting a given proportion of a network using the smallest possible number of probes.

But although prior knowledge could be available in some cases (a company distributing a patch after a previous worm attack, for example), usually such perfect information will not be available. So the researchers have also developed strategies that mean the worms can learn from experience.

In the best of these, a worm starts by randomly contacting potential new hosts. After finding one, it uses a more targeted approach, contacting only other computers in the same subnet. If the worm finds plenty of uninfected hosts there, it keeps spreading in that subnet, but if not, it changes tack.

Spreading the load

"After it fails to reach new uninfected hosts a fixed number of times in a row, say 10, it moves on to find new groups using random sampling," explains Vojnovic. This approach performs almost as efficiently as the strategies using prior knowledge.

Because no central server needs to provide and coordinate all the downloads and bear all the load, software patches that spread like worms could be faster and easier to distribute.

"These strategies can minimise the amount of global traffic across the network," Vojnovic says.

The research has a second potential benefit. "If we understand how future worms might be capable of spreading, we can design better countermeasures," says Vojnovic.

For example, some of the new strategies would flatten the usual spike in overall network activity that can give away software worm attacks, but instead they would be revealed by spikes in local traffic.

'Perfect worm'

Chuanyi Ji at Georgia Tech University, US, is also interested in designing a "perfect worm". As well as revealing weaknesses of networks, such a worm could rush out defensive software patches faster than an attacking worm can spread, she says.

Ji has examined records of previous worm attacks, and says there is evidence that some already use similar, if less refined, tricks to those developed by the Microsoft team. For example, the Blaster worm preferentially tries to infect local computers, like one of Vojnovic's worms.

"We may see improvements to these kind of strategies appearing in future, so it is good to investigate the worst they could do," says Ji.

A paper on the Microsoft research will be presented at the 27th Conference on Computer Communications (INFOCOM) in Arizona, US, in April 2008.
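
The detection point made above (flat overall activity, spikes in local traffic) can be sketched as follows. This is an added example, not code from the article or from the Microsoft research; the /24 subnet size, the thresholds, the flow-record format and the sample data are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict
from statistics import median

PREFIX = 24  # assumption: a "subnet" is a /24
FACTOR = 5   # assumption: alert above 5x the median of earlier windows
FLOOR = 20   # assumption: ignore counts too small to matter

def subnet(ip):
    return ipaddress.ip_network(f"{ip}/{PREFIX}", strict=False)

def count_contacts(flows):
    """flows: (window, src_ip, dst_ip) tuples -> global and per-subnet local counts."""
    total, local = Counter(), defaultdict(Counter)
    for window, src, dst in set(flows):  # count each distinct contact once
        total[window] += 1
        if subnet(src) == subnet(dst):   # contact stays inside the source's subnet
            local[str(subnet(src))][window] += 1
    return total, local

def spikes(series, windows):
    """Windows whose count is >= FLOOR and > FACTOR x median of all earlier windows."""
    hits = []
    for i in range(1, len(windows)):
        baseline = max(median(series[w] for w in windows[:i]), 1)
        if series[windows[i]] >= FLOOR and series[windows[i]] > FACTOR * baseline:
            hits.append(windows[i])
    return hits

def detect(flows):
    total, local = count_contacts(flows)
    windows = sorted(total)
    local_hits = {net: spikes(c, windows) for net, c in local.items()}
    return {"global": spikes(total, windows),
            "local": {net: h for net, h in local_hits.items() if h}}

def sample_flows():
    """Constructed data: steady cross-subnet traffic, local burst in window 3."""
    flows = []
    for w in range(4):
        flows += [(w, f"10.0.{i % 50}.10", f"10.1.{i}.20") for i in range(200)]
        flows += [(w, "10.0.5.10", f"10.0.5.{j}") for j in range(1, 4)]
    flows += [(3, "10.0.5.10", f"10.0.5.{j}") for j in range(100, 160)]
    return flows

if __name__ == "__main__":
    print(detect(sample_flows()))
```

On the constructed data the network-wide count rises from 203 to 263 contacts, well under the global threshold, while the per-subnet view flags 10.0.5.0/24 in window 3.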