Why a "Good" Worm May be a Bad Idea

A computer worm that has wriggled its way inside millions of unpatched computers over the past few months has experts discussing some drastic countermeasures.

Conficker (aka Downup, Downadup and Kido) has infected millions of computers, installing code that gets them ready for further commands. Naturally, network administrators and security experts are pretty concerned about what the next step might be–perhaps unleashing a tsunami of spam, or maybe bombarding a banking site with an unmanageable amount of traffic in an extortion scheme.

One expert who spoke to The New York Times says that some folks are already working on a controversial countermeasure–unleashing a “good” (or “white”) computer worm that would exploit the same vulnerabilities as Conficker in order to disinfect all the machines that are compromised.

“Yes, we are working on it, as are many others,” said one botnet researcher who spoke on the grounds that he not be identified because of his plan. “Yes, it’s illegal, but so was Rosa Parks sitting in the front of the bus.”

Analysis of the worm shows how this might work. Since the worm is programmed to contact a specific set of web addresses and wait to receive further code, hijacking these addresses could squish the worm before it does much damage. Phillip Porras a researcher at SRI international, who has been studying the spread of Conficker, says that some of the domains linked with the worm have already been registered by “white hat” hackers. These well-intentioned experts might be hoping to simply prevent the worm from receiving further commands, or they might be looking for a way to inject their own viral code into the Conficker network.

Creating a “good” worm sounds like a smart idea, until you really think about it. Nicholas Weaver, a network security researcher at Berkeley’s International Computer Science Institute, explains the potential pitfalls of such an approach in this 2006 Usenix article (pdf). Aside from the legal issues involved with infecting millions of machines, Weaver says it would be incredibly difficult to program a worm to target only those machines that have been infected and avoid causing damage to other systems. History would seem to back him up–in 2004 a white worm called Welchia was released in an effort to clean up thousands of systems infected with a worm called Blaster. Unfortunately, Welchia failed to rid these computers of Blaster and only succeeded in clogging up corporate networks even more.