██████╗  ██████╗ ██╗  ██╗ █████╗ 
╚════██╗██╔═══██╗██║  ██║██╔══██╗
 █████╔╝██║   ██║███████║███████║
 ╚═══██╗██║   ██║██╔══██║██╔══██║
██████╔╝╚██████╔╝██║  ██║██║  ██║
╚═════╝  ╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═╝

Welcome to 3OHA, a place for random notes, thoughts, and factoids that I want to share or remember.



8 November 2022

Nematodes

With the proliferation of computer viruses and worms during the 1980s and the 1990s, some computer security researchers wondered if malware techniques could be leveraged for good. Cohen referred to this idea as benevolent malware, though the term nematode became more popular years later. Nematodes never found a niche application nor proved to be really useful in the real world. Yet, this did not stop some people from experimenting with them and exploring their potential by actually building and releasing a few examples in the wild.

Nematodes have always been a controversial idea. Most researchers consider the idea of a 'good virus' an oxymoron. One recurring point against them is the lack of control over their spread, which may cause more disruption than the evil they try to fight. Even if replication is somehow controlled, they often display unanticipated behaviors with harmful effects—for instance, installing a patch that breaks some application stack on a victim. On top of that, there are legal and ethical issues in infecting and tampering with a system without user consent.

I recently stumbled upon some old notes I had on this topic while preparing a report, so I decided to write them up here.

Shoch and Hupp's worms

In 1982, Xerox researchers John Shoch and Jon Hupp reported their experience running a series of experiments with computer worms in a paper titled "The 'Worm' Programs - Early Experience with a Distributed Computation" [1]. They conceived a worm as a distributed computation that lives on multiple machines. In their own terms, a 'segment' is the program that runs on each machine and the 'worm' is the collection of segments. A worm expands when new segments join (i.e., when segments spread copies of themselves) and contracts when a segment terminates.

Shoch and Hupp's central idea was to explore propagation mechanisms and useful payloads to run as a distributed computation over the network of "infected" hosts. They programmed several worms in BCPL and deployed them in the Xerox Palo Alto Research Center network, which included over 100 Alto computers interconnected by an Ethernet local network. Propagation was fairly simple: the worm sequentially enumerated the Ethernet address space until it found an idle host. Whether a host was idle was reported by a daemon running on each host that answered this query. Once an idle computer was found, the worm used FTP to transfer its code and asked the remote host to run it.

One interesting feature of Shoch and Hupp's worms is that they were fileless, i.e., the code never touched the disk. This decision was deliberate for two reasons: (i) the worm might land on a computer with no disk mounted; and (ii) if a user had left a disk spinning (disks back then did that), writing to the disk would have had harmful consequences. This is one of the first examples of fileless code (even if it was not malware), though for reasons very different from those that made the term popular years later.

Shoch and Hupp discovered that the biggest problem associated with worm management is controlling its growth. They reported a few worrying experiences with buggy worms that resulted in unusable machines. Mistakes aside, they explored five main applications:

Cohen's benevolent malware

After his seminal papers on computer virology, Cohen wrote in 1991 a paper titled "A Case for Benevolent Viruses" [2] in which he explored the potential for beneficial uses of computer viruses. He put forward the idea that the very same features that make viruses a threat—they can spread quickly, easily, thoroughly, and autonomously—could make them a powerful distributed computing tool. The main application for viruses envisioned by Cohen is in the parallel processing realm, in particular to efficiently and reliably distribute processing tasks across the nodes of a network. 'Worm' is perhaps a more fitting term to capture the class of programs that Cohen was describing, which are very similar to Shoch and Hupp's. But Cohen deliberately uses the term 'virus' in his paper, even when referring to the Internet (Morris) Worm, which he calls 'the Internet Virus.'

The idea of viral computation, or the use of self-replicating programs for parallel processing, was not new, but Cohen argues that the model is adequate for some applications. He points to maintenance—deleting temporary files, killing errant processes, fixing bugs, etc.—as a major application domain. Yet, Cohen's paper is not empirical and does not report practical experiences. Instead, it is an essay discussing how evolutionary mechanisms, such as random mutations and Darwinian selection, could be incorporated into computation models. His work is thus more aligned with the then-nascent areas of Artificial Life and Evolutionary Computation, and with how to develop controlled viral computing environments.

The idea of benevolent malware was later revisited by Bontchev in his essay "Are 'Good' Computer Viruses Still a Bad Idea?" [3]. Bontchev argues that many use cases suggested before, such as the anti-virus virus or the maintenance worm, are actually bad examples. He provided a list of conditions of different natures (technical, ethical, legal, and psychological) that a computer virus must meet to be beneficial, and gave insights on how to solve these issues. At Black Hat 2006 [4], Aitel expanded on these ideas, developing a framework for automatically generating beneficial worms and discussing requirements for controlled spread (e.g., adding state and using more complex communication protocols).

Real-world nematodes

There are some scattered examples of real worms that were developed and deployed in the wild to fight other worms. The earliest documented example is the case of Reaper, a worm that some consider the first antivirus ever written. The story dates back to 1971, when Bob Thomas at BBN (Bolt Beranek and Newman) wrote a program that moved autonomously between DEC PDP-10 computers using the ARPANET. Ray Tomlinson wrote a second version that made copies of itself rather than simply moving. The program, known as Creeper, was a prank that caused no harm to the computers where it landed other than displaying the message "I'M THE CREEPER. CATCH ME IF YOU CAN!" This is considered to be the first actual computer worm. The same author, Ray Tomlinson, wrote Reaper as a cure; it was also a worm, one that spread throughout the ARPANET trying to find and destroy copies of Creeper.

A second, more contemporary example of a benign worm is the case of Welchia, which is also known as MSBlast.D, LoveSan.D and Nachia. Welchia is closely linked to the infamous Blaster worm (also known as Lovsan, Lovesan and MSBlast), which spread during August 2003 on computers running Windows XP and 2000. Blaster exploited a DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026. The Welchia worm was created to fight Blaster by first exploiting and then trying to patch the same vulnerability that Blaster used to spread. As is often the case with worms, a few design and programming errors caused Welchia to exhibit harmful behavior. For instance, it scanned so aggressively for new hosts that it caused DoS conditions on many corporate networks.

Reaper and Welchia are well-known examples of malware designed to remove other malware. Some researchers actually use the term "nematode" to refer exclusively to this type of benevolent malware. Other famous nematodes are:

References

  1. J. Shoch and J. Hupp. The 'Worm' Programs - Early Experience with a Distributed Computation. Communications of the ACM, Volume 25, Issue 3, March 1982, pp. 172–180 [doi]
  2. F. Cohen. A Case for Benevolent Viruses, 1991 [link]
  3. V. Bontchev. Are "Good" Computer Viruses Still a Bad Idea? EICAR Conference, 1994 [link]
  4. D. Aitel. Nematodes - Beneficial Worms. Black Hat Federal, 2006 [link]


© 2022 Juan Tapiador