HP's "good" worm

Opinion: No, it's not a worm, but HP's Active Countermeasures uses wormlike techniques to find and secure vulnerable systems. Although we shouldn't be afraid, it needs to be used judiciously.

Worms and other malware employ a variety of techniques to find new systems to attack. Many of them scan the network for systems containing specific, remotely exploitable vulnerabilities. Some of the fastest and most successful worms, such as Slammer and Code Red, worked this way.

HP thinks two can play at that game. The company has released its Active Countermeasures technology to a limited beta audience. It's an innovative network scanning tool that looks for systems on the network that "are unmapped or do not comply with security policy, and therefore represent vulnerable points in the network."

When it finds these systems, it "automatically deploys policy-driven mitigation techniques." It appears that the scanner actually exploits the vulnerabilities in order to gain control and deploy the mitigation techniques.

Taking the biological metaphor for all it's worth, HP says this is part of a "corporate immune system" that includes other innovative techniques such as a mail server that implements the company's "Virus Throttler," which sets rate-limiting on mail connections to limit the damage that mail worms can do.

Joe Pato, a distinguished technologist at HP Labs, spoke about this technology at the RSA conference in San Francisco earlier this year, where he likened the technique to vaccination, in which the patient receives a less virulent form of the infection.

So, it's a network vulnerability scanner with a difference. One might expect Active Countermeasures to be more effective against rogue systems on the network than a conventional scanner, but to what degree? If a system is not supposed to be there, do you really want to patch it and install your anti-virus client, or do you want to block it off the network somehow and alert the administrator?

It's not hard to imagine many problems resulting from aggressive use of this technology, although not everyone would call all of them problems. For instance, the guest or consultant who connects to the network without going through all of the proper channels first
