3 min read

Could a 'good worm' save the Internet of Things from the Mirai botnet?


October 31, 2016

Promo Protect all your devices, without slowing them down.
Free 30-day trial
Could a 'good worm' save the Internet of Things from the Mirai botnet?

The Mirai botnet has certainly has made its presence felt – hijacking control over poorly-protected Internet of Things devices across the globe to launch massive denial-of-service attacks.

And the problem isn’t an easy one to fix. Even if manufacturers of vulnerable devices urge customers to change the default passwords or prevent their gadgets from being accessed from the outside world, there’s no guarantee that a significant number of people will actually listen.

And many of the vulnerable devices have no update infrastructure, removing the possibility of pushing out patches as would be done if the at-risk devices were desktop PCs running Windows or macOS.

In other words, it’s an almighty mess.

But now one person thinks they have a potential solution. Software engineer Leo Linsky has published code – based upon the leaked source code of Mirai – that could spread like a worm, breaking into vulnerable web-connected cameras and other devices to change their default login credentials.

Linsky shares more details of his counter-Mirai research on Github:

“The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device- specific or random. Such a tool could theoretically be used to reduce the attack surface.”

Linsky calls his creation an “anti-worm worm (or nematode)”.

I call it a potential breach of computer crime legislation.

You see, altruistic as it might appear to patch other people’s internet devices, you shouldn’t do it without their consent. Logging into someone else’s internet devie and changing their settings without permission is breaking the law in the United States, United Kingdom and many other countries around the world.

Over twenty years ago, veteran malware researcher Vesselin Bontchev wrote a seminal paper on the subject of beneficial malware, “Are ‘good’ computer viruses still a bad idea?”, and his arguments still stand up today.

For instance, aside from the legal issues, anyone releasing the “anti-worm worm” has no control over how it would spread, or the resources it might gobble up as it scours the internet looking for more vulnerable devices to patch. Furthermore, what sort of testing would be done on the viral code in a controlled environment before it is unleashed onto the public internet, and what mechanisms might exist for updating it when (inevitably) its own bugs are found?

Even if you think your anti-worm worm works well now, questions must be asked about its compatibility into the future – and how it might act if, as seems possible, it encounters other people’s attempts to create anti-worm worms.

And how would such a worm tell the difference between devices that are candidates for patching and those which should definitely be left well alone (such as those running critical systems, or those set up by researchers as honeypots to examine Mirai’s activities)?

Finally, is it possible that cybercriminals could take the code of Linsky’s creation and use it as the inspiration for their own malware (just as Linsky based his upon Mirai’s leaked code), and create an even greater menace?

Fortunately, Linsky himself seems to recognise that it would be a mistake to release Nematode onto the internet:

“This is meant to only be tested in closed research environments. Use of this software is at your own risk.”

The Internet of insecure Things is most definitely a serious problem, and one that is likely to continue to make its presence felt for a long time to come. But I don’t think releasing an anti-worm worm is the right way to deal with these significant challenges.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.

View all posts

You might also like