Microsoft Works to Infect Windows Machines with Worm-Updates

Network immunology

While it is the struggle of end users, members of the security industry and ultimately Microsoft itself to keep malware off of the Windows operating system, the Redmond company is preparing a 180-degree shift in this strategy. In this context, Microsoft is proposing nothing less than to put malicious code on the users' Windows machines. Essentially, the company's research arm, the Cambridge Systems and Networking group at Microsoft Research Cambridge, in the U.K., is building a strategy and a system for infecting Windows computers with replicative code. The move is the latest in a tradition of reinventing the wheel. Replicative code provides the basis for a type of malware referred to as worms. However, Microsoft's approach is to domesticate the malicious code to the point that it will be used for update maintenance purposes.

"Can automatic patching be effective and practical in containing worms? Effective is meant to contain a worm to a small factor of the size of the population of infected hosts at worm detection time. Practical is meant that the frequency of client patch updates is reasonably small (client patch updates at regular intervals of minutes may be acceptable, while that of a fraction of second may not). We consider how effective and practical is reactive patching to contain a typical, random scanning worm. We show that already for the simple scanning strategy of random scanning worms, automatic patching system is effective, only under a lower bound on the patching rate (of the same order as the worm infection rate) - other worm scanning strategies such as that of topological worms would impose even more severe constraints," reads an excerpt of Network Immunology, the project lead by Milan Vojnovic, a researcher with systems and networks group at Microsoft Research, Cambridge.

What Vojnovic is researching is a new way of spreading updates that diverges from the current automatic patch distribution systems at Microsoft. Instead of patches being served from a central server, the updates would act like worms and replicate from one machine to the other. The worm/Microsoft update infection would start in a single machine and then contact random potential new hosts. In the eventuality that the hosts have not been infected, it would replicate itself on the target, effectively patching the operating system. Vojnovic stressed that taking a centralized server infrastructure out of the equation of serving updates would speed up the patching process. In addition, Microsoft's own work at developing the benevolent update-worm would help combat malicious counterparts.

"We consider automatic patching system where a population of hosts is partitioned into subnets. In each subnet, a patching server patches hosts in its subnets, only if in alerted state. At worm detection time, a patching server becomes alerted. Alert is distributed to other patching servers after some positive alert broadcast time. We assume patch can be automatically generated-a problem of its own and not the scope of our work. It takes some positive time for a host to become patched from the time its patch server became alerted. How fast alerts and patches need to be to contain the worm?" - it is added in the Network Immunology synopsis.