Anti-worm (sometimes helpful worm), has multiple meanings in the field of computer security. It can be a piece of software designed to protect against computer worms, combining the features of anti-virus software and a personal firewall. It can also refer to a worm designed to do something that its author feels is helpful, though not necessarily with the permission of the executing computer's owner.
The concept of the "anti-worm", or "helpful worm", is a proactive method of dealing with virus and computer worm outbreaks. This type of worm delivers its payload by doing helpful actions instead of malicious actions. Just like malicious computer worms, anti-worms reach computers by scanning IP ranges and placing a copy of themselves on vulnerable hosts. The anti-worm then patches the computer's vulnerability and uses the affected computer to find other vulnerable hosts. Anti-worms have the ability to spread just as fast as regular computer worms, utilizing the same "scan, infect, repeat" model that malicious computer worms use.
Anti-worms have been used to combat the effects of the Code Red, Blaster, and Santy worms. Welchia is an example of a helpful worm. Utilizing the same deficiencies exploited by the Blaster worm, Welchia infected computers and automatically began downloading Microsoft security updates for Windows without the users' consent. It automatically rebooted the computers, installing the updates. One of these updates was the patch that fixed the exploit.
Other examples of helpful worms are "Den_Zuko", "Cheeze", "CodeGreen", and "Millenium".
The Santy worm was released shortly before Christmas 2004 and spread quickly, using Google to search for vulnerable versions of phpBB. The worm exploited a bug in the phpBB software to infect the host, defacing the website, and deleting all of the messages stored on the forums. The worm was poised to spread to hundreds of thousands of other websites running the phpBB forum. Approximately 10 days after the worm's launch, someone released another worm to combat the Santy worm and patch the vulnerable phpBB forum.
The anti-Santy worm spread quickly, affecting thousands of servers running the phpBB. The anti-Santy worm, however, caused some problems of its own. Many site administrators reported that the anti-worm crashed their systems by flooding them with requests, resulting in a denial-of-service attack. Still others reported that the patch did not work.
Whether or not the anti-worm had a significant positive impact on curtailing the spread of the Santy worm is unknown. Within several hours of Santy's release, Google blocked the search string the worm was using to find vulnerable hosts. Thus, the worm could not find new hosts to infect. There is no way to determine if Google's actions or the anti-Santy worm did the most to protect hosts.
Many computer security experts have denounced the so-called "anti-worm". Their position is that no code should be run on a system without the system owner's consent. Even though they do not do anything "malicious", most helpful worms do not log events, and some automatically reboot the computer (without the user's consent) as part of the installation process. They can put a strain on the network as they spread and download updates. Worm code, even if its author has good intentions, can wreak havoc on the network. It can overflow the traffic capacity of the network. Its author can not know the exact configuration of the systems on which the code will run, and it could render that system useless for its intended purpose.
Most jurisdictions that have computer crime laws covering worms do not distinguish "worms" from "anti-worms", thereby making the author(s) of such code liable to prosecution.
- 'Anti-worms' fight off Code Red threat (archived at the Internet Archive on September 14, 2001)
- The Welchia Worm. December 18, 2003. p. 1. Retrieved 9 June 2014.