From: marc at eeye.com (Marc Maiffret)
Subject: short Blaster propagation algorithm analysis

"* It uses a "choose random IP, then scan sequentially from there"
algorithm"

It is not always a random IP that is chosen. Each time a host is infected,
there is a 40% chance that it will begin at the first address of its "Class
C"-size subnet (x.x.x.0), and a 60% chance that it will start at a
completely random IP address with the last octet set to 0
([1-254].[0-253].[0-253].0).

For a more accurate analysis of this worm please visit the eEye Blaster
Analysis at: http://www.eeye.com/html/Research/Advisories/AL20030811.html

A lot of the analysis I have read has been incomplete or just plain
incorrect. Like people failing to mention that "Disabling DCOM" on Windows
2000 SP0, SP1, SP2, does not actually work. Or that Microsoft fails to
mention, in their advisory, that you must restart your system after
disabling DCOM. Etc.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
| vogt@...senet.com
| Sent: Tuesday, August 12, 2003 8:56 AM
| To: full-disclosure@...ts.netsys.com
| Subject: [Full-Disclosure] short Blaster propagation algorithm analysis
|
|
| As I have been working on analysing worm propagation
| algorithms for a while now (paper forthcoming), I did
| a short analysis and simulation/extrapolation of what
| we know about Blaster.
|
| The core points seem to be:
|
| * It should have a fairly high exploitable
|   population
| * It uses a "choose random IP, then scan sequentially
|   from there" algorithm
| * The infection should be fairly slow compared to
|   others, as it needs to first infect, then fetch
|   more stuff via tftp.
|
| At first, I thought that these last two factors
| explain why it is so slow. However, I have written a
| simple simulation system for worm propagation, and it
| shows that while random-IP+sequential-scanning is
| slower than pure random scanning, the difference is
| not very large, at most 50%.
| Also, Blaster only needs to fetch its main body if the
| infection was successful. On the other hand, I can show
| that it does spread faster this way than if it would
| fire its whole code at a prospective victim.
|
| The main part that I am still puzzling over is the
| question of just how many systems are vulnerable? Where
| "vulnerable" means that they can actually be infected.
| If they're firewalled, they aren't vulnerable as far
| as I am concerned, for example.
|
| Also, if anyone has hard data on how long Blaster takes
| to infect a machine, and how much overhead it incurs
| through handshakes, tftp communication, etc. I would be
| much obliged for that data as it would help me refine
| my simulation.
|
|
| The most important result I have so far is that the
| shape of the propagation curve looks the same as any
| other worm, and while it is slower than even the very
| first Code Red, the difference is less than a factor
| of two. Depending on the vulnerable population, things
| may be worse - the vulnerable population has a
| considerable impact on propagation speed.
|
| All this is based on what data I have, but I feel
| confident that the order-of-magnitude is correct.
|
|
|
| Tom Vogt
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|
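The reply above gives the start-address rule (40% the first address of the host's own "Class C", 60% a random one, then sequential scanning) and the quoted post describes a simulation comparing that pattern with pure random scanning. The toy epidemic model below is an added example, not code from either poster or from eEye: the address-space size, vulnerable fraction, probe rate and 90% saturation threshold are constructed parameters, and it only compares how many time steps each scan pattern needs to saturate the vulnerable population.

```python
import random

BLOCK = 256        # one "Class C"-sized block of addresses, as in the reply
N_BLOCKS = 512     # constructed: a toy Internet of 512 blocks (131072 addresses)
N = BLOCK * N_BLOCKS
PROBES_PER_TICK = 20   # constructed scan rate per infected host per time step

def choose_start(own_addr, rng):
    """Start address as described in the reply: 40% the first address of the
    host's own block, 60% the first address of a uniformly random block."""
    if rng.random() < 0.4:
        return own_addr - (own_addr % BLOCK)
    return rng.randrange(N_BLOCKS) * BLOCK

def simulate(strategy, vuln_fraction=0.05, target=0.9, seed=1, max_ticks=5000):
    """Discrete-time epidemic model: each tick every infected host probes
    PROBES_PER_TICK addresses, uniformly at random ("random") or sequentially
    from its start ("sequential"). Returns the tick reaching `target`, or None."""
    rng = random.Random(seed)
    vuln_list = rng.sample(range(N), int(N * vuln_fraction))  # constructed population
    vulnerable = set(vuln_list)
    patient_zero = vuln_list[0]
    # infected host -> its sequential scan cursor (ignored by the "random" strategy)
    infected = {patient_zero: choose_start(patient_zero, rng)}
    goal = int(len(vulnerable) * target)
    for tick in range(1, max_ticks + 1):
        newly, cursors = {}, {}
        for host, cursor in infected.items():
            for _ in range(PROBES_PER_TICK):
                if strategy == "random":
                    probe = rng.randrange(N)
                else:
                    probe = cursor % N      # wrap around the address space
                    cursor += 1
                if probe in vulnerable and probe not in infected and probe not in newly:
                    newly[probe] = choose_start(probe, rng)  # victim picks its own start
            cursors[host] = cursor
        infected.update(cursors)
        infected.update(newly)     # new victims begin scanning on the next tick
        if len(infected) >= goal:
            return tick
    return None

def compare(seed=1):
    """Ticks to 90% infection for both strategies, plus the slowdown ratio."""
    t_rand, t_seq = simulate("random", seed=seed), simulate("sequential", seed=seed)
    return t_rand, t_seq, (t_seq / t_rand if t_rand and t_seq else None)

if __name__ == "__main__":
    print("random=%s ticks, sequential=%s ticks, ratio=%s" % compare())
```

Varying `seed`, `vuln_fraction` and `PROBES_PER_TICK` shows the point made in the quoted post: the vulnerable population moves the curve far more than the choice between random and random-start-then-sequential scanning does.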

