| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: Worm of the worm? On Sat, 15 May 2004 14:43:14 MDT, Bruce Ediger <eballen1@...st.net> said: > That document claims "the vulnerable population of the Witty worm was only > about 12,000 computers", and goes on to imply pretty strongly that effectively > 100% of the vulnerable population got infected due to the speed of infection. Note that the 12K figure was arrived at in a semi-suspicious manner - they took the number of unique hits the 'Network Telescope' got over its /8 of address space and extrapolated a factor of 256: "Because the network telescope contains approximately 1/256th of all IPv4 addresses, we receive roughly one out of every 256 packets sent by an Internet worm with an unbiased random number generator." What's wrong with this picture? Hint - how many worms have we seen so far that have a non-*obviously*-buggy RNG? Much less one that was statistically unbiased? (It's a lot harder to avoid statistical bias than one might think) These sort of estimates are always dangerous - there have been worms where the "official" victim list estimated 1 million - but over 50M machines downloaded the disinfection kits provided by various vendors... > I take this document to mean that a worm (a self-replicating process or > set of processes that uses network communications methods to spread) > can infect just about any size population. Any vulnerability, even in > a small set of hosts, like the Windows hosts running ISS firewalls, > can describe a population that can support a viable worm population. There is a certain lower range below which you can't propagate at any reasonable speed. CHRISTMA EXEC did a number on the VNET/Bitnet networks many moons ago, because VM was a predominate operating system on those two interconnected networks. I know for a fact that there's still a lot of VM systems on the Internet (in fact, there's probably more VM systems on the Internet now than there were on VNET/Bitnet at the time of that worm) - assuming you found an exploit, how long would it take for those systems to nail 100% (I'll be generous and let you assume that anybody with a big-iron box has at least a 100mbit pipe available). How long would it take to infect all the PDP-11s on the net that are running BSD 2.9? (Hint - compare any sane "initial seed" list with the total population, and ask yourself if it's a worm or a targeted attack ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040517/1894e92b/attachment.bin
Powered by blists - more mailing lists