Message-ID: <DF79BE12AF8DD344B107D0D03621E5750ED9A6@kermit.corp.hansenet.com>
From: vogt at hansenet.com (vogt@...senet.com)
Subject: short Blaster propagation algorithm analysis

As I have been working on analysing worm propagation 
algorithms for a while now (paper forthcoming), I did 
a short analysis and simulation/extrapolation of what 
we know about Blaster.

The core points seem to be:

* It should have a fairly high exploitable
  population
* It uses a "choose random IP, then scan sequentially
  from there" algorithm
* The infection should be fairly slow compared to
  others, as it needs to first infect, then fetch
  more stuff via tftp.

At first, I thought that these last two factors
explain why it is so slow. However, I have written a
simple simulation system for worm propagation, and it
shows that while random-IP+sequential-scanning is
slower than pure random scanning, the difference is
not very large, at most 50%.
Also, Blaster only needs to fetch its main body if the
infection was successful. On the other hand, I can show
that it does spread faster this way than if it would
fire its whole code at a prospective victim.

The main part that I am still puzzling over is the
question of just how many systems are vulnerable, where
"vulnerable" means that they can actually be infected.
If they're firewalled, they aren't vulnerable as far
as I am concerned, for example.

Also, if anyone has hard data on how long Blaster takes
to infect a machine, and how much overhead it incurs
through handshakes, tftp communication, etc., I would be
much obliged for that data as it would help me refine
my simulation.


The most important result I have so far is that the
shape of the propagation curve looks the same as any
other worm, and while it is slower than even the very
first Code Red, the difference is less than a factor
of two. Depending on the vulnerable population, things
may be worse - the vulnerable population has a
considerable impact on propagation speed.

All this is based on what data I have, but I feel
confident that the order-of-magnitude is correct.



Tom Vogt
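As an added illustration of the comparison the post describes (random scanning versus "pick a random start, then scan sequentially"), here is a small discrete-time propagation simulation. It is example code written for this page, not the author's own simulator; the address-space size, vulnerable population and probe rate are constructed parameters, and "sequential" means each infected host keeps one cursor that advances by one address per probe.

```python
import random


def simulate(n_addr, n_vuln, strategy, scans_per_tick, max_ticks, seed=0):
    """Discrete-time worm spread over an abstract address space.

    n_addr hosts exist, n_vuln of them are vulnerable (constructed values);
    one vulnerable host starts infected. Each infected host sends
    scans_per_tick probes per tick. strategy is "random" (every probe picks
    a uniformly random address) or "sequential" (random start, then +1 per
    probe, wrapping at n_addr). Returns the infected count after each tick.
    """
    rng = random.Random(seed)
    vulnerable = set(rng.sample(range(n_addr), n_vuln))
    infected = {next(iter(vulnerable))}
    cursor = {}  # per-host next address, used only by "sequential"
    history = [len(infected)]
    for _ in range(max_ticks):
        newly = set()
        for host in list(infected):
            for _ in range(scans_per_tick):
                if strategy == "random":
                    target = rng.randrange(n_addr)
                else:
                    if host not in cursor:
                        cursor[host] = rng.randrange(n_addr)  # random start
                    target = cursor[host]
                    cursor[host] = (target + 1) % n_addr
                if target in vulnerable and target not in infected:
                    newly.add(target)  # infection takes effect next tick
        infected |= newly
        history.append(len(infected))
        if len(infected) == n_vuln:
            break
    return history


def ticks_to_fraction(history, n_vuln, frac=0.9):
    """First tick at which at least frac of the vulnerable hosts are infected."""
    for tick, count in enumerate(history):
        if count >= frac * n_vuln:
            return tick
    return None


if __name__ == "__main__":
    for strat in ("random", "sequential"):
        hist = simulate(20000, 2000, strat, scans_per_tick=20, max_ticks=500)
        print(strat, "90% infected at tick", ticks_to_fraction(hist, 2000))
```

Varying n_vuln while holding n_addr fixed shows the effect of vulnerable-population density on the curve's steepness that the post mentions.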
