lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <MKEAIJIPCGAHEFEJGDOCMEGALIAA.marc@eeye.com>
From: marc at eeye.com (Marc Maiffret)
Subject: short Blaster propagation algorithm analysis

"* It uses a "choose random IP, then scan sequentially from there"
algorithm"

It is not always a random IP that is chosen. Each time a host is infected,
there is a 40% chance that it will begin at the first address of its "Class
C"-size subnet (x.x.x.0), and a 60% chance that it will start at a
completely random IP address with the last octet set to 0
([1-254].[0-253].[0-253].0).

For a more accurate analysis of this worm please visit the eEye Blaster
Analysis at: http://www.eeye.com/html/Research/Advisories/AL20030811.html A
lot of the analysis i have read have been incomplete or just plain
incorrect. Like people failing to mention that "Disabling DCOM" on Windows
2000 SP0, SP1, SP2, does not actually work. Or that Microsoft fails to
mention, in their advisory, that you must restart your system after
disabling DCOM. etc....

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@...ts.netsys.com
| [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of
| vogt@...senet.com
| Sent: Tuesday, August 12, 2003 8:56 AM
| To: full-disclosure@...ts.netsys.com
| Subject: [Full-Disclosure] short Blaster propagation algorithm analysis
|
|
| As I have been working on analysing worm propagation
| algorithms for a while now (paper forthcoming), I did
| a short analysis and simulation/extrapolation of what
| we know about Blaster.
|
| The core points seem to be:
|
| * It should have a fairly high exploitable
|   population
| * It uses a "choose random IP, then scan sequentially
|   from there" algorithm
| * The infection should be fairly slow compared to
|   others, as it needs to first infect, then fetch
|   more stuff via tftp.
|
| At first, I thought that these last two factors
| explain why it is so slow. However, I have written a
| simple simulation system for worm propagation, and it
| shows that while random-IP+sequential-scanning is
| slower than pure random scanning, the difference is
| not very large, at most 50%.
| Also, Blaster only needs to fetch its main body if the
| infection was successful. On the other hand, I can show
| that it does spread faster this way then if it would
| fire its whole code at a prospective victim.
|
| The main part that I am still puzzling over is the
| question of just how many systems are vulnerable? Where
| "vulnerable" means that they can actually be infected.
| If they're firewalled, they aren't vulnerable as far
| as I am concerned, for example.
|
| Also, if anyone has hard data on how long Blaster takes
| to infect a machine, and how much overhead it occurs
| through handshakes, tftp communication, etc. I would be
| much oblieged for that data as it would help me refine
| my simulation.
|
|
| The most important result I have so far is that the
| shape of the propagation curve looks the same as any
| other worm, and while it is slower than even the very
| first Code Red, the difference is less than a factor
| of two. Depending on the vulnerable population, things
| may be worse - the vulnerable population has a
| considerable impact on propagation speed.
|
| All this is based on what data I have, but I feel
| confident that the order-of-magnitude is correct.
|
|
|
| Tom Vogt
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
|


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ