Message-ID: <Pine.LNX.4.58.0405151423050.11439@stratigery.qwest.net>
From: eballen1 at qwest.net (Bruce Ediger)
Subject: Worm of the worm?

On Fri, 14 May 2004 Valdis.Kletnieks@...edu wrote:

> It's really sad that Sasser has nailed *so many* machines that Dabber
> is able to propagate.

Well, what about the "Witty" worm? It only infected machines running
a brand of firewall with a particular plug-in, as I read this document
(I'm no Windows expert):

http://www.caida.org/analysis/security/witty/

"Witty spread through a population almost an order of magnitude smaller
than that of previous worms, demonstrating the viability of worms as
an automated mechanism to rapidly compromise machines on the Internet,
even in niches without a software monopoly."

That document claims "the vulnerable population of the Witty worm was only
about 12,000 computers", and goes on to imply pretty strongly that effectively
100% of the vulnerable population got infected due to the speed of infection.

I take this document to mean that a worm (a self-replicating process or
set of processes that uses network communications methods to spread)
can infect just about any size population. Any vulnerability, even in
a small set of hosts, like the Windows hosts running ISS firewalls,
can describe a population that can support a viable worm population.

> Out in the real world, a virus that could only spread between people who were
> actively infected with the contagious phase of measles, or polio, or smallpox
> wouldn't be able to spread very well at all.

Probably true, but doesn't this point out a flaw in the biological analogy?
Network worms, unlike chainmailing viruses, and unlike plagues affecting
true biological populations, propagate in something very nearly like a
"fully-connected" network. For a vulnerable population of computers
(those running software flawed in an exploitable way) no "herd immunity"
exists. We cannot protect against network worms in the same fashion that
we might protect against the spread of Klez or the spread of herpes.

For "Klez" we impart "herd immunity" by immunizing the host with the
most contacts. For herpes, we gain "herd immunity", by having the highly
social entities only socialize during periods of latency, or prevent the
exchange of infectious fluids by latex membranes.
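
Added example, not part of the original message: a reachability model of the topology argument above, comparing a mail-style contact graph with a fully-connected population of vulnerable hosts. The host names, the hub-and-spoke shape and the function names are constructed assumptions; the model looks only at who can reach whom, not at infection speed.

```python
from collections import deque

def reachable_infections(contacts, patient_zero, immunized=frozenset()):
    """Hosts an infection starting at patient_zero can reach (breadth-first),
    never entering or passing through an immunized host."""
    if patient_zero in immunized:
        return set()
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        host = queue.popleft()
        for peer in contacts[host]:
            if peer not in infected and peer not in immunized:
                infected.add(peer)
                queue.append(peer)
    return infected

def contact_graph(hub, leaves):
    """Mail-style topology (assumed): each leaf only knows the hub's address."""
    graph = {leaf: {hub} for leaf in leaves}
    graph[hub] = set(leaves)
    return graph

def scanning_graph(hosts):
    """Worm topology: every vulnerable host can reach every other one directly."""
    return {h: set(hosts) - {h} for h in hosts}

def best_single_immunization(contacts, patient_zero):
    """Immunize each other host in turn; return (host, infected_count) for the
    choice that leaves the fewest infected hosts (ties: first by name)."""
    candidates = sorted(h for h in contacts if h != patient_zero)
    return min(
        ((h, len(reachable_infections(contacts, patient_zero, {h})))
         for h in candidates),
        key=lambda pair: pair[1],
    )

# Constructed sample population: one well-connected host and nine others.
LEAVES = [f"pc{i}" for i in range(1, 10)]
MAIL = contact_graph("mailhub", LEAVES)
WORM = scanning_graph(["mailhub"] + LEAVES)

if __name__ == "__main__":
    print("mail-style:", best_single_immunization(MAIL, "pc1"))
    print("scanning  :", best_single_immunization(WORM, "pc1"))
```

In the mail-style graph, immunizing the host with the most contacts confines the infection to the first host; in the fully-connected graph, no single immunization protects any other host.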