Message-ID: <200405170519.i4H5JhoO001049@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: Worm of the worm? 

On Sat, 15 May 2004 14:43:14 MDT, Bruce Ediger <eballen1@...st.net>  said:

> That document claims "the vulnerable population of the Witty worm was only
> about 12,000 computers", and goes on to imply pretty strongly that effectively
> 100% of the vulnerable population got infected due to the speed of infection.

Note that the 12K figure was arrived at in a semi-suspicious manner - they took
the number of unique hits the 'Network Telescope' got over its /8 of address
space and extrapolated a factor of 256:

"Because the network telescope contains approximately 1/256th of all IPv4
addresses, we receive roughly one out of every 256 packets sent by an Internet
worm with an unbiased random number generator."

What's wrong with this picture? Hint - how many worms have we seen so far that
have a non-*obviously*-buggy RNG?  Much less one that was statistically unbiased?
(It's a lot harder to avoid statistical bias than one might think)

These sorts of estimates are always dangerous - there have been worms where the
"official" victim list estimated 1 million - but over 50M machines downloaded
the disinfection kits provided by various vendors...

> I take this document to mean that a worm (a self-replicating process or
> set of processes that uses network communications methods to spread)
> can infect just about any size population.  Any vulnerability, even in
> a small set of hosts, like the Windows hosts running ISS firewalls,
> can describe a population that can support a viable worm population.

There is a certain lower range below which you can't propagate at any
reasonable speed.  CHRISTMA EXEC did a number on the VNET/Bitnet networks many
moons ago, because VM was a predominant operating system on those two
interconnected networks.  I know for a fact that there's still a lot of VM
systems on the Internet (in fact, there's probably more VM systems on the
Internet now than there were on VNET/Bitnet at the time of that worm) -
assuming you found an exploit, how long would it take for those systems to nail
100% (I'll be generous and let you assume that anybody with a big-iron box has
at least a 100mbit pipe available).

How long would it take to infect all the PDP-11s on the net that are running
BSD 2.9? (Hint - compare any sane "initial seed" list with the total
population, and ask yourself if it's a worm or a targeted attack ;)

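Added example, not part of the message above or of the paper it discusses: a Python simulation of the "telescope hits x 256" extrapolation under an unbiased destination generator and under a hypothetical generator with a stuck top bit. The generator names, host count, packet count and telescope prefixes are constructed; the point is that the x256 rule is only exact under the unbiasedness assumption the message questions.

```python
"""How sensitive the 'telescope count x 256' extrapolation is to RNG bias.

Constructed model: each infected host picks 32-bit destinations with its own
PRNG; a /8 network telescope counts every packet whose first octet equals the
telescope's prefix; the population of packets is then estimated as count x 256.
"""
import random

TELESCOPE_SHARE = 256  # a /8 is 1/256th of the IPv4 address space


def unbiased_targets(rng, n):
    """Uniform 32-bit destinations: the assumption the x256 rule relies on."""
    return [rng.getrandbits(32) for _ in range(n)]


def stuck_bit_targets(rng, n):
    """Hypothetical buggy generator (constructed): the top address bit is
    always set, so first octets 0-127 never occur and 128-255 occur twice
    as often as they should."""
    return [rng.getrandbits(32) | 0x80000000 for _ in range(n)]


def telescope_count(targets, prefix):
    """Packets a /8 telescope at prefix.0.0.0/8 would observe."""
    return sum(1 for t in targets if (t >> 24) == prefix)


def estimate_total(observed):
    """The extrapolation under discussion: scale the /8 sample by 256."""
    return observed * TELESCOPE_SHARE


def simulate(target_fn, prefix, hosts=200, packets_per_host=1000, seed=1):
    """Return (true_packets_sent, estimated_packets_sent) for one run."""
    rng = random.Random(seed)
    observed = 0
    for _ in range(hosts):
        observed += telescope_count(target_fn(rng, packets_per_host), prefix)
    return hosts * packets_per_host, estimate_total(observed)


def estimation_error(target_fn, prefix, **kw):
    """Ratio estimate/true: 1.0 means the x256 rule held; 0 or 2 means
    the telescope sat in a never-hit or doubly-hit part of the space."""
    true_total, est = simulate(target_fn, prefix, **kw)
    return est / true_total


if __name__ == "__main__":
    for name, fn in (("unbiased", unbiased_targets), ("stuck-bit", stuck_bit_targets)):
        for prefix in (10, 200):
            print(f"{name:10s} telescope {prefix}/8: estimate/true = "
                  f"{estimation_error(fn, prefix):.2f}")
```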