Re: [Full-Disclosure] interesting?

From: Simon Richter (Simon.Richter@hogyros.de)
Date: 02/01/03

    To: batz <batsy@vapour.net>
    From: Simon Richter <Simon.Richter@hogyros.de>
    Date: Sat, 1 Feb 2003 13:54:36 +0100
    

    Hi,

    > According to the analysis posted to NANOG by a number of
    > researchers (http://www.caida.org/analysis/security/sapphire/),
    > it infected the majority of hosts within the first 10 minutes.

    [...]

    > This seems important because it shows that a high rate
    > of saturation can be achieved among network nodes as
    > effectively (if not more so) using random distribution, as by
    > using a structured or hierarchical distribution strategy.

    Actually, that was what the worm author did. The algorithm generates new
    numbers from the current (i.e. it has some sort of knowledge what hosts
    have already been infected) plus a not-really-predictable component
    (system time, IIRC) plus some sort of counter because the system clock
    is so slow.

    So what we have witnessed is the structured approach. The question
    remains whether the worm author is a maths wizard or just plain lucky.

       Simon

    -- 
    GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
    
    
