Re: [Full-Disclosure] Worm of the worm?
To: Bruce Ediger <email@example.com> Date: Mon, 17 May 2004 01:19:43 -0400
On Sat, 15 May 2004 14:43:14 MDT, Bruce Ediger <firstname.lastname@example.org> said:
> That document claims "the vulnerable population of the Witty worm was only
> about 12,000 computers", and goes on to imply pretty strongly that effectively
> 100% of the vulnerable population got infected due to the speed of infection.
Note that the 12K figure was arrived at in a semi-suspicious manner - they took
the number of unique hits the 'Network Telescope' got over its /8 of address
space and extrapolated a factor of 256:
"Because the network telescope contains approximately 1/256th of all IPv4
addresses, we receive roughly one out of every 256 packets sent by an Internet
worm with an unbiased random number generator."
What's wrong with this picture? Hint - how many worms have we seen so far that
have a non-*obviously*-buggy RNG? Much less one that was statistically unbiased?
(It's a lot harder to avoid statistical bias than one might think)
These sort of estimates are always dangerous - there have been worms where the
"official" victim list estimated 1 million - but over 50M machines downloaded
the disinfection kits provided by various vendors...
> I take this document to mean that a worm (a self-replicating process or
> set of processes that uses network communications methods to spread)
> can infect just about any size population. Any vulnerability, even in
> a small set of hosts, like the Windows hosts running ISS firewalls,
> can describe a population that can support a viable worm population.
There is a certain lower range below which you can't propagate at any
reasonable speed. CHRISTMA EXEC did a number on the VNET/Bitnet networks many
moons ago, because VM was a predominate operating system on those two
interconnected networks. I know for a fact that there's still a lot of VM
systems on the Internet (in fact, there's probably more VM systems on the
Internet now than there were on VNET/Bitnet at the time of that worm) -
assuming you found an exploit, how long would it take for those systems to nail
100% (I'll be generous and let you assume that anybody with a big-iron box has
at least a 100mbit pipe available).
How long would it take to infect all the PDP-11s on the net that are running
BSD 2.9? (Hint - compare any sane "initial seed" list with the total
population, and ask yourself if it's a worm or a targeted attack ;)
Full-Disclosure - We believe in it.
- application/pgp-signature attachment: stored