Re: [Full-Disclosure] Worm of the worm?
Date: 05/17/04

    To: Bruce Ediger <>
    Date: Mon, 17 May 2004 01:19:43 -0400

    On Sat, 15 May 2004 14:43:14 MDT, Bruce Ediger <> said:

    > That document claims "the vulnerable population of the Witty worm was only
    > about 12,000 computers", and goes on to imply pretty strongly that effectively
    > 100% of the vulnerable population got infected due to the speed of infection.

    Note that the 12K figure was arrived at in a semi-suspicious manner - they took
    the number of unique hits the 'Network Telescope' got over its /8 of address
    space and extrapolated by a factor of 256:

    "Because the network telescope contains approximately 1/256th of all IPv4
    addresses, we receive roughly one out of every 256 packets sent by an Internet
    worm with an unbiased random number generator."

    What's wrong with this picture? Hint - how many worms have we seen so far that
    have a non-*obviously*-buggy RNG? Much less one that was statistically unbiased?
    (It's a lot harder to avoid statistical bias than one might think)

    These sorts of estimates are always dangerous - there have been worms where the
    "official" victim list estimated 1 million - but over 50M machines downloaded
    the disinfection kits provided by various vendors...

    > I take this document to mean that a worm (a self-replicating process or
    > set of processes that uses network communications methods to spread)
    > can infect just about any size population. Any vulnerability, even in
    > a small set of hosts, like the Windows hosts running ISS firewalls,
    > can describe a population that can support a viable worm population.

    There is a certain lower range below which you can't propagate at any
    reasonable speed. CHRISTMA EXEC did a number on the VNET/Bitnet networks many
    moons ago, because VM was a predominant operating system on those two
    interconnected networks. I know for a fact that there are still a lot of VM
    systems on the Internet (in fact, there are probably more VM systems on the
    Internet now than there were on VNET/Bitnet at the time of that worm) -
    assuming you found an exploit, how long would it take for those systems to nail
    100%? (I'll be generous and let you assume that anybody with a big-iron box has
    at least a 100mbit pipe available.)

    How long would it take to infect all the PDP-11s on the net that are running
    BSD 2.9? (Hint - compare any sane "initial seed" list with the total
    population, and ask yourself if it's a worm or a targeted attack ;)


    Full-Disclosure - We believe in it.
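The "one packet in 256" telescope extrapolation argued over above, as an added simulation that is not code from the original post, from CAIDA, or from the Witty worm. It models a /8 telescope as "every address whose first octet matches", compares a uniform 32-bit target generator with a constructed buggy one (an assumption for this example, not Witty's actual RNG: the worm uses a 31-bit rand() value directly as the address, so the first octet never exceeds 127), and reports what the x256 rule would estimate against the true number of packets sent:

```python
"""Added example (not code from the original post, from CAIDA, or from the
Witty worm): simulate the "one packet in 256" telescope extrapolation for a
worm with an unbiased target generator and for one with a constructed bug,
and see how the extrapolation fares in each case."""
import random
from typing import Callable, Dict, Iterator

TELESCOPE_SCALE = 256  # a /8 is 2^24 of 2^32 addresses, i.e. 1/256 of IPv4


def in_telescope(addr: int, telescope_first_octet: int) -> bool:
    """A /8 telescope owns every address whose first octet matches."""
    return (addr >> 24) == telescope_first_octet


def unbiased_targets(rng: random.Random, n: int) -> Iterator[int]:
    """Uniform over the whole 32-bit space: the case the 1/256 rule assumes."""
    for _ in range(n):
        yield rng.getrandbits(32)


def buggy_targets(rng: random.Random, n: int) -> Iterator[int]:
    """Hypothetical buggy generator (an assumption for this example, not
    Witty's actual RNG): the worm uses a 31-bit rand() value as the address,
    as a C worm would if it took rand() straight without mixing.  The first
    octet is then always 0..127, so half of all /8s are never scanned and the
    other half are scanned twice as often as a uniform scanner would."""
    for _ in range(n):
        yield rng.getrandbits(31)


def telescope_hits(gen: Callable[[random.Random, int], Iterator[int]],
                   n_packets: int, telescope_first_octet: int,
                   seed: int = 20040517) -> int:
    """Count how many of n_packets worm probes land in the telescope /8."""
    rng = random.Random(seed)
    return sum(1 for a in gen(rng, n_packets)
               if in_telescope(a, telescope_first_octet))


def extrapolate(hits: int) -> int:
    """The telescope rule: multiply what the /8 saw by 256."""
    return hits * TELESCOPE_SCALE


def compare(n_packets: int = 200_000) -> Dict[str, Dict[str, int]]:
    """Run both generators against two telescopes, one in the low half of the
    address space (1/8) and one in the high half (200/8), and return the
    extrapolated packet counts next to the true number sent."""
    results: Dict[str, Dict[str, int]] = {}
    for name, gen in (("unbiased", unbiased_targets), ("buggy", buggy_targets)):
        for octet in (1, 200):
            hits = telescope_hits(gen, n_packets, octet)
            results[f"{name}@{octet}/8"] = {
                "hits": hits,
                "extrapolated": extrapolate(hits),
                "actual": n_packets,
            }
    return results


if __name__ == "__main__":
    for key, row in compare().items():
        print(f"{key:16s} hits={row['hits']:5d}  x256={row['extrapolated']:8d}  "
              f"actual={row['actual']}")
```

With the uniform generator both telescopes see about 1/256 of the traffic and the x256 estimate lands near the real 200,000. With the constructed bug the 200/8 telescope sees nothing at all (estimate: zero worm activity), while the 1/8 telescope sees roughly twice its share and the rule overstates the traffic by about 2x. Which way the error goes depends entirely on where the telescope sits relative to the generator's bias, which is why an estimate derived this way needs the worm's RNG examined before it is trusted.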
