Flash Worms

From: Stuart Staniford (stuart@silicondefense.com)
Date: 08/17/01

Message-ID: <3B7C69D1.9817DACF@silicondefense.com>
Date: Thu, 16 Aug 2001 17:48:17 -0700
From: Stuart Staniford <stuart@silicondefense.com>
To: incidents@securityfocus.com, focus-ids@securityfocus.com
Subject: Flash Worms

After reading Nick Weaver's excellent analysis of the Warhol worm idea (a
worm that can infect all vulnerable servers on the Internet in less than 15
minutes), we at Silicon Defense came up with a variant of his design that
could go faster.

We argue that a well-prepared and well-designed worm could infect all
vulnerable Internet servers in less than thirty seconds - something we are
calling a Flash Worm.

If you weren't already numb with terror about how to cope with what's
likely to come down your favorite Internet pipe in the next year or two:



Stuart Staniford     ---     President     ---     Silicon Defense
         ** Silicon Defense: Technical Support for Snort **
mailto:stuart@silicondefense.com  http://www.silicondefense.com/
(707) 445-4355 x 16                           (707) 445-4222 (FAX)

