Full Disclosure mailing list archives
short Blaster propagation algorithm analysis
From: vogt () hansenet com
Date: Tue, 12 Aug 2003 17:55:37 +0200
As I have been working on analysing worm propagation algorithms for a while now (paper forthcoming), I did a short analysis and simulation/extrapolation of what we know about Blaster. The core points seem to be:

* It should have a fairly high exploitable population
* It uses a "choose random IP, then scan sequentially from there" algorithm
* The infection should be fairly slow compared to others, as it needs to first infect, then fetch more stuff via tftp.

At first, I thought that these last two factors explain why it is so slow. However, I have written a simple simulation system for worm propagation, and it shows that while random-IP+sequential-scanning is slower than pure random scanning, the difference is not very large, at most 50%. Also, Blaster only needs to fetch its main body if the infection was successful. On the other hand, I can show that it does spread faster this way than if it would fire its whole code at a prospective victim.

The main part that I am still puzzling over is the question of just how many systems are vulnerable? Where "vulnerable" means that they can actually be infected. If they're firewalled, they aren't vulnerable as far as I am concerned, for example.

Also, if anyone has hard data on how long Blaster takes to infect a machine, and how much overhead it incurs through handshakes, tftp communication, etc. I would be much obliged for that data as it would help me refine my simulation.

The most important result I have so far is that the shape of the propagation curve looks the same as any other worm, and while it is slower than even the very first Code Red, the difference is less than a factor of two. Depending on the vulnerable population, things may be worse - the vulnerable population has a considerable impact on propagation speed.

All this is based on what data I have, but I feel confident that the order-of-magnitude is correct.

Tom Vogt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
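The post compares three factors that shape a worm's propagation curve: pure random probing versus "random start, then sequential" probing, the size of the vulnerable population, and the delay a freshly infected host spends fetching its body before it scans. The following is an added illustration of that kind of simulation, not Tom Vogt's simulator and not derived from any worm code: it is a discrete-time susceptible/infected model over an abstract address space of integers, so nothing is probed and no network I/O happens. The address-space size, scan rate, vulnerable count, and fetch delay are all assumed parameters chosen for speed, not measured Blaster figures.

```python
"""Toy worm-propagation simulator (added illustration, not the post's code).

Discrete-time SI model over an abstract address space: addresses are plain
integers, probes are set lookups, and nothing touches a network.  It lets the
reader reproduce the comparisons discussed in the post: random versus
random-start-sequential scanning, the effect of the vulnerable population,
and the effect of a post-infection fetch delay (the tftp step).
"""
import random


def simulate(space_size, vulnerable, scans_per_tick, strategy="random",
             fetch_delay=0, max_ticks=5000, seed=1):
    """Return the number of infected hosts after each tick, as a list.

    space_size     - size of the abstract address space (assumed, e.g. 2**16)
    vulnerable     - how many addresses can actually be infected (assumed)
    scans_per_tick - probes every active infected host sends per tick (assumed)
    strategy       - "random" (uniform probes) or "sequential" (random start,
                     then consecutive addresses), as contrasted in the post
    fetch_delay    - ticks a newly infected host waits, "fetching its body",
                     before it starts scanning itself
    The run stops early once every vulnerable host is infected.
    """
    rng = random.Random(seed)
    # Scatter the vulnerable hosts over the space; every other probe is wasted.
    vulnerable_set = set(rng.sample(range(space_size), vulnerable))
    infected = set()
    active_at = {}   # host -> first tick at which it scans
    cursor = {}      # sequential strategy: next address each host will probe
    first = next(iter(vulnerable_set))
    infected.add(first)
    active_at[first] = 0
    history = []
    for tick in range(max_ticks):
        newly = []
        for host in list(infected):
            if active_at[host] > tick:
                continue  # still fetching its payload, not scanning yet
            for _ in range(scans_per_tick):
                if strategy == "random":
                    target = rng.randrange(space_size)
                else:
                    if host not in cursor:
                        cursor[host] = rng.randrange(space_size)  # random start
                    target = cursor[host]
                    cursor[host] = (target + 1) % space_size      # then sequential
                if target in vulnerable_set and target not in infected:
                    newly.append(target)
        for target in newly:
            infected.add(target)
            active_at[target] = tick + 1 + fetch_delay
        history.append(len(infected))
        if len(infected) == vulnerable:
            break
    return history


def time_to_fraction(history, fraction, total):
    """First tick at which at least fraction*total hosts are infected, or None."""
    threshold = fraction * total
    for tick, count in enumerate(history):
        if count >= threshold:
            return tick
    return None


if __name__ == "__main__":
    # Assumed toy parameters: a 2**16 address space, 2000 vulnerable hosts,
    # 10 probes per host per tick.  Compare the two scanning strategies.
    for strategy in ("random", "sequential"):
        hist = simulate(2 ** 16, 2000, 10, strategy, seed=7)
        print(strategy, "ticks to 50%:", time_to_fraction(hist, 0.5, 2000),
              "ticks to 100%:", len(hist))
```

Running the script prints the tick at which each strategy reaches half and all of the vulnerable population; varying `vulnerable` between runs shows how strongly the exploitable population governs the slope of the curve, and a non-zero `fetch_delay` shows the cost of a two-stage infection. The curves are logistic in shape regardless of strategy, which is the qualitative point the post makes; the absolute numbers depend entirely on the assumed parameters.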
Current thread:
- short Blaster propagation algorithm analysis vogt (Aug 12)
- RE: short Blaster propagation algorithm analysis Marc Maiffret (Aug 12)