Re: Worm Attack Rate

[Paul Cardon <paul () moquijo com>]

aleph1 () securityfocus com wrote:
> Code Red II appears to have a high attack rate. A number of factors seem
> to be contributing to the observed data.
>
> This worm spawn either 300 or 600 scanning threads. The original worm
> and its variant only spawned 100.
>
> This worm uses non-blocking I/O during the connection phase. It will
> skip over hosts that are unresponsive quickly. The original worm and
> its variant would block until the connect either succeeds or timed-out.
>
> This worm display locality. Its more likely to attack machines near
> itself in the IP address space. Since the IP address space is mostly
> sparse with machines bunched in some areas this is a more effective
> method of finding other vulnerable machines that uniformly and randomly
> selecting IP address across all of the IP address space, the method
> used by the original worm and its variant.
>
> Also, because of the locality it display the same IP addresses are
> more likely to be attacked multiple times leading any single person
> to see more attacks than normal if the worm has infected a machine
> within its IP address space neighborhood. The flip side is that it
> may take longer for the worm to jump from one IP address "island"
> to another.


Even with the higher attack rate I don't think that the overall spread
will be that much faster simply because the pool of vulnerable systems
hasn't changed significantly and the original has now been running for
nearly six days on tens if not hundreds of thousands of systems. 
(Again, which methodology for determining infections is most accurate.) 
They have been able to scan a lot of other systems in that time.

However, localized spread is much faster as we are seeing.  Hosts on the
cable modem and DSL networks that are infected will target systems a lot
closer to home so there is a greater chance that those of us on such
networks will see more propagation attempts than we did with original
Code Red.  [Yes, this repeats what Elias said but I posted this to a
local mailing list I'm on before reading this thread.]

There is a principle in processor/compiler/etc. design called "locality
of reference".  It states that if a particular memory location is
accessed, then short-term future accesses are likely to be for adjacent
memory locations.  This leads to look ahead and other strategies used to
improve performance.  (Work loads can be designed or occur naturally
that make these strategies perform miserably, but I digress.)

Essentially, we may be coining a term called "locality of vulnerability"
which means that if a system is vulnerable to a particular vulnerability
it is likely that "adjacent" systems are also vulnerable.  They will
often have the same security implementation, policy and operational
posture (which includes ad hoc or null approaches ;^) ).  This is
especially true of the cable modem and DSL networks and is also going to
be true of any homogeneous hosting site.

-paul

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com