Educause Security Discussion mailing list archives

Re: Fwd: [IP] The Spread of the Sapphire/Slammer SQL Worm


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Sat, 1 Feb 2003 13:04:49 -0500

There was a research paper which came out last summer (summer of 2002)
predicting what it called the 'Andy Warhol worm' -- one which could
propagate widely around the world via the Internet and achieve a good
breadth within 15 minutes.

There are a number of versions of the paper presented in a few forms
(I think the NANOG conference had one presentation I saw).  The last
version I believe was the version presented at USENIX Security 2002:
       "How to 0wn the Internet in Your Spare Time"
               http://www.cs.berkeley.edu/~nweaver/cdc.web/

Some methods of improving quick worm propagation
are discussed in the versions of the paper.

Other references to the Andy Warhol Worm paper:

  Warhol Worms: The Potential for Very Fast Internet Plagues
  "In the future, everybody will have 15 minutes of fame" -Andy Warhol. ... The MSN messenger
  worm just reported is not a "Warhol Worm", it is a topologically aware ...
  http://www.cs.berkeley.edu/~nweaver/warhol.html - 29k - Jan. 31, 2003

  Researchers predict worm that eats the Internet in 15 minutes
  ... They called this the "Warhol worm" after artist Andy Warhol's well-known
  quote that in the future, everyone will be famous for 15 minutes. ...
  http://www.nwfusion.com/news/2002/1021worm.html - 52k

  The worm that ate the Internet?
  ... minutes. They called this the Warhol worm after artist Andy Warhol's
  quote that everyone will be famous for 15 minutes. A similar ...
  http://www.nwfusion.com/news/2002/1028worm.html - 45k - Jan. 31, 2003

  ZDNet: Story: How bigger, badder Code Red worms are being built
  ... Andy Warhol is famous for saying "In the future, everybody will have 15 minutes ... proposing
  that virus writers constructing some future Code Red-like worm add a ...
  http://www.zdnet.com/anchordesk/stories/story/0,10738,2810238,00.html - 43k - Jan. 31, 2003

On UniSOG () SANS ORG, Russell Fulton <r.fulton () auckland ac nz> had also noted that the
random IP address number generation function was not entirely random, nor did
it apparently have a good random distribution, as some vulnerable SQL Server 2000 servers
at the University of New Zealand Auckland escaped apparently untouched and unscathed.

Morrow


Dan Updegrove wrote:
Colleagues -

This study supports inferences we made from our log files -- most of the
penetration damage had been done within the first 10 minutes!

Regards,
Dan


-----Original Message-----
From: vern () ee lbl gov
Date: Fri, 31 Jan 2003 17:13:14
To: nanog () merit edu
Subject: The Spread of the Sapphire/Slammer SQL Worm


We have completed our preliminary analysis of the spread of the
Sapphire/Slammer SQL worm.  This worm required roughly 10 minutes to
spread worldwide, making it by far the fastest worm to date.  In the
early stages the worm was doubling in size every 8.5 seconds.  At its
peak, achieved approximately 3 minutes after it was released, Sapphire
scanned the net at over 55 million IP addresses per second.  It
infected at least 75,000 victims and probably considerably more.

This remarkable speed, nearly two orders of magnitude faster than Code
Red, was the result of a bandwidth-limited scanner.  Since Sapphire
didn't need to wait for responses, each copy could scan at the maximum
rate that the processor and network bandwidth could support.

There were also two noteworthy bugs in the pseudo-random number
generator which complicated our analysis and limited our ability to
estimate the total infection but did not slow the spread of the worm.

The full analysis is available at
http://www.caida.org/analysis/security/sapphire/
http://www.silicondefense.com/sapphire/
http://www.cs.berkeley.edu/~nweaver/sapphire/

David Moore, CAIDA & UCSD CSE
Vern Paxson, ICIR & LBNL
Stefan Savage, UCSD CSE
Colleen Shannon, CAIDA
Stuart Staniford, Silicon Defense
Nicholas Weaver, Silicon Defense and UC Berkeley EECS

------ End of Forwarded Message



VP for Information Technology           Phone (512) 232-9610
The University of Texas at Austin       Fax (512) 232-9607
FAC 248 (Mail code: G9800)              d.updegrove () its utexas edu
P.O. Box 7407                           http://wnt.utexas.edu/~danu/
Austin, TX 78713-7407

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/memdir/cg/.
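
The figures in the forwarded analysis (doubling every 8.5 seconds, at least 75,000 victims) can be turned into a rough response-time estimate. The following is an added example, not part of the thread or of the cited analysis. It assumes a simple logistic random-scanning model, a single initially infected host, and that the 75,000 lower bound is the entire vulnerable population.

```python
import math

# Figures quoted in the forwarded analysis.
DOUBLING_TIME_S = 8.5   # early-stage doubling time
MIN_VICTIMS = 75_000    # "at least 75,000 victims"; used as total population N (assumption)


def growth_rate(doubling_time_s=DOUBLING_TIME_S):
    """Per-second rate r for which early growth doubles every doubling_time_s."""
    return math.log(2) / doubling_time_s


def infected_at(t_s, n=MIN_VICTIMS, i0=1, doubling_time_s=DOUBLING_TIME_S):
    """Logistic estimate of infected hosts t_s seconds after release."""
    r = growth_rate(doubling_time_s)
    return n / (1 + (n - i0) / i0 * math.exp(-r * t_s))


def time_to_fraction(frac, n=MIN_VICTIMS, i0=1, doubling_time_s=DOUBLING_TIME_S):
    """Seconds until frac of the n vulnerable hosts are infected (inverse of infected_at)."""
    if not 0 < frac < 1:
        raise ValueError("frac must be strictly between 0 and 1")
    if frac * n <= i0:
        return 0.0  # already at or past this level at release
    r = growth_rate(doubling_time_s)
    return math.log(frac / (1 - frac) * (n - i0) / i0) / r


def response_window_table(fractions=(0.01, 0.10, 0.50, 0.90, 0.99)):
    """(fraction, seconds) pairs: time available before each infection level."""
    return [(f, round(time_to_fraction(f), 1)) for f in fractions]


if __name__ == "__main__":
    for frac, secs in response_window_table():
        print(f"{frac:>5.0%} of {MIN_VICTIMS} hosts after {secs:6.1f} s ({secs / 60:.1f} min)")
```

Under these assumptions the model reaches 90% of the population in roughly 165 seconds, which is consistent with the scanning peak the analysis reports about 3 minutes after release. A larger vulnerable population shifts the curve only logarithmically, so the window for manual response stays on the order of minutes.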

