Full Disclosure mailing list archives
RE: short Blaster propagation algorithm analysis
From: "Marc Maiffret" <marc () eeye com>
Date: Tue, 12 Aug 2003 11:01:10 -0700
"* It uses a "choose random IP, then scan sequentially from there" algorithm"

It is not always a random IP that is chosen. Each time a host is infected, there is a 40% chance that it will begin at the first address of its "Class C"-size subnet (x.x.x.0), and a 60% chance that it will start at a completely random IP address with the last octet set to 0 ([1-254].[0-253].[0-253].0).

For a more accurate analysis of this worm please visit the eEye Blaster Analysis at:
http://www.eeye.com/html/Research/Advisories/AL20030811.html

A lot of the analyses I have read have been incomplete or just plain incorrect. Like people failing to mention that "Disabling DCOM" on Windows 2000 SP0, SP1, SP2 does not actually work. Or that Microsoft fails to mention, in their advisory, that you must restart your system after disabling DCOM. etc....

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin () lists netsys com
| [mailto:full-disclosure-admin () lists netsys com]On Behalf Of vogt () hansenet com
| Sent: Tuesday, August 12, 2003 8:56 AM
| To: full-disclosure () lists netsys com
| Subject: [Full-disclosure] short Blaster propagation algorithm analysis
|
| As I have been working on analysing worm propagation algorithms for a while now (paper forthcoming), I did a short analysis and simulation/extrapolation of what we know about Blaster.
|
| The core points seem to be:
|
| * It should have a fairly high exploitable population
| * It uses a "choose random IP, then scan sequentially from there" algorithm
| * The infection should be fairly slow compared to others, as it needs to first infect, then fetch more stuff via tftp.
|
| At first, I thought that these last two factors explain why it is so slow. However, I have written a simple simulation system for worm propagation, and it shows that while random-IP+sequential-scanning is slower than pure random scanning, the difference is not very large, at most 50%.
| Also, Blaster only needs to fetch its main body if the infection was successful. On the other hand, I can show that it does spread faster this way than if it would fire its whole code at a prospective victim.
|
| The main part that I am still puzzling over is the question of just how many systems are vulnerable? Where "vulnerable" means that they can actually be infected. If they're firewalled, they aren't vulnerable as far as I am concerned, for example.
|
| Also, if anyone has hard data on how long Blaster takes to infect a machine, and how much overhead it incurs through handshakes, tftp communication, etc. I would be much obliged for that data as it would help me refine my simulation.
|
| The most important result I have so far is that the shape of the propagation curve looks the same as any other worm, and while it is slower than even the very first Code Red, the difference is less than a factor of two. Depending on the vulnerable population, things may be worse - the vulnerable population has a considerable impact on propagation speed.
|
| All this is based on what data I have, but I feel confident that the order-of-magnitude is correct.
|
| Tom Vogt
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
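The two scanning strategies argued over in this thread, as an added propagation-model example that is not code from either poster or from eEye: it implements the 40%/60% start-address rule Marc describes and compares it with pure random scanning on a constructed 16-bit toy address space, where one "round" stands in for the infect-then-tftp cycle Tom mentions and the vulnerable population is an assumed 1-in-16 density. The model counts infections only; it is the kind of curve a responder uses to estimate how quickly filtering or patching has to land.

```python
import random

SPACE = 1 << 16   # constructed toy space: 16-bit instead of IPv4
BLOCK = 256       # a "Class C"-size block

def blaster_start(host, rng):
    """First address a newly infected host scans from, per the eEye description:
    40% the base of its own Class C block, 60% the base of a random block."""
    if rng.random() < 0.40:
        return host & ~(BLOCK - 1)
    return rng.randrange(SPACE // BLOCK) * BLOCK

def simulate(vulnerable, scans_per_round, rounds, strategy, seed=0):
    """Per-round infected counts. 'random': every scan hits a uniform random
    address; 'sequential': each host starts at blaster_start() and walks upward
    one address per scan. Any scan that reaches an uninfected vulnerable host
    infects it; handshake/tftp delays are abstracted into the length of a round."""
    rng = random.Random(seed)
    infected = {min(vulnerable)}      # patient zero
    cursor = {}                       # next address for each sequential scanner
    history = []
    for _ in range(rounds):
        newly = set()
        for host in infected:
            for _ in range(scans_per_round):
                if strategy == "random":
                    target = rng.randrange(SPACE)
                else:
                    if host not in cursor:
                        cursor[host] = blaster_start(host, rng)
                    target = cursor[host]
                    cursor[host] = (target + 1) % SPACE
                if target in vulnerable and target not in infected:
                    newly.add(target)
        infected |= newly
        history.append(len(infected))
    return history

def rounds_to_reach(history, count):
    """First round (1-based) at which at least `count` hosts are infected, else None."""
    for i, n in enumerate(history, 1):
        if n >= count:
            return i
    return None

if __name__ == "__main__":
    vulnerable = {a for a in range(SPACE) if a % 16 == 0}   # constructed: 1 in 16 hosts exposed
    for strategy in ("random", "sequential"):
        h = simulate(vulnerable, 8, 40, strategy)
        print(strategy, "reaches 90% after round", rounds_to_reach(h, 0.9 * len(vulnerable)))
```

Vary the density of `vulnerable` to see the effect Tom points at: the exposed population moves the curve far more than the choice between the two scanning strategies does.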