Full Disclosure mailing list archives

RE: AT&T early warning system


From: S G Masood <sgmasood () yahoo com>
Date: Sat, 18 Oct 2003 13:49:29 -0700 (PDT)


--- Steve Wray <steve.wray () paradise net nz> wrote:
> What if people developing worms do small test runs
> before the final release?
>
> The AT&T approach might not work if the developer
> was testing it on a private network, but if they
> used a small collection of zombies on the internet
> to test it out and see how well it works,
> conceivably it could be detected?

In most cases, technically, it will not be possible to
do a test run of a worm on a "small collection of
zombies on the internet". 
One fact that is true for most worms is that a worm
once released on the internet cannot be called back
even by the author (for various reasons like speed of
propagation, nature of propagation, etc.). If the
author wants to test the worm on a small collection of
machines on the *internet* before the final release,
he would have to considerably change the design of the
worm. This change of design itself shows that there is
no point in doing a test run on the internet because
the results from such a test would differ widely from
the actual results of the final version of the worm
used for the actual mass attack. The test version and
the final release would be entirely different
creatures.
IMHO, testing on a private network is always
preferable for highly accurate predictions.

--
S.G.Masood
Hyderabad,
India.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html