Full Disclosure mailing list archives
Re: Worm of the worm?
From: "Bruce Ediger" <eballen1 () qwest net>
Date: Sat, 15 May 2004 14:43:14 -0600 (MDT)
On Fri, 14 May 2004 Valdis.Kletnieks () vt edu wrote:
> It's really sad that Sasser has nailed *so many* machines that Dabber is able to propagate.
Well, what about the "Witty" worm? It only infected machines running a brand of firewall with a particular plug-in, as I read this document (I'm no Windows expert):

http://www.caida.org/analysis/security/witty/

"Witty spread through a population almost an order of magnitude smaller than that of previous worms, demonstrating the viability of worms as an automated mechanism to rapidly compromise machines on the Internet, even in niches without a software monopoly."

That document claims "the vulnerable population of the Witty worm was only about 12,000 computers", and goes on to imply pretty strongly that effectively 100% of the vulnerable population got infected due to the speed of infection.

I take this document to mean that a worm (a self-replicating process or set of processes that uses network communications methods to spread) can infect just about any size population. Any vulnerability, even in a small set of hosts, like the Windows hosts running ISS firewalls, can describe a population that can support a viable worm population.
> Out in the real world, a virus that could only spread between people who were actively infected with the contagious phase of measles, or polio, or smallpox wouldn't be able to spread very well at all.
Probably true, but doesn't this point out a flaw in the biological analogy? Network worms, unlike chainmailing viruses, and unlike plagues affecting true biological populations, propagate in something very nearly like a "fully-connected" network. For a vulnerable population of computers (those running software flawed in an exploitable way) no "herd immunity" exists.

We cannot protect against network worms in the same fashion that we might protect against the spread of Klez or the spread of herpes. For "Klez" we impart "herd immunity" by immunizing the host with the most contacts. For herpes, we gain "herd immunity" by having the highly social entities only socialize during periods of latency, or prevent the exchange of infectious fluids by latex membranes.