Full Disclosure mailing list archives

Re: Worm of the worm?


From: "Bruce Ediger" <eballen1 () qwest net>
Date: Sat, 15 May 2004 14:43:14 -0600 (MDT)

On Fri, 14 May 2004 Valdis.Kletnieks () vt edu wrote:

> It's really sad that Sasser has nailed *so many* machines that Dabber
> is able to propagate.

Well, what about the "Witty" worm?  It only infected machines running
a brand of firewall with a particular plug-in, as I read this document
(I'm no Windows expert):

http://www.caida.org/analysis/security/witty/

"Witty spread through a population almost an order of magnitude smaller
 than that of previous worms, demonstrating the viability of worms as
 an automated mechanism to rapidly compromise machines on the Internet,
 even in niches without a software monopoly."

That document claims "the vulnerable population of the Witty worm was only
about 12,000 computers", and goes on to imply pretty strongly that effectively
100% of the vulnerable population got infected due to the speed of infection.

I take this document to mean that a worm (a self-replicating process or
set of processes that uses network communications methods to spread)
can infect just about any size population.  Any vulnerability, even in
a small set of hosts, like the Windows hosts running ISS firewalls,
can describe a population that can support a viable worm population.

> Out in the real world, a virus that could only spread between people who were
> actively infected with the contagious phase of measles, or polio, or smallpox
> wouldn't be able to spread very well at all.

Probably true, but doesn't this point out a flaw in the biological analogy?
Network worms, unlike chainmailing viruses, and unlike plagues affecting
true biological populations, propagate in something very nearly like a
"fully-connected" network.  For a vulnerable population of computers
(those running software flawed in an exploitable way) no "herd immunity"
exists.  We cannot protect against network worms in the same fashion that
we might protect against the spread of Klez or the spread of herpes.
For "Klez" we impart "herd immunity" by immunizing the host with the
most contacts. For herpes, we gain "herd immunity" by having the highly
social entities only socialize during periods of latency, or prevent the
exchange of infectious fluids by latex membranes.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
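The post's argument is that degree-targeted immunization ("protect the host with the most contacts") buys herd immunity on a sparse contact graph but buys nothing on the near-complete graph a scanning worm sees. The toy model below, added here as an illustration and not part of Bruce's message or of the CAIDA analysis, makes that concrete: a deterministic susceptible/infected spread on a constructed complete graph versus a constructed hub-and-leaf contact graph, immunizing the k best-connected hosts in each. The graph shapes, sizes and the immunization strategy are all assumptions of the example.

```python
"""Toy SI (susceptible/infected) spread on two contact structures, with and
without immunizing the best-connected hosts. Added illustration; the graphs,
sizes and the degree-targeted strategy are constructed for this example."""
from collections import defaultdict


def complete_graph(n):
    """Every vulnerable host can reach every other, the structure a scanning
    network worm effectively sees (the post's 'fully-connected' case)."""
    return {v: {u for u in range(n) if u != v} for v in range(n)}


def hub_graph(hubs, leaves_per_hub):
    """A few highly connected hosts (hubs) that talk to each other, plus leaves
    that only talk to their own hub: a rough e-mail/social contact pattern."""
    adj = defaultdict(set)
    for h in range(hubs):
        for other in range(hubs):
            if other != h:
                adj[h].add(other)
        for i in range(leaves_per_hub):
            leaf = hubs + h * leaves_per_hub + i
            adj[h].add(leaf)
            adj[leaf].add(h)
    return dict(adj)


def immunize_highest_degree(adj, k):
    """Return the k nodes with the most contacts (ties broken by node id)."""
    ranked = sorted(adj, key=lambda v: (-len(adj[v]), v))
    return set(ranked[:k])


def spread(adj, immune):
    """Deterministic SI spread: each round, every infected node infects all of
    its non-immune neighbours. Patient zero is the lowest-numbered susceptible
    node. Returns (hosts eventually infected, size of susceptible population)."""
    susceptible = [v for v in adj if v not in immune]
    if not susceptible:
        return 0, 0
    infected = {susceptible[0]}
    frontier = set(infected)
    while frontier:
        nxt = set()
        for v in frontier:
            for u in adj[v]:
                if u not in immune and u not in infected:
                    infected.add(u)
                    nxt.add(u)
        frontier = nxt
    return len(infected), len(susceptible)


def attack_rate(adj, k):
    """Fraction of the unimmunized population eventually infected after
    immunizing the k best-connected hosts. 1.0 means no herd immunity."""
    immune = immunize_highest_degree(adj, k)
    hit, pop = spread(adj, immune)
    return hit / pop if pop else 0.0


if __name__ == "__main__":
    worm_net = complete_graph(33)        # constructed: 33 mutually reachable hosts
    mail_net = hub_graph(3, 10)          # constructed: 3 hubs, 30 leaves
    for label, g in (("complete graph", worm_net), ("hub graph", mail_net)):
        for k in (0, 3):
            print(f"{label:15s} immunize top {k}: attack rate {attack_rate(g, k):.3f}")
```

On the hub graph, immunizing the three hubs drops the attack rate from everyone to a single host, which is the herd-immunity effect the post describes for Klez. On the complete graph, immunizing any three hosts leaves every remaining vulnerable host reachable from any other, so the attack rate stays at 1.0: the only lever left is shrinking the vulnerable population itself (patching, or not exposing the service), not who gets protected first.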
