Security Incidents mailing list archives

RE: Worm Attack Rate


From: "Miles Sabin" <msabin () interx com>
Date: Mon, 6 Aug 2001 12:26:15 +0100

aleph1 () securityfocus com wrote,
> This worm displays locality. It's more likely to attack machines near
> itself in the IP address space. Since the IP address space is mostly
> sparse with machines bunched in some areas this is a more effective
> method of finding other vulnerable machines than uniformly and
> randomly selecting IP addresses across all of the IP address space,
> the method used by the original worm and its variant.

I think there might be another angle on locality which might explain
the rate of compromise. Intuitively it seems quite likely that
_vulnerable_ machines will be clustered together, for a couple of
reasons,

* On networks with an IIS host, it's quite likely that any other
  HTTP servers will also be IIS.

* On networks with an unpatched IIS host, it's quite likely that any
  other IIS instances will also be unpatched.

both on the assumption that networks will be fairly uniform, both in
terms of the software their hosts are running, and in terms of local
security practices.

Cheers,


Miles

-- 
Miles Sabin                                     InterX
Internet Systems Architect                      27 Great West Road
+44 (0)20 8817 4030                             Middx, TW8 9AS, UK
msabin () interx com                               http://www.interx.com/
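
Added example, not part of the original message or of either poster's work: a small model of the clustering argument above, computing the per-probe chance of reaching another vulnerable host under uniform selection and under locality-biased selection. The address-space size, the number and size of the clusters, and the 0.5 locality bias are constructed assumptions, not measurements of the worm.

```python
import random

NETS, HOSTS = 4096, 256          # constructed address space: 4096 networks of 256 addresses
TOTAL = NETS * HOSTS

def clustered(rng, shops=40, per_shop=30):
    """Vulnerable hosts bunched into a few uniform, unpatched networks (assumed sizes)."""
    vuln = set()
    for net in rng.sample(range(NETS), shops):
        for host in rng.sample(range(HOSTS), per_shop):
            vuln.add(net * HOSTS + host)
    return vuln

def scattered(rng, count):
    """Control case: the same number of vulnerable hosts spread uniformly."""
    return set(rng.sample(range(TOTAL), count))

def hit_rates(vuln, local_bias=0.5):
    """Exact per-probe chance of reaching another vulnerable host,
    averaged over vulnerable sources. Returns (uniform, locality_biased)."""
    per_net = {}
    for addr in vuln:
        per_net[addr // HOSTS] = per_net.get(addr // HOSTS, 0) + 1
    uniform = (len(vuln) - 1) / (TOTAL - 1)
    # A source in a network holding n vulnerable hosts has n-1 vulnerable
    # neighbours among the HOSTS-1 other addresses on that network.
    near = sum(n * (n - 1) / (HOSTS - 1) for n in per_net.values()) / len(vuln)
    return uniform, local_bias * near + (1 - local_bias) * uniform

def compare(seed=2001):
    rng = random.Random(seed)    # fixed seed so the constructed layout is repeatable
    c = clustered(rng)
    s = scattered(rng, len(c))
    return {"clustered": hit_rates(c), "scattered": hit_rates(s)}

if __name__ == "__main__":
    for name, (u, l) in compare().items():
        print(f"{name:9s} uniform={u:.6f} local={l:.6f} ratio={l / u:.1f}x")
```

In the scattered control the two rates come out nearly equal, so in this model the gain from locality comes from vulnerable hosts sharing networks, which is why one unpatched host is a reason to check the rest of its network.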

