Interesting People mailing list archives

more on READ more on Viruses


From: David Farber <dave () farber net>
Date: Tue, 24 May 2005 04:39:59 -0400



Begin forwarded message:

From: Johan <johan () ccs neu edu>
Date: May 24, 2005 1:20:41 AM EDT
To: dave () farber net
Cc: Ip ip <ip () v2 listbox com>
Subject: Re: [IP] READ more on Viruses


Christian Huitema <huitema () windows microsoft com> writes:


The "small population" argument assumes that one can predict the
psychology of malware writers. Incidents like the Witty worm show the
limits of such predictions. In fact, one could just as easily make the
opposite argument, "strength in numbers". Large populations are a larger
attack target, but they are also actively testing and developing
defenses, and thus less likely to be wiped out by a catastrophic event.


Well,

I dunno whether it's ease of infection alone, or a target-rich environment, that makes or breaks a virus.

A successful virus will be the one which has the highest chance of re-infection, which I'm going to posit is something like the product of the probabilities of finding a suitable host and then infecting it, and for how long it can keep trying.

Windows viruses have a very easy time finding new hosts by just random guessing, while having a (hopefully) smaller probability of actually infecting the target, as it is likely running some form of virus protection.

Linux viruses (or Mac or OpenBSD) will in general have a harder time finding hosts at random, but may (?) have an easier time exploiting any holes found.

However, low population doesn't mean that it's hard to find a target. For example, if I had an exploit for Apache web servers, I'd have no shortage of targets. I'm no firewall expert, but I wonder whether that wasn't the case with ISS. Firewalls are easy to find: just send traffic at a domain, and the firewall will intercept it.

The interesting part is that we've seen a marked shift in how viruses propagate. Think back to the days of sneakernet and floppies; a successful one had to be subtle - lay low and be stealthy for some time before activating, else it ran the risk of not having propagated before detection.

In contrast, today's email-borne internet viruses are a bit "blunt". I'd like to posit that the virus that will eventually sweep through the Mac or Linux communities will be more like sneakernet viruses than internet viruses. Slow and subtle.

Johan

PS: I purposefully left out zombie nets so as not to muddy the waters, but of course there's nothing stopping a population from simultaneously having subtle and blunt infections. You just notice the blunt ones first.

