Interesting People mailing list archives
more on READ more on Viruses
From: David Farber <dave () farber net>
Date: Tue, 24 May 2005 04:39:59 -0400
Begin forwarded message:
From: Johan <johan () ccs neu edu>
Date: May 24, 2005 1:20:41 AM EDT
To: dave () farber net
Cc: Ip ip <ip () v2 listbox com>
Subject: Re: [IP] READ more on Viruses
Christian Huitema <huitema () windows microsoft com> writes:
The "small population" argument assumes that one can predict the psychology of malware writers. Incidents like the Witty worm show the limits of such predictions. In fact, one could just as easily make the opposite argument, "strength in numbers". Large populations are a larger attack target, but they are also actively testing and developing defenses, and thus less likely to be swiped out by a catastrophic event.
Well, I dunno whether it's ease of infection alone, or a target-rich environment, that makes or breaks a virus.
A successful virus will be the one which has the highest chance of re-infection, which I'm going to posit is something like the product of the probabilities of finding a suitable host and then infecting it, and for how long it can keep trying.
Windows viruses have a very easy time finding new hosts by just random guessing, while having a (hopefully) smaller probability of actually infecting the target, as it is likely running some form of virus protection.
Linux viruses (or Mac or OpenBSD) will in general have a harder time finding hosts at random, but may (?) have an easier time exploiting any holes found.
However, low population doesn't mean that it's hard to find a target. For example, if I had an exploit for Apache web servers, I'd have no shortage of targets. I'm no firewall expert, but I wonder whether that wasn't the case with ISS. Firewalls are easy to find: just send traffic at a domain, and the firewall will intercept it.
The interesting part is that we've seen a marked shift in how viruses propagate. Think back to the days of sneakernet and floppies; a successful one had to be subtle - lay low and be stealthy for some time before activating, else it ran the risk of not having propagated before detection.
In contrast, today's email-borne internet viruses are a bit "blunt". I'd like to posit that the virus that will eventually sweep through the mac or linux communities will be more like sneakernet viruses than internet viruses. Slow and subtle.
Johan
PS: I purposefully left out zombie nets so as not to muddy the waters, but of course there's nothing stopping a population from simultaneously having subtle and blunt infections. You just notice the blunt ones first.