Bitland.Net Security Notes            Comments? email jwilkins-at-bitland*net
More information on the author at Jonathan Wilkins's home page
RSS feed available at http://www.bitland.net/index.rss


Further analysis of the Witty worm  |  (2005/05/26 14:45)

For all who don't know:
Vern Paxson > *
If a paper has his name on it, it's always worth your time to read it. Given that, here's a new one: Exploiting Underlying Structure for Detailed Reconstruction of an Internet-Scale Event by Kumar, Paxson and Weaver.

In case you don't remember, Witty was probably the most interesting worm of the past decade. It was a flash worm, targeting installations of several of ISS's products (RealSecure Network, RealSecure Server Sensor, RealSecure Desktop and BlackICE). It infected most of the vulnerable population in just over an hour and likely used a hitlist to seed its propagation. It was also destructive, overwriting random blocks on the hard drive. It was clearly written by someone skilled, rather than relying on PoC code written by someone else.

In this paper the researchers are able to figure out an incredible amount of information about the victim hosts and the spread of the worm by using a block of unused IP address space and the fact that the worm seeded its PRNG with the infected system's time. They are able to compute each victim's uptime, bandwidth and number of disks, figure out which machine infected which others, and find out which machine was the origin of the attack. It also demonstrates the problems with using PRNGs: a generator seeded with something as predictable as the system's time gives that seed away to anyone who can observe its output.
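As an added illustration of that last point (this is constructed for this note, not code from the post or from the paper), here is a small Python model: an infected host seeds a 32-bit linear congruential generator with its uptime, and an observer who captures a couple of the generator's outputs walks it backwards to recover that uptime. The LCG constants, the 7-day uptime bound and the victim values are assumptions for the demo, not a description of Witty's actual generator.

```python
# Constructed illustration (not from the paper or the blog): a scanner that
# seeds a 32-bit linear congruential generator (LCG) with host uptime leaks
# that uptime to any observer who captures a few of its outputs, because each
# LCG step is invertible.  The constants below are an assumption for the demo,
# not a claim about the generator Witty actually used.
M = 1 << 32
A, C = 1664525, 1013904223          # assumed LCG constants (Numerical Recipes)
A_INV = pow(A, -1, M)               # A is odd, so it has an inverse mod 2^32
MAX_UPTIME = 7 * 24 * 3600          # assumed prior: host uptime under 7 days

def step(x):
    """One forward LCG step."""
    return (A * x + C) % M

def unstep(x):
    """Undo one LCG step: x_prev = (x - C) * A^-1 mod M."""
    return ((x - C) * A_INV) % M

def infected_host_outputs(uptime_seconds, n):
    """Model of the infected host: PRNG seeded with uptime, one 32-bit output
    per packet sent (the scanner derives each target from this value)."""
    x = uptime_seconds
    outputs = []
    for _ in range(n):
        x = step(x)
        outputs.append(x)
    return outputs

def chains(a, b):
    """Observer check: are a and b consecutive outputs of this generator?"""
    return step(a) == b

def seed_candidates(observed_output, max_back=1000):
    """Walk the generator backwards from one captured output and report every
    earlier state that is a plausible uptime seed, as (uptime, steps_back).
    The true seed is always in the list; a few false hits are possible because
    roughly MAX_UPTIME/2^32 of random states land in range by chance."""
    x, found = observed_output, []
    for steps_back in range(1, max_back + 1):
        x = unstep(x)
        if x < MAX_UPTIME:
            found.append((x, steps_back))
    return found

if __name__ == "__main__":
    outs = infected_host_outputs(uptime_seconds=123456, n=6)   # constructed victim
    seen = outs[2], outs[3]                                    # what the telescope caught
    print("same orbit:", chains(*seen))
    print("seed candidates (uptime, steps back):", seed_candidates(seen[0]))
```

With a real telescope the observer sees only the packets that land in its block and only the part of each output that picked the destination, so the paper's reconstruction has to brute-force the hidden state; the invertibility shown here is what makes that search tractable.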

[Worms]
