Phil Rosenthal wrote:

> Also, say someone from a moderately fast internet connection (OC-3) ran nmap across the entire internet on ports like 21, 22, 53, 80, 443, 3306. In one day, they can probably have a list of every server answering those ports, and the versions of the daemons on them.

Given the ability (which anyone can have with a few downloaded scripts) to subvert poorly secured machines on cable or DSL links and make them do the work, you could do this without a fast connection, and without being obvious enough to raise major alarms from intrusion detection systems. It might take a few weeks or even months. For some types of target, you may not even need nmap. Look at MX records, or at mail headers, to find mail servers, and at news headers to find Usenet servers. Use a web crawler, or an existing index, to find web and FTP servers. Or write a little program that searches the DNS for names with leftmost element ftp, mail, pop, smtp, www, ns, dns, ... These won't get you a full list, but perhaps enough.

> Next, just wait for a wide enough exploit to come out, and then write a Trojan that has a list of every other server vulnerable,

You don't need them all, just a few thousand with good net connections to get things rolling. Once you have those infected, it doesn't matter if your method of spreading further is inefficient; you'll get everything anyway. Also, you may not need a new exploit. Many systems are not patched against the old ones, and it is certainly possible to try multiple exploits in a single worm.

> and on every hack, it splits the list in 2, and roots another box and gives it the 2nd half of the list.

Better, give it the whole list and have each instance start at a random point in the list. That way, even if some instances are caught and killed, you still get the whole list.

> I estimate that with a wide enough exploit (e.g. apache or openssh), you could probably compromise 20% of the servers on the net within 1 hour,

For better estimates and detailed discussion of worm design, see: http://www.cs.berkeley.edu/~nweaver/warhol.html

> and then have them all begin a ping flood of something "far away" network wise (meaning a box in NYC would flood a box in SJC, a box in SJC would flood a box in Japan, etc., trying to have as much bit distance as possible).

Why futz with a ping flood? If the objective is to take down the net, you want to attack infrastructure -- nameservers, routers, ...

From that viewpoint, the ideal worm would use whatever it needed to become widespread, but would switch attacks once it had spread, trying for known holes in things like BIND or IOS, or just flooding the root name servers.

> Damn scary, but I believe if someone was determined enough, they could take down the whole 'net within one hour of pressing "enter".