On Mon, 30 July 2001, k claffy wrote:
so, 1 aug midnite GMT (tomorrow 17:00 in california), codered goes back into 'spread' mode. within a few hours, we'll have 100,000-300,000 globally infected machines again. and presumably they won't stop at the end of the day to start phase two this time. (remember CRv2 only had a day before it went into phase two the first time)
I agree, we were lucky on some things. But predictions are always hard because we never completely understand the problem. What natural limits (or predators) exist controlling the spread of the worm? If the worm destroys the very infrastructure it needs to survive, it tends to be self-limiting. If the worm keeps re-infecting the same machines, they tend to die and stop spreading. Custodians (i.e. system and network administrators) have shown the ability to adapt and respond if the worm is too slow. I suspect, but have no evidence, the worm can quickly spread through hundreds of thousands of machines, but then the worm's behavior tends to interfere with its ability to propagate. If it attracts attention to itself, the system administrator may take action. I know, later variants no longer change the web site. If the worm takes out DSL modems and other network infrastructure, machines behind DSL modems are isolated until a network operator can intervene. If the site is on auto-pilot, this also limits the worm.

Several folks have sent me mail saying we should be worrying about the quiet zombie machines. They feel there are far more of them on the net than the "code red" worm. But the question is what are they waiting for?

Argh, this is why I got out of security. Too many twisty passages. It is dark. You have been eaten by a Grue.
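The self-limiting argument above can be made concrete with a small epidemic model. This is an added example, not code from either poster: a deterministic random-scan worm model with two of the "predators" the reply speculates about (re-infection hits crashing already-infected hosts, and administrators cleaning up a fraction of noisy hosts each minute). All parameter values are constructed for illustration, not measurements of Code Red.

```python
# Added example: deterministic random-scan worm model with self-limiting effects.
from dataclasses import dataclass

ADDRESS_SPACE = 2 ** 32  # IPv4 addresses a random scanner spreads its probes over


@dataclass
class Outcome:
    peak_infected: float
    peak_step: int
    final_infected: float
    final_removed: float


def simulate(vulnerable, scans_per_step, crash_per_hit, cleanup_rate, steps, seed=1.0):
    """Discrete-time model; one step is one minute (all parameters constructed).

    vulnerable     - infectable hosts (a constructed count, not a measured one)
    scans_per_step - random scans each infected host sends per step
    crash_per_hit  - probability that a scan landing on an already-infected host
                     (a re-infection attempt) crashes it: "they tend to die"
    cleanup_rate   - fraction of infected hosts per step that admins take offline
                     or patch because the worm attracted attention
    """
    susceptible = float(vulnerable) - seed
    infected = seed
    removed = 0.0  # crashed or cleaned hosts: no longer scanning, no longer infectable
    peak, peak_step = infected, 0
    for step in range(1, steps + 1):
        hit_rate = scans_per_step * infected / ADDRESS_SPACE  # scans landing on one address per step
        new_infections = min(susceptible, hit_rate * susceptible)
        losses = min(infected, infected * (crash_per_hit * hit_rate + cleanup_rate))
        susceptible -= new_infections
        infected += new_infections - losses
        removed += losses
        if infected > peak:
            peak, peak_step = infected, step
    return Outcome(peak, peak_step, infected, removed)


VULNERABLE = 300_000  # constructed; the mail's own guess is 100,000-300,000 infections
SCANS = 600           # constructed: 10 scans per second per infected host


def unchecked_spread():
    # No predators: hosts never crash and nobody reacts, so the worm saturates the population
    return simulate(VULNERABLE, SCANS, crash_per_hit=0.0, cleanup_rate=0.0, steps=1440)


def self_limited_spread():
    # Every re-infection hit crashes its host; admins clean 0.5% of infected hosts per minute
    return simulate(VULNERABLE, SCANS, crash_per_hit=1.0, cleanup_rate=0.005, steps=1440)
```

Comparing the two outcomes shows the reply's point: with the same scan rate, the self-limited run peaks well below the vulnerable population and decays toward zero within the day, while the unchecked run infects essentially everything.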