I believe there is major and perhaps fatal flaw in this analysis. Valdis.Kletnieks@vt.edu wrote:
On Sat, 31 Jan 2004 18:24:42 GMT, "Stephen J. Wilcox" said:
I'm not sure what the point of the DoS is if its intended to be a spam engine, that would have the effect of helping to identify and hence clean up the infections.
Ahh.. you didn't take the time to think it through. ;)
Consider - the perpetrator releases a *very* noisy worm with a DDoS engine on it (admittedly buggy). Then you go on vacation someplace warm and sunny, where visually attractive people of your preferred gender are walking around wearing a lot more than you need to wear where you were...
^^^^ The analysis works if that was the word "less".
Computers catch it. Computers spew it. Computers do their DDoS tapdance. Hopefully users and ISP staff notice and take action.
Then 3 weeks later, you come back, tanned and rested - and run another scan. If you find your spam backdoor on port 3127 *still* open on a machine, you can be fairly sure you can spam away with impunity - if the user and their ISP didn't notice the box spewing mail the FIRST time, they won't notice the second time.....
I doubt that the length of 3 is important. Based on my past experience "Then 3 weeks later" can be replaced by "Some time later when the cold is gone".