Re: Hard data on network impact of the "Code Red" worm?
On Mon, 30 July 2001, k claffy wrote:
so, 1 aug midnite GMT (tomorrow 17:00 in california), codered goes back into 'spread' mode. within a few hours, we'll have 100,000-300,000 globally infected machines again. and presumably they won't stop at the end of the day to start phase two this time. (remember CRv2 only had a day before it went into phase two the first time)
I agree, we were lucky on some things. But predictions are always hard because we never completely understand the problem. What natural limits (or predators) exist controlling the spread of the worm? If the worm destroys the very infrastructure it needs to survive, it tends to be self-limiting. If the worm keeps re-infecting the same machines, they tend to die and stop spreading. Custodians (i.e. system and network administrators) have shown the ability to adapt, and respond if the worm is too slow.

I suspect, but have no evidence, the worm can quickly spread through hundreds of thousands of machines, but then the worm's behavior tends to interfere with its ability to propagate. If it attracts attention to itself, the system administrator may take action. I know, later variants no longer change the web site. If the worm takes out DSL modems and other network infrastructure, machines behind a DSL modem are isolated until a network operator can intervene. If the site is on auto-pilot, this also limits the worm.

Several folks have sent me mail saying we should be worrying about the quiet zombie machines. They feel there are far more of them on the net than the "code red" worm. But the question is what are they waiting for?

Argh, this is why I got out of security. Too many twisty passages. It is dark. You have been eaten by a Grue.
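The propagation dynamics argued over in this thread (fast random scanning, a finite vulnerable population, administrators cleaning machines, the worm knocking its own hosts or their uplinks offline, and a spread phase that switches off on a schedule) can be made concrete with a small model. The following is an added illustration for this archive page, not code from any poster and not the worm's own logic; it is a discrete-time susceptible/infected/removed model of a blind random IPv4 scanner. Every number in it (300,000 vulnerable hosts, 20,000 probes per host per hour, 5% patch and 5% crash rates, a 10-hour spread window) is an assumption picked to show the effects, not a measurement of Code Red.

```python
"""Toy epidemic model of a random-scanning worm (added example, not from the thread).

Each infected host fires `scan_rate` probes per time step at uniformly random
IPv4 addresses.  A probe infects a host only if it lands on one of the still
susceptible machines, so the expected number of new infections per step is
infected * scan_rate * susceptible / 2**32.  Two removal channels stand in for
the "natural limits" discussed above: `patch_rate` (custodians clean or patch a
fraction of infected hosts each step) and `crash_rate` (a fraction of infected
hosts knock themselves or their uplink offline).  All parameter values below
are assumptions for illustration, not measurements of Code Red.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ADDRESS_SPACE = 2 ** 32             # IPv4 addresses a blind random scanner can pick from

State = Tuple[float, float, float]  # (susceptible, infected, removed)


@dataclass
class WormParams:
    vulnerable: int                  # hosts exposing the vulnerable service
    scan_rate: float                 # probes per infected host per time step
    patch_rate: float = 0.0          # fraction of infected hosts cleaned per step
    crash_rate: float = 0.0          # fraction of infected hosts taken offline per step
    initial_infected: int = 1
    # Spread schedule: the worm only scans while active(step) is True.  Default: always.
    active: Callable[[int], bool] = lambda step: True


def simulate(p: WormParams, steps: int) -> List[State]:
    """Run the model for `steps` time steps and return the (S, I, R) trajectory."""
    s = float(p.vulnerable - p.initial_infected)
    i = float(p.initial_infected)
    r = 0.0
    history = [(s, i, r)]
    for step in range(steps):
        new = 0.0
        if p.active(step):
            # Expected fresh infections this step; cannot exceed the susceptible pool.
            new = min(s, i * p.scan_rate * s / ADDRESS_SPACE)
        removed = i * (p.patch_rate + p.crash_rate)
        s -= new
        i += new - removed
        r += removed
        history.append((s, i, r))
    return history


def peak_infected(history: List[State]) -> float:
    """Largest infected population seen anywhere in the trajectory."""
    return max(i for _, i, _ in history)


def first_step_reaching(history: List[State], count: float) -> Optional[int]:
    """Index of the first step at which infected >= count, or None if never reached."""
    for step, (_, i, _) in enumerate(history):
        if i >= count:
            return step
    return None


# Constructed scenarios (assumed numbers).  One step = one hour.
UNLIMITED = WormParams(vulnerable=300_000, scan_rate=20_000)
LIMITED = WormParams(vulnerable=300_000, scan_rate=20_000, patch_rate=0.05, crash_rate=0.05)
# A worm that scans for only its first 10 hours and then goes dormant, to show
# how a phased spread schedule caps the population reached.
PHASED = WormParams(vulnerable=300_000, scan_rate=20_000, active=lambda step: step < 10)


if __name__ == "__main__":
    for name, params in (("unlimited", UNLIMITED), ("limited", LIMITED), ("phased", PHASED)):
        hist = simulate(params, 48)
        s, i, r = hist[-1]
        print(f"{name:9s} peak infected={peak_infected(hist):9.0f}  "
              f"after 48h: infected={i:9.0f} removed={r:9.0f} susceptible={s:9.0f}  "
              f"hour reaching 100k={first_step_reaching(hist, 100_000)}")
```

With these assumed inputs the unlimited worm saturates the whole vulnerable population in well under a day, which is the part everyone in the thread agrees on. Adding a combined 10%-per-hour removal rate barely slows the climb but leaves only a small fraction of hosts still infected two days later, and a spread window that closes after ten hours freezes the population at a few thousand machines until new copies are introduced. The model ignores NAT, address-space clumping and bandwidth exhaustion, so it is a sketch of the shape of the argument rather than a forecast.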
On Mon, Jul 30, 2001 at 03:34:39PM -0700, Sean Donelan wrote: [..]
I agree, we were lucky on some things. But predictions are always hard because we never completely understand the problem.
What natural limits (or predators) exist controlling the spread of the worm? If the worm destroys the very infrastructure it needs to survive, it tends to be self-limiting.
The worm doesn't destroy anything until typically many days after the infection/propagation, to prevent exactly what you described. Most zombies, virii etc. destroyed their own infrastructure because there wasn't a delay trigger. This time there is. Evolution of sorts. With a flaw, it can be detected from the outside. Truly dormant zombies are what's worrisome.
I suspect, but have no evidence, the worm can quickly spread through hundreds of thousands of machines, but then the worm's behavior tends to interfere with its ability to propagate. If it attracts attention to itself, the system administrator may take action. I know, later variants no longer change the web site. If the worm takes out DSL modems and other network infrastructure, machines behind a DSL modem are isolated until a network operator can intervene. If the site is on auto-pilot, this also limits the worm.
Your logic is flawed. If this was true, zombie networks would be largely ineffective. The current mutation is nothing more than an automated zombie distribution network, with all fun options of current zombie networks such as remote control, remote upgrades etc... You may want to read up on the details of this one, like the presentation at the bottom of http://www.digitalisland.net/codered/
Several folks have sent me mail saying we should be worrying about the quiet zombie machines. They feel there are far more of them on the net than the "code red" worm. But the question is what are they waiting for?
For somebody to activate the zombie network whenever it pleases them. It could lie dormant for a long time. The problem here isn't the worm itself, the problem is all the machines which aren't properly administered.

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."
On Mon, 30 July 2001, k claffy wrote:
so, 1 aug midnite GMT (tomorrow 17:00 in california), codered goes back into 'spread' mode. within a few hours, we'll have 100,000-300,000 globally infected machines again.
NTBUGTRAQ is carrying information that says that is not right. They say that currently extant copies of the thing will sleep forever, or until the host is re-booted, at which time the thing ceases to exist. The hazard tomorrow is the introduction of new copies of the thing. YMMV

--
L. F. (Larry) Sheldon, Jr.
Unix Systems and Network Administration
Creighton University Computer Center-Old Gym
2500 California Plaza
Omaha, Nebraska, U.S.A. 68178
lsheldon@creighton.edu
402 280-2254 (work)
402 681-4726 (cellular)
402 332-4622 (residence)
http://www.creighton.edu/~lsheldon

Two identifying characteristics of System Administrators: Infallibility, and the ability to learn from their mistakes. Adapted from Stephen Pinker.