[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-Disclosure] short Blaster propagation algorithm analysis

To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] short Blaster propagation algorithm analysis
From: vogt@hansenet.com
Date: Tue, 12 Aug 2003 17:55:37 +0200

As I have been working on analysing worm propagation 
algorithms for a while now (paper forthcoming), I did 
a short analysis and simulation/extrapolation of what 
we know about Blaster.

The core points seem to be:

* It should have a fairly high exploitable
  population
* It uses a "choose random IP, then scan sequentially
  from there" algorithm
* The infection should be fairly slow compared to
  others, as it needs to first infect, then fetch
  more stuff via tftp.

At first, I thought that these last two factors
explain why it is so slow. However, I have written a
simple simulation system for worm propagation, and it
shows that while random-IP+sequential-scanning is
slower than pure random scanning, the difference is
not very large, at most 50%.
Also, Blaster only needs to fetch its main body if the
infection was successful. On the other hand, I can show
that it does spread faster this way then if it would
fire its whole code at a prospective victim.

The main part that I am still puzzling over is the
question of just how many systems are vulnerable? Where
"vulnerable" means that they can actually be infected.
If they're firewalled, they aren't vulnerable as far
as I am concerned, for example.

Also, if anyone has hard data on how long Blaster takes
to infect a machine, and how much overhead it occurs
through handshakes, tftp communication, etc. I would be
much oblieged for that data as it would help me refine
my simulation.


The most important result I have so far is that the
shape of the propagation curve looks the same as any
other worm, and while it is slower than even the very
first Code Red, the difference is less than a factor
of two. Depending on the vulnerable population, things
may be worse - the vulnerable population has a
considerable impact on propagation speed.

All this is based on what data I have, but I feel
confident that the order-of-magnitude is correct.



Tom Vogt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- RE: [Full-Disclosure] short Blaster propagation algorithm analysis
  - From: "Marc Maiffret" <marc@eeye.com>

Prev by Date: Re: [Full-Disclosure] MSblast worm
Next by Date: Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
Prev by thread: RE: [Full-Disclosure] dobble-clicking msblast.exe
Next by thread: RE: [Full-Disclosure] short Blaster propagation algorithm analysis
Index(es):
- Date
- Thread