Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worms Going Further, Faster

Posted by timothy on from the thanks-for-your-attention dept.

Major Byte writes "Rob Kolstad's MOTD (pdf) column in Usenix login; passes along a few distilled factiods from a CAIDA analysis of the 'Sappire/Slammer' Worm. When it was at full blast it was scanning over 3 billion systems per hour--a speed that 'a "better" vulnerability would have enabled infection of the entire internet in 15 minutes, a "flash worm" or a "Warhol Worm."' I think 'better' to mean 'able to infect across a lot of platforms.'"

6 of 301 comments (clear)

  1. Oh no! Shut the Interweb off! by ObviousGuy · · Score: 5, Insightful

    There's a lot that can't be done about these things because at the very bottom of every system is a human being who will forget to patch the system or stupidly open an executable.

    There is no patch for human carelessness.

    --
    I have been pwned because my /. password was too easy to guess.
  2. UDP all the way! by Gothmolly · · Score: 5, Insightful

    The nice part about Slammer is that it could just spew data - if it hit you, and you were vulnerable, you were infected. It didn't require any complicated TCP sessions, was MUCH nicer on host resources, and the entire hack fit inside a single packet. Hard to improve on this really, perhaps using LZIP to shrink the size of the payload.

    --
    I want to delete my account but Slashdot doesn't allow it.
  3. Doomsday in a good way? by maliabu · · Score: 5, Insightful

    in THE Doomsday, those who don't believe will be wiped out.

    so if we have this fast-spreading virus, wouldn't it just wipe out those who don't patch and maintain their servers properly?

    and what's left are those nicely patched servers which serve the internet better and everyone's happy ever after.

  4. Re:Why do delinquents bother? by aphor · · Score: 5, Insightful

    Why is it so hard to find the author of these programs?
    Because there are so many no-talent hacks out there who *could* have written that lump of nasty crap.

    In the beginning days, on the Apple ][ computers in my grade-school, we learned to guess our way through cracking floppy-disk copy-protected games by comparing a cracked game and a pristine byte-by-byte copy of the original. We eventually learned that a certain byte word combination was the first hardware keyboard access, and we could guess that spot was a good place to stick a jump. Then we tried a few addresses until it worked. In grade school.

    Later, as PCs wormed into the classroom around 286 vintage, there were boot sector viruses. I knew how to use a low-level (nibble) disk editor, but I never quite overcame the awe of the self-replicating TSR.

    What really grabbed me was how a really good (insidious) virus could have such a low footprint that it could go undetected for so long. The programmers of those viruses were gifted binary ecologists. I knew then that the games I played were bloated when one year the game took one disk, and the second year you had to swap two disks even though there was little extra play for all the extra data. I envied the virus programmers for their wizardly and miserly command of the machine's meager resources. I even dreamt of the day that I could crank one out like putting together a jigsaw puzzle.

    Now I am older, and the opportunity for that conquest was stolen by Moore's Law. The games (and all software in general) got bloatier and bloatier. There was so much waste, and the machines got so fast so fast, that I saw clever programming die. I was sad. It wasn't until (after I bought a student copy of Borland C++ and was stultified by the massive bloat of win16 API) that I became acquainted with Unix (FreeBSD in particular) around 1.2.1 vintage. I rediscovered elegant software.

    Now, I understand the vulgar joy in duping someone else, but only a jackass gets off duping people who compare to invertibrates on an intellectual scale. VB worms are the modern-day equivalent of burning ants with a magnifying glass. "Letth thaw off hith tweeter Beavith! Hehehehehe Heheheheh..."

    --
    --- Nothing clever here: move along now...
  5. Re:Oh no! Shut the Interweb off! by Gordo_1 · · Score: 5, Insightful

    Actually, this is exactly where a portion of the security community is currently focusing. With a deep enough level of protocol understanding, it's often possible to write generalized algorithms that detect (and presumably block) novel attempts to exploit a known vulnerability. For example, in the case of SQL Slammer, the buffer overflow vulnerability disclosure came many months before the worm hit, and at least a couple intrusion detection vendors were able to positively identify the exploit attempt without requiring an update -- one of the keys to protection against such a rapidly propagating worm.

  6. Re:Oh no! Shut the Interweb off! by GigsVT · · Score: 5, Insightful

    I'm no historian, but I bet plate armor was more for intimidation factor than anything else.

    I bet a hundred shiny enemy knights on horses really does a lot to demoralize your thousand foot soldiers.

    I think a lot of modern security is the same way, deter most attacks with shiny armor, and minimize damage on the inevitable attacks that will get through.

    Now the real problem these days is the companies selling cheap tin armor and telling people it's the strongest steel. Some things never change. :)

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.