NETI@home Data Analyzed

An anonymous reader writes "The NETI@home Internet traffic statistics project (featured in Wired and Slashdot previously) has a quick analysis on the malicious traffic they observed. It's a rough world out there." Perhaps not suprising, but still disheartening, the researchers find among other things that a large portion of typical end-user traffic consists of malicious connection attempts.

Re:RBL of infected/malicious sites?

[glesga_kiss]

There are some. This site has several different blocklists, such as ad-hosts, anti-p2p bodies, spyware companies, hackers, trackers, trojans etc. The link above lists what's available. Sure, the lists aren't 100% acurate, but they are a lot better than nothing.

Very highly recommended. With the case of p2p, it's good to keep your head down. It's the tall ones that get their heads chopped off...

They also have software to convert the lists to various formats for use in different firewalls. iptables fans should check out "linblock". Beware though, a large list can take an hour to parse on your typical recycled firewall box, but the tool merges the ranges to keep the tables as short as possible.

Recent Worms DO organize to manage utilization

[billstewart]

Most of the interesting recent viruses *do* have some level of organization to reduce duplication of effort, and the postulated "Warhol Worms" designed to take over the entire Internet in 15 minutes would need to do so, because otherwise they're not as effective. Some of them pre-scan the net to find a list of vulnerable machines to infect first, and then haul around parts of the list. Others partition the address space quasi-deterministically (e.g. Phase 1 scans all of the valid /8 address spaces until it's infected some machine in each one, Phase 2 scans all of the 256 /16 address spaces within its /8 until it's affected one in each, Phase 3 scans all of the 256 /24 addresses within its /16, Phase 4 scans all the 256 addresses within its /24.

Code Red II implemented a randomized variant on this: "1/8th of the time, CodeRedII probes a completely random IP address. 1/2 of the time, CodeRedII probes a machine in the same /8 (so if the infected machine had the IP address 10.9.8.7, the IP address probed would start with 10.), while 3/8ths of the time, it probes a machine on the same /16 (so the IP address probed would start with 10.9.)" It means the worms don't have to keep track of phases, but it gets similar effects, and while there is more chance of overlap, it's not too high until the worm's infected most of the net, and the added random searches help make up for machines that didn't successfully infect their netblocks due to firewalls or failures or simple slowness.

At least one worm that took this sort of approach had a bad random number generator, so it kept hitting the same territory too hard and missing other wide-open spaces, which protected a few parts of the net from infection.