Slashdot Mirror
What Does a Spreading Worm Look Like?
quibbs0 writes "When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures."
What Does a Spreading Worm Look Like?
This is what a spreading worm looks like.
^_^
____
~ |rip/\/\aster /\/\onkey
...do you mean like this?
"A truly wise man realizes he knows nothing."
That is exactly what it looks like, a windows executable installer launched off of a web page with unknow origin.
Got Code?
Linking directly to an MSI file in a slashdot story.
Rocket science is easy. Neurosurgery, now *that's* difficult.
"So, what does a worm look like when it spreads? Install this program to find out!"
and ALT-F4 will activate "ultra mode"
-- 'The' Lord and Master Bitman On High, Master Of All
It's good to see the worm simulator is only slightly less platform independant than your average worm.
Perhaps Symantec figure the only ones who would want to look at a spreading worm are those most affected by it??
It won't even run the Microsoft Worm simulators. I'm missing out on all the fun with worms and viruses (virii).
Interesting, but I would be slightly more interested in a real-time actual plot. Do they have that available as well?
see a Text Widget
And it's a .msi file, hence Windows only.
How appropriate.
Il n'y a pas de Planet B.
You mean one that's been stepped on? It looks something like this.
Hey, at least I'm not trying to launch an executable on you.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
screenshots, anyone?
I can't believe Slashdot wants us to learn how a virus spreads by encouraging us to download an MSI executable off the home page!
That would be like me going to the doctor and having him ask me if I know how HIV is spread and then asking me to take my pants off.
It was just some dork opening various joke emails from his dorky friends.
I'm a big tall mofo.
Ok, it's not that useful this time, but I'm doing this to learn :)
r .msi.torrent
http://dload.digitalriviera.com/SRL_Worm_Simulato
On similar theme, current issue of IEEE Spectrum has article on How to Hook Worms
Is it just me or do others see some issues with the people who provide the cure also providing the pictures documenting the severity of the infection? Symantec, for one, has already been slammed for sounding the alarms and hyping the dangers in order to elevate the demand for their product. Now I'm to trust their software that shows dramatic footage!! of these insidious worms assaulting the world as we know it.
Next you'll probably want me to go ask the Bush camp if we should invade Iran or the Democrats if we should repeal the two term law and re-elect Clinton again. On my way I'll stop by the car dealership and see if my current car is okay or if I should get a new one just to be safe.
You must be the change you wish to see in the world - Ghandi
I guess it's a nifty little cute program in a non-technical sense. But I see nothing more here than a program that (at least seemingly) arbitrarily places a red dot on a spinning globe biased to developed nations along a timeline where you can load up various "different worms" which frankly all look the same. I would say this is one step up from a clunky/dorky flash. It would have been nice if it was at all a little bit more technical.
I've been reading (and occasionally posting) to Slashdot for years.
.MSI file has convinced me that you are now just a bunch of clueless morons.
However this farcical link to a
Goodbye.
Agent USA was the original virus simulator. It was a game for the Atari 800 in 1985.
"He's lost in a 'floyd hole"
Yegads... Informative?
Running OS X 10.3.9, I get:
1. "No default application specified for SRL_Worm_Simulator.msi"
2. "Cannot play back the file. File format is invalid"
[Is SRI hinting at something???]
--- Attorneys Assisting Citizen-Soldiers & Families -
I've already see how a worm spreads. Especially one that initially grows exponentially with a time constant of 8.5 seconds. Yes, 8.5 seconds.
Slammer
Pay attention to the time and infected hosts data at the bottom.
IWARS.
People, in general, disappoint me. Politicians even more so.
... and in a WWW based format, as opposed to the executable from an AV company. I think it was two of their researchers -- Colleen Shannon and David Moore. The animation for Code Red is here .
Comment removed based on user account deletion
One of the reasons that worms spread exclusively on Windows is because you need end to end linkage. A simplified model is if I wanted to send a message to Kevin Bacon, I'd talk to friend A who knows an actor, who talks to Friend B, then friend C, who then talks to Kevin. If I tell someone who doesn't speak the language, the linkage is broken and my original message can no longer propogate.
In other words, a computer can only infect other computers through being infected itself (unless if the system is just serving files). Worms can't move through unsupported systems. Once it hits OS X or Linux system, it can't move anywhere. Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless if it gains in terms of marketshare.
I was wondering if anyone has figured out how to write new simulations for it. This would be more interesting and useful if you could write your own simulations with your own paramaters to test how the networks you are on would compare. I tried editing the simulations that are provided but all that is affected is the speed at which the percentages change.
Couldnt view that as my firewall stopped it.
Symantec has issued yet another warning that the world will end as soon as all the worms and viruses unite against true carbon-based life forms. Symantec CEO John W. Thompson was quoted as saying, "If people would have heeded all our warnings about the coming war between reality and virtual reality we would not be headed for certain doom." At that point he started crying as his company's stock soared to record highs.
Up next, Symantec issues a warning to the Mac/UNIX community saying that their computers are too safe from Windows-based viruses. "We can no longer support operating systems that flaunt their security in face of corporate IT managers everywhere when millions of starving children are dying of malnutrition."
The Weekly World News news service will be right back after this message from our sponsor, Symantec. Ensuring your fear, uncertainty and doubt since 1982.
Since many think they write most of them anyway.
This is Slashdot after all.
I like that 1970's American television ad with the cute girl who visually demonstrates exponential growth while trying to advertise something like Brek shampoo.
"I [infected] two friends.
And they [infected] two friends.
And so on.
And so on.
And so on."
Withe the screen splitting at each phrase and winding up with 32 versions of the cute girl, it's much more visually entertaining than this demo.
No it is not. At least my norton antivirus enterprise edition 10.0 with updated signatures does not flag this file.
;)
I should be safe.
ps:
ps2: Note to moderators: this is funny, not informative!
Tell me Symantec hasn't trademarked a shade of yellow.
The Worm Simulator will be rolled out initially to members of the Symantec Sales organization for demonstrations to enterprise customers. In addition, the Worm Simulator could become a future television star during news coverage of worm outbreaks, enabling viewers to watch a virus as it spreads. Symantec Security Response intends to use the simulator for TV appearances as well.
Translation:
We invented a new, computer-assisted sales pitcher. It could also be used as a FUD spreader on TV.
Just
... is this the reason why they always hype up outbreaks?? Things are starting to make sense now ...
It seems like they fail to take a number of things into account with the sim. For one, when I ran the Sasser simulation, it followed a pretty straightforward and accurate progression. Things went slowly at first, and then picket up speed as time progressed.
But within 20 days, there were no infected nodes, anywhere; as someone who works in a penetration testing lab without a firewall, I really have to say that this is not real. And within 52 days, 100% of the world was patched. What? It was more than 95% within 30 days too, and I don't believe that either. There's no accounting for new systems coming out of the box (and onto the net) without patches, and no representation for the fact that there will never, ever be 100% coverage for any patch.
That said, it is a pretty interesting tool to see how things spread, both globally and within an organization. You just have to keep in mind that it doesn't tell the whole story.
For your security, this post has been encrypted with ROT-13, twice.
Not only is an animated GIF not a virus, but it's not some scare tactic windows program by an anti-virus company.
To keep this from being a pointless "mod up" post,
The full article is http://www.caida.org/analysis/security/sapphire/
/. discussed the Witty worm back in 2004. This analysis used UCSD Network Telescope IP block (containing 1/256 of IPv4 space) to sample the randomly spewed packets created by the worm. They were able to analyze quite a few interesting features, including the fact that the worm was jump-started by an infection of about 110 PCs at the outset, 24-hour cycles in infected/reinfected machines, and data on the distribution of bit-rates of worm transmitters.
Two wrongs don't make a right, but three lefts do.
Today an internal customer asked me why Slashdot seemed to be broken. I check the firewall logs and, lo and behold, discover 66.35.250.150 triggered the firewall's IDS for tweaking port 2000/TCP.
Why was /. poking at that port on my firewall, particularly
considering
what's usually there?
Are you protected in 2 answers
Do you understand computers and how to run one securely? Yes/No if Yes continue, if no then you arn't.
Is a patch finished and installed? If yes then you're fine. If no then you arn't protected.
Obviously opening strange program files comes under number 1, but they may make it three points if you wish.
I like muppets.
If it's gonna be a marketing pitch, they should at least make it PowerPoint so the people that try to get money to buy the solutions can make it management friendly... A few slides, some small buzzwords and presto! People get funding! Makes me crazy...Crazier. Whatever.
"It is a miracle that curiosity survives formal education." -Albert Einstein
Ha! You get both!
Nonsense:
/i msifile.msi
wine msiexec
And like most worms it's only available on Windows.
A linux binary that could chmod +x itself, and then execute? Preferently as root, so it can open a port in the iptables firewall? :-) Yeah, I didn't think so either.
It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
Which requires a Windows installation.
You were saying?
Il n'y a pas de Planet B.
Don;t open the link, it will wipe your hard drive and steal all your passwords, empty your bank account and blow up your monitor and printer...
Seriously, this is exactly how this shit spreads - get someone to download something "cool" - one reason why I never get crack patches from the warez sites...
And the people shall be oppressed, every one by another, and every one by his neighbour Isaiah 3:5
What does a spreading Worm Simulator look like?
Thanks to the Slashdot effect, I think we're gonna find out.
-S
Sound of a worm going through MS security after you click on an MSI installer.
One line blog. I hear that they're called Twitters now.
The Goatse.cx guy was called worm?
I wish I was not. That would explain why 30% of all email is Sober at the moment. As it is now, booze is not to blame.
Sober, installs itself by tricking naive people in opening the Trojan disguised as
Sorta like the MSI link in this article....
I wonder, will I get drunk when opening it on my Windows 2003 Terminal Server?
If so, I might be inclined.
well, try that one: http://www.darwinia.co.uk/ it's a game, ok. but there is a demo and if you ever wondered what is really happening when you start your fav antivir-O-mat, try it.
"The future is here. It's just not widely distributed yet." [William Gibson]
When Symantec software spreads like a worm from local distribution chains, ( BestBuy, Staples, FutureShop etc. ), demand for computer repair goes up.
Why?
Because their software breaks every machine it touches.
Worse, the computers they are installed on have not just one Virus, but many.
I tell my customers its like selling a condom with a hole in it.
You could have had so much more fun without the protection they weren't providing in the first place.
A false sense of security is worse than no security at all.
I for one welcome our new worm overlords!
Since it seems to be down, I've mirrored the simulation.
0 rm_S1mul470r.msi
http://thisurlissafenoreally.haxxxsukkar.cx/SRL_W
Someone above requested a screenshot, I've replied above but for those that missed the reply and can't run .msi files, here's a screenie:
.msi files!
http://www.jeanhaines.com/tmp/wormSim.html
Haydn.
p.s: thank god I'm at work so I can open
Time is an illusion. Lunchtime doubly so. - Douglas Adams
Could they have used a few more shades of grey? I mean, how are you ever supposed to use a visual tool if three of your indicators all look the same (white, light grey, dark grey in very small boxes).
"Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless if it gains in terms of marketshare."
The Witty worm could only infect Windows machines running a specific version of specific firewall software. The vulnerable population was about 12000 machines worldwide. It infected virtually the entire vulnerable population in under an hour.
If/when there's a worm for MacOS X or Linux, there will be more than enough machines to spread it far and wide.
I rarely criticize things I don't care about.
I was hoping for the ability to tweak a worm's parameters (infection rate, pool of vulnerable hosts, etc) and see how the infection rate changes....no such luck i guess, this is more like an animated gif or something. Several of the worms do look alot the same but Slammer and Sobig do seem to be distinct.
If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
I did some research on worms in school. Here's a report, and here's a presentation.
now we need a way to simulate skynet, pending its future release
The funny thing so far i've seen concerning worm and viruses is the Windows media center. I was looking at a new flat TV screen in an electronic shop. They were promoting the Microsoft media center. The funny thing was a little popup window at the right of the taskbar. "Windows did not find any anti-virus software on this computer." or something like. Lol...Thanks but I prefer my good old Television. Olivier
"Click this link, and you'll find out!"
Woa. I thought the article's title was "What Does a Spreading Woman Look Like?"
Good luck with that.
It looks like the entire continet of Africa is running Macs.
There is honestly no way that this "research" by a anti-virus company could be even remotely unbiased; they are going to exaggerate the hell out of this to make normal internet worms look like ebola.
The Tech Terminal
Am I the only one who read "What does a speeding worm look like?"
I run linux so I can't run the program. I would like to ask if the spread of a worm is similar to the spread of an epidemic and if the same technique (agent-based, cellular automata) is used to simulate both?
What real purpose does this simulation serve?
Have you ever had the sales FUD speel from a double-glazing/insurance/encyclopedia salesman?
Well this Symantec's FUD gimmick.
To the layman it looks pretty, it looks realistic. It's full of 'scary' statistics.
But how does this help me protect my network? How does it make me more secure?
Symantec are also being irresponsible by helping the worm/virus writing community chart the course of their creations. (This is documented behaviour).
One more thing...it'll be another 'claim to fame' trophy for worm/virus writers to have their creation appear in Symantec simulations.
Sorry, I have to cut this post short, but I must go to buy my security from Symantec _right_now_ before the world implodes.
goatse.cx?
http://xs4.xs.to/pics/04481/p556222.gif
It's CmdrTaco's worm tracker program. If this worm makes it to 500,000 of your friends in an hour then Taco will give everyone it reaches $100 and send us all to DisneyWorld!
Why, oh why, didn't I take the Blue Pill?
Oh dear! I made fun of Slashdot. Quick! Quick! Mod it overated!
"When Mods Go Bad." Next on Fox.
Mickeysoft doesn't distribute anything nowday's that isn't SP2.
You might find XP in some bargain bin somewhere though.
Thanks alot. C'mon...
JoloK
As it happens, a friend of mine, (former boss) happens to be doing something very much along these lines.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
From McAfee...
;)
--snip--
WARNING: SRL_Worm_Simulator.msi is infected with the W32/WormSimulator.B@mm virus!
ACTION: Clean/Delete threat.
It looks like you're attempting to run a competitor's program. Stop it, you insensitive clod.
--snip--
That was a weird virus warning I got when I downloaded that
I bet that the simulation shows companies with Symantec products are vastly better protected...
If people are interested in another take on worm propagation monitoring and containment, have a look at http://www.intrinsicsecurity.com/.
Disclaimer: I did some work with the folks there in past, and they are pretty sharp.
It would be interesting to use this tool to model spreads of other things, i.e. progress of a new brand or a new band. You could change the model files to be equivalent to the current spread of Firefox for example, then use it to predict future downloads. Anyone know how to change the files? They look quite simple, but I don't have any way of opening them apart form wordpad...
What Does a Spreading Worm Look Like? With pictures?
Sounds like worm pr0n to me...
Let's see. How does a spreading worm look? Perhaps it looks like users blindly downloading an EXECUTABLE program for Windows after essentially being told that "this is a safe download" becuase it is linked to from the front page a major website.
I'm not sure whether to laugh or cry at the humor or the irony.
If this thing is a virus that Norton has preprogrammed its antivirus product to ignore, I'll be laughing myself into an early grave...
It requires some dll's...but no windows installation. Having a windows installation is actually not recommended on the winehq site.
You were saying?
i hate the globe part of the program. it's bad interface imo. all the fun stuff happens when i'm stuck on part of the ocean. should've made a pause button and rotate left/right for the globe.
HD Trailers
do exist. Netsky and Opener, for starters...
You're lying!
Superb Hosting
It really suprises me that Symantec would release a friggin MSI package and not digitally sign it. Without that there's no way to know if Symantec even made this.
After downloading, installing and running this does it popup a message in big red letters saying "THIS IS HOW A WORM SPREADS!"?
First Netsky DOES NOT effect Mac OS. It can be received via email like numerous other PC viruses, but doesn't execute or cause any damage on a Mac OS X machine.
Second, Opener/Renepo IS NOT a virus or a worm. It doesn't spread and can not self-replicate. Opener/Renepo can cause damage to a Mac OS X system, but only if the user running it has permission to run it, and grants the app permission to run and perform the damage. It can't traverse the network, spread to others machines, or run without explicit permission of the user. In that sense it's pretty much the equivalent of a user deleting their own files or running a trojan application locally.
Obviously, if your going to write this, you could have at least spent 5 minutes getting information from any reputable anti-virus site. Symantec, Sophos, and a host of other sites, will give you the details of what OSs the virus run on,threat level, etc.
> Having a windows installation is actually not recommended on the winehq site.
Is that due to technical concerns, or Microsoft EULAs? I'm inclined that it's more a case of CYA than anything else.
Seriously, I've read man wine.conf(5), and I fail to see how you're going to obtain the necessary DLLs, the paths, Registry entries, etc. any other way.
Not that it really matters to me very much, as one of the reasons I switched to Linux was because I didn't want to run Micrososft software or anything that depended on it any more.
Il n'y a pas de Planet B.
There used to be a live virus flash animation on their site where it would show you what countries worm emails was being picked up in. On the left hand side, they had a list of big worm outbreaks and would play through the outbreak and show infected regions. Very nice demo, but it looks like it's no longer - http://www.messagelabs.com/viruseye/threats/ now brings you to their home page.
Just some globe and a grid hardly shows how serious worms spread over the internet. Here you can see at least how Slashdot gets infested with worms: http://www.netdisaster.com/go.php?mode=worms&url=h ttp://www.slashdot.org
Calling it a 'worm' implies, through omission, that it affects other platforms. It goes without saying that worms and viruses are largely the domain of MS, however to generate useful discussion and or viable solutions, it does need to be pointed out explicitly, especially in the healines. Many people read only the headlines.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Xbill, anyone?