Slashdot Mirror

← Back to Stories (view on slashdot.org)

What Does a Spreading Worm Look Like?

Posted by CmdrTaco on from the can-i-disenchant-it-for-reagents dept.

quibbs0 writes "When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures."

52 of 233 comments (clear)

  1. What a spreading worm *really* looks like. by TripMaster+Monkey · · Score: 5, Funny


    What Does a Spreading Worm Look Like?

    This is what a spreading worm looks like.

    ^_^

    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:What a spreading worm *really* looks like. by pdbogen · · Score: 2, Interesting

      Am I the only one reminded of Alpha Centauri by that picture?

    2. Re:What a spreading worm *really* looks like. by Reziac · · Score: 2, Funny

      I thought it might look rather like a flatworm, or perhaps a leech.

      "When a new worm spreads around the world, people want to know if they are protected."

      Well, I suppose that depends on whether it's an endangered species or not.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  2. launching a windows executable from a link by codepunk · · Score: 5, Insightful

    That is exactly what it looks like, a windows executable installer launched off of a web page with unknow origin.

    --


    Got Code?
    1. Re:launching a windows executable from a link by justforaday · · Score: 4, Interesting

      Certainly doesn't help that it's on the "enterprisesecurity" subdomain either...

      --
      I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
    2. Re:launching a windows executable from a link by Shisha · · Score: 5, Funny

      Odd; the simulation does not work on any of the platforms I use (OS X, Linux). So no pretty pictures for me. I guess that's because Linux (or OS X) are not "enterprise ready".

      Is it a coincidence that the only platform, for which one can get programs simulating the spread of worms, is MS Windows?

  3. Fastest way to spread a worm... by D4MO · · Score: 5, Insightful

    Linking directly to an MSI file in a slashdot story.

    --

    Rocket science is easy. Neurosurgery, now *that's* difficult.
    1. Re:Fastest way to spread a worm... by boaworm · · Score: 3, Funny

      I seem to be immune to these worms, I cannot doubleclick on the "msi" file.

      boaworm$ ls -l *.msi
      -rw-r--r-- 1 boaworm boaworm 2022400 28 Apr 17:16 SRL_Worm_Simulator.msi
      mirage:~/Desktop boaworm$ chmod a+x SRL_Worm_Simulator.msi
      mirage:~/Desktop boaworm$ ./SRL_Worm_Simulator.msi
      -bash: ./SRL_Worm_Simulator.msi: cannot execute binary file
      mirage:~/Desktop boaworm$

      Poor me, my Panther cant even get that worm to RUN... i't should be dead scared, should it not ? Perhaps I need Tiger..

      --
      Probable impossibilities are to be preferred to improbable possibilities.
      Aristotele
    2. Re:Fastest way to spread a worm... by Neurotoxic666 · · Score: 2, Funny

      You must be new here. People don't click the links.

      --
      You are more than the sum of what you consume. Desire is not an occupation.
  4. Great thing for a security company to encourage by Lord+Bitman · · Score: 5, Funny

    "So, what does a worm look like when it spreads? Install this program to find out!"

    and ALT-F4 will activate "ultra mode"

    --
    -- 'The' Lord and Master Bitman On High, Master Of All
  5. Appropriate packaging by PowerBert · · Score: 4, Insightful

    It's good to see the worm simulator is only slightly less platform independant than your average worm.

    Perhaps Symantec figure the only ones who would want to look at a spreading worm are those most affected by it??

  6. real plot? by moz25 · · Score: 2, Interesting

    Interesting, but I would be slightly more interested in a real-time actual plot. Do they have that available as well?

    --
    see a Text Widget
  7. What Does a Spreading Worm Look Like? by Zontar+The+Mindless · · Score: 4, Funny

    And it's a .msi file, hence Windows only.

    How appropriate.

    --
    Il n'y a pas de Planet B.
  8. You want us to install a program? by mrighi · · Score: 5, Funny

    I can't believe Slashdot wants us to learn how a virus spreads by encouraging us to download an MSI executable off the home page!

    That would be like me going to the doctor and having him ask me if I know how HIV is spread and then asking me to take my pants off.

  9. Re:Darn Linux by ZephyrXero · · Score: 2, Informative

    You can run virii with Wine ;)

    --
    "A truly wise man realizes he knows nothing."
  10. Torren by spadadot · · Score: 2, Informative

    Ok, it's not that useful this time, but I'm doing this to learn :)

    http://dload.digitalriviera.com/SRL_Worm_Simulator .msi.torrent

  11. Interesting article in IEEE spectrum by karvind · · Score: 5, Informative

    On similar theme, current issue of IEEE Spectrum has article on How to Hook Worms

  12. Snake Oil for sale by Marcus+Erroneous · · Score: 5, Insightful

    Is it just me or do others see some issues with the people who provide the cure also providing the pictures documenting the severity of the infection? Symantec, for one, has already been slammed for sounding the alarms and hyping the dangers in order to elevate the demand for their product. Now I'm to trust their software that shows dramatic footage!! of these insidious worms assaulting the world as we know it.
    Next you'll probably want me to go ask the Bush camp if we should invade Iran or the Democrats if we should repeal the two term law and re-elect Clinton again. On my way I'll stop by the car dealership and see if my current car is okay or if I should get a new one just to be safe.

    --
    You must be the change you wish to see in the world - Ghandi
    1. Re:Snake Oil for sale by utexaspunk · · Score: 2, Insightful

      while i agree that the antivirus companies have some dubious tactics, i dunno if this is really all that inappropriate. people studying diseases often study transmission patterns and infection rates, but we don't accuse them of any impropriety. you'd expect an oncologist to have some decent pictures of a cancer spreading, wouldn't you?

    2. Re:Snake Oil for sale by iritant · · Score: 2, Insightful

      On its own I wouldn't discount what Semantec says. However, "simulations" generally involve models, and those models have assumptions. What are the assumptions in this model, I wonder? We already know that a virus can travel roughly at the speed of a disk drive's ability to write.

      It would be more interesting to see a study of computer-based virii versus biological ones. How about some real epidemiologists take a crack at it? Perhaps they already have..

      Anyone? Anyone? Bueller?

  13. *Yawn* by mattmentecky · · Score: 3, Insightful

    I guess it's a nifty little cute program in a non-technical sense. But I see nothing more here than a program that (at least seemingly) arbitrarily places a red dot on a spinning globe biased to developed nations along a timeline where you can load up various "different worms" which frankly all look the same. I would say this is one step up from a clunky/dorky flash. It would have been nice if it was at all a little bit more technical.

    1. Re:*Yawn* by -brazil- · · Score: 2, Insightful

      If they look all the same to you, you didn't look at all of them. The Slammer looks radically different from all the others. Due to its tiny size and rapid mode of travel (UDP packets sent to random IP numbers), it spread extremely quickly to nearly all vulnerable systems - but only relatively few systems (those running MS SQL server) were vulnerable.

      --

      The illegal we do immediately. The unconstitutional takes a little longer.
      --Henry Kissinger

  14. Goodbye Slashdot. by shippo · · Score: 2, Insightful

    I've been reading (and occasionally posting) to Slashdot for years.

    However this farcical link to a .MSI file has convinced me that you are now just a bunch of clueless morons.

    Goodbye.

    1. Re:Goodbye Slashdot. by utexaspunk · · Score: 4, Insightful

      and all the comments mentioning the stupidity of the .msi link didn't make us not morons? everyone agrees the editors suck, but i think it's safe to say most of us don't come here for the quality articles. most of us don't even read them! we're here for the discussion.

      anyway, don't let the door hit you on the way out!

    2. Re:Goodbye Slashdot. by Lothsahn · · Score: 3, Funny

      ...you must be new here.

      --
      -=Lothsahn=-
    3. Re:Goodbye Slashdot. by sehryan · · Score: 3, Funny

      Can I have your UserID?

      --
      The world moves for love. It kneels before it in awe.
    4. Re:Goodbye Slashdot. by Vaystrem · · Score: 2, Funny

      Bah its not worth it its just a '6 digit id' ;)

  15. Agent USA by Sporkinum · · Score: 3, Insightful

    Agent USA was the original virus simulator. It was a game for the Atari 800 in 1985.

    --
    "He's lost in a 'floyd hole"
  16. Slammer/Sapphire by carambola5 · · Score: 5, Interesting

    I've already see how a worm spreads. Especially one that initially grows exponentially with a time constant of 8.5 seconds. Yes, 8.5 seconds.

    Slammer

    Pay attention to the time and infected hosts data at the bottom.

    --
    IWARS.
    People, in general, disappoint me. Politicians even more so.
  17. CAIDA did this for earlier worms... by m0rningstar · · Score: 4, Informative

    ... and in a WWW based format, as opposed to the executable from an AV company. I think it was two of their researchers -- Colleen Shannon and David Moore. The animation for Code Red is here .

  18. Comment removed by account_deleted · · Score: 3, Funny

    Comment removed based on user account deletion

  19. end to end linkage by Anonymous Coward · · Score: 3, Informative

    One of the reasons that worms spread exclusively on Windows is because you need end to end linkage. A simplified model is if I wanted to send a message to Kevin Bacon, I'd talk to friend A who knows an actor, who talks to Friend B, then friend C, who then talks to Kevin. If I tell someone who doesn't speak the language, the linkage is broken and my original message can no longer propogate.

    In other words, a computer can only infect other computers through being infected itself (unless if the system is just serving files). Worms can't move through unsupported systems. Once it hits OS X or Linux system, it can't move anywhere. Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless if it gains in terms of marketshare.

    1. Re:end to end linkage by daniel_mcl · · Score: 2, Insightful

      Another reason is that the Windows architecture, unlike Linux or the BSD core of OS X, was never designed to be used in network or multiuser settings and even now that NT-based systems are the norm the old DOS mentality prevails. A large number of the exploits in Windows are based on the ability to embed executable code in pretty much anything that should not have executable code in it -- word processor documents, emails, etc.

      It's not hard at all to find whatever flavor of UNIX system you want in huge concentrations; sites such as Yahoo and Google run huge farms of them, for instance, as do most research institutions. If one of these was to be infected with a worm you can be sure it'd spread pretty quickly.

      --
      I used to read Caltizzle. I was a lot cooler than you.
  20. Anyone figure out? by doombob · · Score: 4, Interesting

    I was wondering if anyone has figured out how to write new simulations for it. This would be more interesting and useful if you could write your own simulations with your own paramaters to test how the networks you are on would compare. I tried editing the simulations that are provided but all that is affected is the speed at which the percentages change.

    1. Re:Anyone figure out? by alecks · · Score: 2, Funny

      Yes you can, but you need a hex editor. Load up the exe and goto this address: 23HX,12BA... change the H to an F... This will let you literally drag and drop simulation (.sim) files in the loader and run them. I showed this to my boss earlier today and he's been busi all morning creating sim files to try out.

      --
      The Digital Couture Collection
  21. In other news... by qw(name) · · Score: 2, Funny

    Symantec has issued yet another warning that the world will end as soon as all the worms and viruses unite against true carbon-based life forms. Symantec CEO John W. Thompson was quoted as saying, "If people would have heeded all our warnings about the coming war between reality and virtual reality we would not be headed for certain doom." At that point he started crying as his company's stock soared to record highs.

    Up next, Symantec issues a warning to the Mac/UNIX community saying that their computers are too safe from Windows-based viruses. "We can no longer support operating systems that flaunt their security in face of corporate IT managers everywhere when millions of starving children are dying of malnutrition."

    The Weekly World News news service will be right back after this message from our sponsor, Symantec. Ensuring your fear, uncertainty and doubt since 1982.

  22. Brek Girl Simulation by buckhead_buddy · · Score: 2, Interesting

    I like that 1970's American television ad with the cute girl who visually demonstrates exponential growth while trying to advertise something like Brek shampoo.

    "I [infected] two friends.
    And they [infected] two friends.
    And so on.
    And so on.
    And so on."

    Withe the screen splitting at each phrase and winding up with 32 versions of the cute girl, it's much more visually entertaining than this demo.

  23. Re:Don't Download it by leuk_he · · Score: 5, Funny

    No it is not. At least my norton antivirus enterprise edition 10.0 with updated signatures does not flag this file.

    I should be safe.

    ps: ;)

    ps2: Note to moderators: this is funny, not informative!

  24. Yellow? by SmokeyMirror · · Score: 2, Funny
    So I read the article and I find this bit here: As the worm spreads, nodes in the network and on the globe start turning colors. Symantec Yellow represents patched and secure machines

    Tell me Symantec hasn't trademarked a shade of yellow.

  25. From TFA by Laurentiu · · Score: 2, Insightful

    The Worm Simulator will be rolled out initially to members of the Symantec Sales organization for demonstrations to enterprise customers. In addition, the Worm Simulator could become a future television star during news coverage of worm outbreaks, enabling viewers to watch a virus as it spreads. Symantec Security Response intends to use the simulator for TV appearances as well.

    Translation:
    We invented a new, computer-assisted sales pitcher. It could also be used as a FUD spreader on TV.

    --
    Just /. IT
  26. Missing some factors by Shoten · · Score: 4, Interesting

    It seems like they fail to take a number of things into account with the sim. For one, when I ran the Sasser simulation, it followed a pretty straightforward and accurate progression. Things went slowly at first, and then picket up speed as time progressed.

    But within 20 days, there were no infected nodes, anywhere; as someone who works in a penetration testing lab without a firewall, I really have to say that this is not real. And within 52 days, 100% of the world was patched. What? It was more than 95% within 30 days too, and I don't believe that either. There's no accounting for new systems coming out of the box (and onto the net) without patches, and no representation for the fact that there will never, ever be 100% coverage for any patch.

    That said, it is a pretty interesting tool to see how things spread, both globally and within an organization. You just have to keep in mind that it doesn't tell the whole story.

    --

    For your security, this post has been encrypted with ROT-13, twice.
  27. Real data: Analysis of the Witty worm by G4from128k · · Score: 3, Interesting

    /. discussed the Witty worm back in 2004. This analysis used UCSD Network Telescope IP block (containing 1/256 of IPv4 space) to sample the randomly spewed packets created by the worm. They were able to analyze quite a few interesting features, including the fact that the worm was jump-started by an infection of about 110 PCs at the outset, 24-hour cycles in infected/reinfected machines, and data on the distribution of bit-rates of worm transmitters.

    --
    Two wrongs don't make a right, but three lefts do.
  28. Speaking of spreading worms... by Anonymous Coward · · Score: 2, Interesting
    How timely this article!

    Today an internal customer asked me why Slashdot seemed to be broken. I check the firewall logs and, lo and behold, discover 66.35.250.150 triggered the firewall's IDS for tweaking port 2000/TCP.

    Why was /. poking at that port on my firewall, particularly considering what's usually there?

  29. Are you protected by Turn-X+Alphonse · · Score: 2, Interesting

    Are you protected in 2 answers

    Do you understand computers and how to run one securely? Yes/No if Yes continue, if no then you arn't.
    Is a patch finished and installed? If yes then you're fine. If no then you arn't protected.

    Obviously opening strange program files comes under number 1, but they may make it three points if you wish.

    --
    I like muppets.
  30. Make the "pictures" a PowerPoint presentation... by faloi · · Score: 2, Funny

    If it's gonna be a marketing pitch, they should at least make it PowerPoint so the people that try to get money to buy the solutions can make it management friendly... A few slides, some small buzzwords and presto! People get funding! Makes me crazy...Crazier. Whatever.

    --
    "It is a miracle that curiosity survives formal education." -Albert Einstein
  31. Re:msi by HaydnH · · Score: 2, Informative

    Sure: http://www.jeanhaines.com/tmp/wormSim.html

    *watches website get /.'ed!*

    Haydn.

    --
    Time is an illusion. Lunchtime doubly so. - Douglas Adams
  32. an even better question: ... by cutecub · · Score: 2, Funny

    What does a spreading Worm Simulator look like?

    Thanks to the Slashdot effect, I think we're gonna find out.

    -S

  33. Screenshot by HaydnH · · Score: 2, Informative

    Someone above requested a screenshot, I've replied above but for those that missed the reply and can't run .msi files, here's a screenie:

    http://www.jeanhaines.com/tmp/wormSim.html

    Haydn.

    p.s: thank god I'm at work so I can open .msi files!

    --
    Time is an illusion. Lunchtime doubly so. - Douglas Adams
  34. the funny thing so far by oliderid · · Score: 2, Informative

    The funny thing so far i've seen concerning worm and viruses is the Windows media center. I was looking at a new flat TV screen in an electronic shop. They were promoting the Microsoft media center. The funny thing was a little popup window at the right of the taskbar. "Windows did not find any anti-virus software on this computer." or something like. Lol...Thanks but I prefer my good old Television. Olivier

  35. Unbiased? by Shook18 · · Score: 2, Interesting

    There is honestly no way that this "research" by a anti-virus company could be even remotely unbiased; they are going to exaggerate the hell out of this to make normal internet worms look like ebola.

    --
    The Tech Terminal
  36. Man, this sounds familiar.. by jcr · · Score: 3, Informative

    As it happens, a friend of mine, (former boss) happens to be doing something very much along these lines.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
  37. Re:Mac Worms by allgood2 · · Score: 2, Informative

    First Netsky DOES NOT effect Mac OS. It can be received via email like numerous other PC viruses, but doesn't execute or cause any damage on a Mac OS X machine.

    Second, Opener/Renepo IS NOT a virus or a worm. It doesn't spread and can not self-replicate. Opener/Renepo can cause damage to a Mac OS X system, but only if the user running it has permission to run it, and grants the app permission to run and perform the damage. It can't traverse the network, spread to others machines, or run without explicit permission of the user. In that sense it's pretty much the equivalent of a user deleting their own files or running a trojan application locally.

    Obviously, if your going to write this, you could have at least spent 5 minutes getting information from any reputable anti-virus site. Symantec, Sophos, and a host of other sites, will give you the details of what OSs the virus run on,threat level, etc.