What Does a Spreading Worm Look Like?
quibbs0 writes "When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures."
What Does a Spreading Worm Look Like?
This is what a spreading worm looks like.
^_^
____
~ |rip/\/\aster /\/\onkey
That is exactly what it looks like, a windows executable installer launched off of a web page with unknown origin.
Got Code?
Linking directly to an MSI file in a slashdot story.
Rocket science is easy. Neurosurgery, now *that's* difficult.
"So, what does a worm look like when it spreads? Install this program to find out!"
and ALT-F4 will activate "ultra mode"
-- 'The' Lord and Master Bitman On High, Master Of All
It's good to see the worm simulator is only slightly less platform independent than your average worm.
Perhaps Symantec figure the only ones who would want to look at a spreading worm are those most affected by it??
And it's a .msi file, hence Windows only.
How appropriate.
Il n'y a pas de Planet B.
I can't believe Slashdot wants us to learn how a virus spreads by encouraging us to download an MSI executable off the home page!
That would be like me going to the doctor and having him ask me if I know how HIV is spread and then asking me to take my pants off.
On a similar theme, the current issue of IEEE Spectrum has an article on How to Hook Worms
Is it just me or do others see some issues with the people who provide the cure also providing the pictures documenting the severity of the infection? Symantec, for one, has already been slammed for sounding the alarms and hyping the dangers in order to elevate the demand for their product. Now I'm to trust their software that shows dramatic footage!! of these insidious worms assaulting the world as we know it.
Next you'll probably want me to go ask the Bush camp if we should invade Iran or the Democrats if we should repeal the two term law and re-elect Clinton again. On my way I'll stop by the car dealership and see if my current car is okay or if I should get a new one just to be safe.
You must be the change you wish to see in the world - Gandhi
I guess it's a nifty little cute program in a non-technical sense. But I see nothing more here than a program that (at least seemingly) arbitrarily places a red dot on a spinning globe biased to developed nations along a timeline where you can load up various "different worms" which frankly all look the same. I would say this is one step up from a clunky/dorky flash. It would have been nice if it was at all a little bit more technical.
Agent USA was the original virus simulator. It was a game for the Atari 800 in 1985.
"He's lost in a 'floyd hole"
I've already seen how a worm spreads. Especially one that initially grows exponentially with a time constant of 8.5 seconds. Yes, 8.5 seconds.
Slammer
Pay attention to the time and infected hosts data at the bottom.
IWARS.
People, in general, disappoint me. Politicians even more so.
... and in a WWW based format, as opposed to the executable from an AV company. I think it was two of their researchers -- Colleen Shannon and David Moore. The animation for Code Red is here.
One of the reasons that worms spread exclusively on Windows is because you need end to end linkage. A simplified model is if I wanted to send a message to Kevin Bacon, I'd talk to friend A who knows an actor, who talks to Friend B, then friend C, who then talks to Kevin. If I tell someone who doesn't speak the language, the linkage is broken and my original message can no longer propagate.
In other words, a computer can only infect other computers through being infected itself (unless the system is just serving files). Worms can't move through unsupported systems. Once it hits an OS X or Linux system, it can't move anywhere. Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless it gains in terms of marketshare.
I was wondering if anyone has figured out how to write new simulations for it. This would be more interesting and useful if you could write your own simulations with your own parameters to test how the networks you are on would compare. I tried editing the simulations that are provided but all that is affected is the speed at which the percentages change.
No it is not. At least my norton antivirus enterprise edition 10.0 with updated signatures does not flag this file.
;)
I should be safe.
ps:
ps2: Note to moderators: this is funny, not informative!
and all the comments mentioning the stupidity of the .msi link didn't make us not morons? everyone agrees the editors suck, but i think it's safe to say most of us don't come here for the quality articles. most of us don't even read them! we're here for the discussion.
anyway, don't let the door hit you on the way out!
It seems like they fail to take a number of things into account with the sim. For one, when I ran the Sasser simulation, it followed a pretty straightforward and accurate progression. Things went slowly at first, and then picked up speed as time progressed.
But within 20 days, there were no infected nodes, anywhere; as someone who works in a penetration testing lab without a firewall, I really have to say that this is not real. And within 52 days, 100% of the world was patched. What? It was more than 95% within 30 days too, and I don't believe that either. There's no accounting for new systems coming out of the box (and onto the net) without patches, and no representation for the fact that there will never, ever be 100% coverage for any patch.
That said, it is a pretty interesting tool to see how things spread, both globally and within an organization. You just have to keep in mind that it doesn't tell the whole story.
For your security, this post has been encrypted with ROT-13, twice.
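The two gaps raised in the comment above (new unpatched machines coming online, and patch coverage that never reaches 100%) can be seen in a small susceptible/infected/patched model. This is an added example, not part of the thread and not Symantec's simulator; every parameter value (population, `beta`, `patch_rate`, the 95% ceiling, 200 new hosts per day) is constructed for illustration and is not measured Sasser data.

```python
"""Toy susceptible/infected/patched worm model; all parameters are constructed."""

def simulate(days, beta, patch_rate, patch_ceiling=1.0, new_hosts_per_day=0.0,
             hosts=100_000.0, seed=10.0, steps_per_day=24):
    """Return one (infected_hosts, patched_fraction) tuple per simulated day.

    beta: successful infections per infected host per day when every
          other host is still unpatched.
    patch_rate: fraction of unpatched hosts (clean or infected) fixed per day.
    patch_ceiling: patching stalls once this fraction of hosts is patched.
    new_hosts_per_day: unpatched machines joining the network each day.
    """
    s, i, p = hosts - seed, seed, 0.0   # susceptible, infected, patched
    dt = 1.0 / steps_per_day            # Euler step, in days
    history = []
    for _ in range(days):
        for _ in range(steps_per_day):
            total = s + i + p
            infections = beta * s * i / total * dt
            # Patching only continues while coverage is below the ceiling.
            rate = patch_rate if p / total < patch_ceiling else 0.0
            patched_s, patched_i = rate * s * dt, rate * i * dt
            s += new_hosts_per_day * dt - infections - patched_s
            i += infections - patched_i
            p += patched_s + patched_i
        history.append((i, p / (s + i + p)))
    return history

def compare(days=60):
    """Idealized run (everyone patches, no new hosts) vs. a run with churn."""
    ideal = simulate(days, beta=3.0, patch_rate=0.15)
    churn = simulate(days, beta=3.0, patch_rate=0.15,
                     patch_ceiling=0.95, new_hosts_per_day=200.0)
    return ideal, churn

if __name__ == "__main__":
    ideal, churn = compare()
    for day in (5, 20, 40, 60):
        (ii, ip), (ci, cp) = ideal[day - 1], churn[day - 1]
        print(f"day {day:2d}  ideal: {ii:8.0f} infected, {ip:6.2%} patched   "
              f"churn: {ci:8.0f} infected, {cp:6.2%} patched")
```

In the idealized run the infected count decays toward zero as coverage approaches 100%; with the ceiling and a steady trickle of unpatched hosts, the worm settles into a persistent infected population instead.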
...you must be new here.
-=Lothsahn=-
/. discussed the Witty worm back in 2004. This analysis used UCSD Network Telescope IP block (containing 1/256 of IPv4 space) to sample the randomly spewed packets created by the worm. They were able to analyze quite a few interesting features, including the fact that the worm was jump-started by an infection of about 110 PCs at the outset, 24-hour cycles in infected/reinfected machines, and data on the distribution of bit-rates of worm transmitters.
Two wrongs don't make a right, but three lefts do.
Can I have your UserID?
The world moves for love. It kneels before it in awe.
As it happens, a friend of mine (former boss) happens to be doing something very much along these lines.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."