On Tuesday 04 February 2003 07:08, Craig McLean wrote:
> I found this report on the way Slammer works. It explains that Slammer is
> a kind of worm which hasn't really been seen in the wild before.
it was the fastest, yes. but faster, quieter and more effective is possible.
cade sent me a white paper some time ago detailing a worm design that is
utterly scary. it wouldn't cause much bandwidth damage (which is
strategically smart if you want to leverage the worm's conquests for anything
useful) and would theoretically be even faster than slammer/sapphire/whatever.
the basic concept as i recall it was to add a simple heuristic to the IP
scanning such that instead of randomly scanning the address space (which is
doomed to bring the network down and be statistically inefficient) each
infected host would team up with several others and scan a portion of the
local area before falling quiet. the heuristic detailed involved no
inter-compromised system communication post-compromise and kept network
traffic low enough to likely escape detection.
IIRC the estimated time for 100% infection of all vulnerable hosts was less
than 5 minutes.
if such a worm hasn't already made its quiet rounds, i'm sure such a thing
will before long. it's a well documented technique just waiting for some
"enterprising" individual to put it to use. =/
keep your systems patched.
--
Aaron J. Seigo
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43
"Everything should be made as simple as possible, but not simpler"
- Albert Einstein