I've now analyzed data from three different sites, using the simple random spread model I outlined in my post to Incidents very early this morning. All three sets of data are very consistent with each other, and all are well explained by the hypothesis that the CRv2 worm was released in the early hours of yesterday morning, that it had a reasonably good random spread algorithm (unlike CRv1) and that it was capable of a spread of approximately 1.8 compromises/hour. (That is, a compromised host in the early stages of the infection could find and compromise about 1.8 other hosts in an hour - in the later stages it drops off because most hosts are already compromised. It probably compromised almost all the .ida vulnerable hosts on the Internet over the course of about twelve hours before being cleaned up and/or turning itself dormant. There's no doubt a great deal of it still lieing dormant. This was definitely a big bad worm. I imagine the worm writers can improve significantly on 1.8 compromises/hour though, so it's only going to get worse. I'm sure we can expect to see smarter targeting too. The analysis from early this morning is at http://www.silicondefense.com/cr/ I'll hopefully get a fuller analysis out some time soon. Stuart. -- Stuart Staniford --- President --- Silicon Defense ** Silicon Defense: Technical Support for Snort ** mailto:stuartat_private http://www.silicondefense.com/ (707) 445-4355 x 16 (707) 445-4222 (FAX)
This archive was generated by hypermail 2b30 : Fri Jul 20 2001 - 12:52:31 PDT