aleph1at_private wrote, > This worm display locality. Its more likely to attack machines near > itself in the IP address space. Since the IP address space is mostly > sparse with machines bunched in some areas this is a more effective > method of finding other vulnerable machines that uniformly and > randomly selecting IP address across all of the IP address space, > the method used by the original worm and its variant. I think there might be another angle on locality which might explain the rate of compromise. Intuitively it seems quite likely that _vulnerable_ machines will be clustered together, for a couple of reasons, * On networks with an IIS host, it's quite likely that any other HTTP servers will also be IIS. * On networks with an unpatched IIS host, it's quite likely that any other IIS instances will also be unpatched. both on the assumption that networks will be fairly uniform, both in terms of the software their hosts are running, and in terms of local security practices. Cheers, Miles -- Miles Sabin InterX Internet Systems Architect 27 Great West Road +44 (0)20 8817 4030 Middx, TW8 9AS, UK msabinat_private http://www.interx.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 10:04:29 PDT