Great analysis.

> ... Too many users are connected". ... This prevents people
> from exploiting the /scripts/root.exe backdoor

Which would suggest that black hats would have been hampered in any attempts to remodel. (By remodel I mean to invisibly remove the known backdoor and replace it with a new one.)

> I think this will become an important algorithm for future worms.

Regularity and locality of IP allocation is a godsend to worm writers regarding both public and private IP spaces. For example, as I posted to a local Linux user group yesterday:

  Use 10.x.x.x even for small private nets?
  . .
  4. It's reasonable to surmise that many future worms will adopt this local bias philosophy.
  . .
  So, my tentative (but remember clueless) conclusion, is that, even on tiny private nets, it would probably be smart to use as sparse an IP space as possible, right?

> the Morris Worm injected the community with a lot of knowledge
> about worms. ... When the next IIS exploit is announced, we've got
> two weeks to patch a million systems before that next worm takes
> down the Internet.

I disagree with the "2 weeks" and the "take down the Internet". Neither Code Red nor Code Red II took down the Internet. It could clearly happen, but one can't absolutely know. As for the 2 weeks:

> There is even a danger that a worm will be written first,
> then the next exploit added to it later. Thus, the worm may
> appear on the first day the next vulnerability is announced,
> even though the writer didn't have 0-day knowledge.

Precisely. Soon we may no longer have the 2 week luxury. Timely patching may come to mean doing it within hours of announcement (and in years to come, minutes).

> I'm sure people have fully grasped the situation.

Did you miss a "not"?

> If anybody has a large dark subnet to play with, I'd love to
> install my deredoc program mentioned above. It not only
> plays with the current worms, it can be used to encourage
> 0-day worms to reveal themselves.

Simple and beautiful.
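To put a number on the "sparse IP space" conclusion above, here is an added model of how much a locality-biased scanner gains from a dense private allocation. This is illustration code written for this archive page, not anything posted by the author or shipped with any list member's tool; the tier weights (half the probes into the scanner's own /16, three eighths into its own /8, the rest anywhere) are an assumption of the model, not the measured behaviour of Code Red II, and the two 200-host layouts inside 10.0.0.0/8 are constructed for the comparison.

```python
"""Expected hit rate of a locality-biased worm scanner against a dense
versus a sparse private address allocation.

Added illustration of the list post's argument; not code from the post.
The scanner weights are an assumed model, not Code Red II's real values.
"""
import ipaddress

# Assumed target-selection weights: a probe is aimed inside the infected
# host's own /16, inside its own /8, or anywhere in the IPv4 space.
P_SAME16 = 0.5
P_SAME8 = 0.375
P_RANDOM = 0.125


def ip_int(addr):
    """Return an IPv4 dotted-quad string as an integer."""
    return int(ipaddress.IPv4Address(addr))


def expected_hit_rate(hosts, infected):
    """Probability that one probe sent by `infected` (an int) lands on another
    live host in `hosts` (ints).  Each locality tier spreads its probes
    uniformly over its prefix, so a tier's hit chance is
    live-hosts-in-prefix / prefix-size."""
    others = [h for h in hosts if h != infected]
    same16 = sum(1 for h in others if (h >> 16) == (infected >> 16))
    same8 = sum(1 for h in others if (h >> 24) == (infected >> 24))
    return (P_SAME16 * same16 / 2**16
            + P_SAME8 * same8 / 2**24
            + P_RANDOM * len(others) / 2**32)


def mean_hit_rate(hosts):
    """Average hit rate over every host, i.e. whichever one is infected first."""
    ints = [ip_int(h) if isinstance(h, str) else h for h in hosts]
    return sum(expected_hit_rate(ints, h) for h in ints) / len(ints)


def expected_probes_to_first_hit(hosts):
    """Mean number of probes a fresh infection sends before it reaches a
    live neighbour on this net (geometric waiting time, 1 / hit rate)."""
    return 1.0 / mean_hit_rate(hosts)


# Constructed allocations of 200 hosts, both inside 10.0.0.0/8.
DENSE = [f"10.0.0.{i}" for i in range(1, 201)]             # one contiguous /24
SPARSE = [f"10.{i}.{(7 * i) % 256}.1" for i in range(200)]  # one host per /16


def compare(dense=DENSE, sparse=SPARSE):
    """Hit rates, probes-to-first-hit and the dense/sparse ratio."""
    d, s = mean_hit_rate(dense), mean_hit_rate(sparse)
    return {
        "dense_hit_rate": d,
        "sparse_hit_rate": s,
        "dense_probes_to_hit": 1.0 / d,
        "sparse_probes_to_hit": 1.0 / s,
        "dense_over_sparse": d / s,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value:.4g}")
```

With these weights the dense /24 is found roughly 340 times faster than the same 200 hosts spread one per /16: about 650 probes to the first hit against about 225,000. The /8 tier contributes the same amount in both layouts, so the whole gap comes from the /16 tier, which is why spreading hosts across /16 boundaries (rather than merely moving them around inside one) is what blunts this kind of scanner.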
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 15:10:45 PDT