What seems to have happened here is that NT systems that had been infected by the worm last May and *not* been cleaned out were quietly doing whatever they did until late last June or so. At that point, several NTs on our campus started scanning off-campus IPs, and getting picked up by the NIDS.

At another level, diseases ebb and flow with time as the proportion of the population vulnerable to the disease increases and decreases. The worms we see now may take decades to disappear completely from the Internet. After an outbreak, a lot of systems will get patched and the worm drops off the radar. A few months pass and new (and unpatched) systems are put into service. When the number of new, unpatched systems reaches a threshold level, the worm "booms" again and the cycle repeats.

I don't have the data to test this idea, but it fits some models for biological diseases and parasite-host relationships. In fact, the sadmind/IIS worm is a nice example of a parasite with a two-stage life cycle ...

Anyone out there looking for a thesis topic? 8-)

- Andy

On Thu, 9 Aug 2001, Stephen W. Thompson wrote:

> Follow my line of thinking here.
>
>
> If I'm correct, that implies a) sadmind/IIS is more prevalent than
> we'd realized and, possibly b) that there might be a variant of
> sadmind/IIS that succeeds on non-Solaris machines unlike the original
> variant. Any corroboration on (b) from anyone?
>

------------------------------------------------------------------------------
** Andy Johnston (andyat_private)          * pager: 410-678-8949             **
** Distributed Systems Manager             * PGP key:(afj2000) 1024/F67035E1 **
** Office of Information Technology, UMBC  * 5D 44 1E 2E A6 7C 91 7A         **
** 410-455-2583 (v)/410-455-1065 (f)       * C4 66 5F D5 BA B9 F6 58         **
------------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Aug 10 2001 - 07:22:53 PDT
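The boom-and-bust hypothesis in the message above can be explored without field data using a small susceptible/infected model with a steady inflow of new unpatched hosts. This is an added example, not part of the original post; the model choice and every parameter value (BETA, GAMMA, INFLOW, the starting counts) are constructed assumptions.

```python
"""Added illustration: worm resurgence as a susceptible-infected model with
a steady inflow of new unpatched hosts. All parameter values are constructed."""

BETA = 0.0005    # assumed: infections per (unpatched host x infected host) per day
GAMMA = 0.05     # assumed: fraction of infected hosts cleaned and patched per day
INFLOW = 1.0     # assumed: new unpatched hosts put into service per day


def threshold(beta=BETA, gamma=GAMMA):
    """Unpatched-host count above which each infection more than replaces itself."""
    return gamma / beta


def simulate(days, s0=500.0, i0=1.0, beta=BETA, gamma=GAMMA, inflow=INFLOW):
    """Step the model one day at a time; return (unpatched, infected) series."""
    s, i = [s0], [i0]
    for _ in range(days):
        new = min(s[-1], beta * s[-1] * i[-1])   # hosts compromised today
        cleaned = gamma * i[-1]                  # hosts cleaned and patched today
        s.append(s[-1] - new + inflow)
        i.append(i[-1] + new - cleaned)
    return s, i


def booms(infected, floor):
    """Days on which the infected count peaks above `floor` (local maxima)."""
    return [t for t in range(1, len(infected) - 1)
            if infected[t - 1] < infected[t] > infected[t + 1]
            and infected[t] > floor]


def report(days=1500):
    """List (day, infected, unpatched) for every boom in the simulated period."""
    s, i = simulate(days)
    endemic = INFLOW / GAMMA   # steady-state infected count the model settles toward
    return [(t, round(i[t]), round(s[t])) for t in booms(i, endemic)]


if __name__ == "__main__":
    print("threshold (unpatched hosts):", threshold())
    for day, infected, unpatched in report():
        print(f"boom on day {day}: {infected} infected, {unpatched} unpatched")
```

In this deterministic form each successive boom is smaller than the last, so the model supports recurrence after unpatched hosts rebuild past the threshold, but not undamped repetition.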