Re: DCOM worm analysis report: W32.Blaster.Worm

From: Valdis.Kletnieksat_private
Date: Tue Aug 12 2003 - 21:07:03 PDT

Next message: Dowling, Gabrielle: "RE: MSBLASTER Infecting despite 03-026 patch?"

Previous message: Lloyd Taylor: "Re: Blasting Blaster.Worm (aka LovSan Virus)"
In reply to: Andrew Thomas: "RE: DCOM worm analysis report: W32.Blaster.Worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, 12 Aug 2003 10:11:03 +0200, Andrew Thomas <andrewat_private>  said:

> If the information contained herein is still correct, then it would appear that
> the algorithm used for target IP selection is far from optimal, and 
> would result in large concentration of traffic around the IP address ranges 
> of the initial infections.

That may have been true in the first half hour or so.  Just remember that the
*first* time the worm hops to another /8, it will start creating another large
concentration around THAT address range... and inside 30 minutes there's too
many pools to count.

Another way to look at it - by the time you started seeing "me too" postings
that *something* was up, it had gotten out of the original ranges (remember
that the "me toos" are in general evidence that it's left the original range)

application/pgp-signature attachment: stored

Next message: Dowling, Gabrielle: "RE: MSBLASTER Infecting despite 03-026 patch?"
Previous message: Lloyd Taylor: "Re: Blasting Blaster.Worm (aka LovSan Virus)"
In reply to: Andrew Thomas: "RE: DCOM worm analysis report: W32.Blaster.Worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 23:01:16 PDT