The Spread of the Witty Worm (Shannon, David Moore)

Note: 2004 paper. I have the CAIDA data for this section and I should really take a look at it.

Angle: more of a report of what happened and how it was discovered.

My angle: I am trying to limit focus on virus history and how the virus works (except spread techniques); rather, I am interested in how the spread was analysed.

Interesting points about Witty
-> Has a destructive payload
-> Very high initial infection rate
-> Shortest time between infection and identification
-> Spread in a host population where pro-active security mechanisms were in place
-> Spread in a much smaller possible infection population (that is, a much smaller susceptible population)

General points & CAIDA
-> Worms span large geographic and topological regions, so they are hard to measure from a single vantage point (unless you happen to own 1/256 of the entire IP space)
-> Any inbound traffic to CAIDA's block is anomalous, as their Class A block has almost no hosts (almost?)
-> Assuming an unbiased random target generator, they receive 1/256 of all packets sent
-> ISS firewalls had a module for analysing ICQv5 (internet chat) messages which had a buffer overflow
-> After Witty infects a host it sends 20000 packets to random IPs, with packets of random size, but ensures that the packets don't get fragmented (fragmentation would slow down the spread)
-> The fact that the packets weren't a fixed size made them hard to block
-> Witty randomly deleted parts of a drive
-> Most worm growth is sigmoid: slow start (few initially pre-infected machines), but much higher growth later on due to the high number of infected machines
-> Only 12000 machines were in fact susceptible out of a pool of 4.3 million. CAIDA saw 110 machines infected in the first 10 seconds, so some sort of hitlist was used
-> After the first minute, Witty has sigmoid growth
-> Saw stabilization of the total infected after 45 min: most/all of the susceptible population is infected
-> Ran into counting issues due to DHCP
-> First worm to show that a worm could infect a small population very quickly (one would imagine it would be slow due to the low number of susceptibles)
-> Spread faster than it was possible for humans to react to (same as SQL Slammer)
-> Users of non-popular software may still be targets...
-> Destructive payload + traffic filtering + patched machines -> rapid decay of infected hosts
-> Bandwidth limited
-> Shoehorning of average users into security experts due to the "failure" of the current patching model -> should end users really be part of the security infrastructure?
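Worked example of the measurement idea in these notes (a /8 telescope seeing 1/256 of unbiased random scans, sigmoid growth, and the distinct-source / DHCP counting problem). This is an added example, not code from the Shannon/Moore paper or from CAIDA; the telescope fraction, the logistic growth rate, the 2000-host simulation and the DHCP trace records are all constructed assumptions, with only the 12000 susceptible hosts and 110 initial hosts taken from the notes.

```python
"""Estimating a random-scanning worm's population from a /8 network telescope.

Added example for these reading notes; not code from the Shannon/Moore paper
or from CAIDA. Assumptions: the telescope is a /8 (1/256 of the IPv4 space),
the worm's target generator is unbiased, and every timeline, scan record and
trace below is constructed rather than measured.
"""
import math
import random

TELESCOPE_FRACTION = 1 / 256  # a /8 block, i.e. one first-octet value


def logistic_growth(susceptible, initial, rate, t):
    """Sigmoid worm growth: closed form of dI/dt = rate * I * (1 - I/S).

    Slow start while few hosts scan, fastest in the middle, and levelling off
    as the susceptible pool is used up (the 'stabilization' in the notes).
    """
    if initial <= 0:
        return 0.0
    return susceptible / (1 + (susceptible / initial - 1) * math.exp(-rate * t))


def expected_telescope_packets(infected, packets_per_host):
    """Packets a /8 telescope expects when `infected` hosts each send
    `packets_per_host` packets to uniformly random addresses."""
    return infected * packets_per_host * TELESCOPE_FRACTION


def estimate_infected_from_packets(packets_seen, packets_per_host):
    """Invert expected_telescope_packets: infected ~= seen / (k / 256)."""
    return packets_seen / (packets_per_host * TELESCOPE_FRACTION)


def estimate_infected_from_sources(distinct_sources, packets_per_host):
    """Correct a distinct-source count for hosts that never hit the telescope.

    A host sending k random packets reaches the /8 with probability
    1 - (255/256) ** k, so a distinct-source count undercounts by that factor.
    """
    if packets_per_host <= 0:
        raise ValueError("need at least one packet per host")
    p_seen = 1 - (1 - TELESCOPE_FRACTION) ** packets_per_host
    return distinct_sources / p_seen


def simulate_telescope(infected, packets_per_host, seed=1):
    """Constructed scan traffic: each infected host picks random targets and a
    packet lands in the telescope when the target's first octet matches the /8.
    Returns (packets seen, distinct source hosts seen)."""
    rng = random.Random(seed)
    packets_seen = 0
    sources_seen = set()
    for host in range(infected):
        for _ in range(packets_per_host):
            if rng.randrange(256) == 0:  # first octet of the random target
                packets_seen += 1
                sources_seen.add(host)
    return packets_seen, len(sources_seen)


def dedupe_by_window(records, window_seconds):
    """Distinct sources per time window. With DHCP one host can appear under
    several addresses over an outbreak, so a single distinct-IP total for the
    whole trace overcounts; per-window counts at least bound the concurrent
    population. `records` is a list of (seconds, source_ip) pairs."""
    counts = {}
    for t, src in records:
        counts.setdefault(t // window_seconds, set()).add(src)
    return {w: len(s) for w, s in sorted(counts.items())}


if __name__ == "__main__":
    S, I0, r = 12000, 110, 0.02  # pool and hitlist size from the notes; rate assumed
    for t in (0, 60, 300, 900, 2700):
        print(f"t={t:5d}s  infected~{logistic_growth(S, I0, r, t):8.0f}")
    seen, srcs = simulate_telescope(2000, 50)
    print("telescope saw", seen, "packets from", srcs, "sources")
    print("estimate from packets :", round(estimate_infected_from_packets(seen, 50)))
    print("estimate from sources :", round(estimate_infected_from_sources(srcs, 50)))
    # Constructed trace: one host renumbers via DHCP at t=600 and looks like a second source
    trace = [(1, "10.0.0.5"), (30, "10.0.0.5"), (601, "10.0.0.9"), (650, "10.0.0.9")]
    print(dedupe_by_window(trace, 300))
```

The two estimators answer different questions: the packet-count estimate only needs the per-host scan rate (which the telescope can itself measure from how often a single source recurs), while the distinct-source estimate must be corrected for hosts whose 20000 random packets never land in the /8 at all, which matters most early in the outbreak when each host has sent few packets.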