The Witty worm with Vern Paxson
I'm sitting in a tech talk from Vern Paxson about the Witty worm, and he's just described how they could determine the state of the random number generator on infected machines when it sent probes to possible victims. That gives you the uptime of the infected host. They can also see the distance between random numbers in the sequence, which means they can calculate the speed of the network link of infected machines, because they know the time between repeated probe attempts and how many packets were sent in between.
They can also determine the number of disks plugged into the infected machine, because a bug in the worm only re-seeded the random number generator when it trashed a disk block on the machine. It can only do that if that randomly selected disk exists.
The talk is being taped, so other people will be able to see it in a week or two.
Very cool.
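The inference described above, as an added sketch that is not code from the talk or from this post. It assumes the generator is a 32-bit linear congruential generator with the Microsoft C runtime `rand()` constants and that an observer sees the top 16 bits of consecutive states; the draws-per-probe count and the sample seed are constructed.

```python
# Added example. Assumptions (not stated in the post): LCG constants,
# top-16-bit outputs, and OUTPUTS_PER_PROBE are illustrative.
A, C, M = 214013, 2531011, 2**32   # Microsoft C runtime rand() LCG constants
OUTPUTS_PER_PROBE = 4              # hypothetical PRNG draws per probe packet

def step(state):
    """Advance the generator by one draw."""
    return (A * state + C) % M

def recover_state(hi16):
    """Return every 32-bit state consistent with the observed top-16-bit
    outputs of consecutive draws (hi16[0] is the earliest)."""
    matches = []
    for low in range(1 << 16):          # only the low 16 bits are hidden
        first = (hi16[0] << 16) | low
        s, ok = first, True
        for want in hi16[1:]:
            s = step(s)
            if s >> 16 != want:
                ok = False
                break
        if ok:
            matches.append(first)
    return matches

def steps_between(s0, s1, limit=10_000_000):
    """Count draws needed to get from state s0 to s1, or None past limit."""
    n, s = 0, s0
    while s != s1:
        s = step(s)
        n += 1
        if n > limit:
            return None
    return n

def probes_per_second(s0, t0, s1, t1):
    """Sending rate implied by two recovered states and their arrival times."""
    n = steps_between(s0, s1)
    return None if n is None else (n / OUTPUTS_PER_PROBE) / (t1 - t0)

if __name__ == "__main__":
    seed = 0x12345678                   # constructed sample, not real data
    s1 = step(seed); s2 = step(s1); s3 = step(s2)
    seen = [s1 >> 16, s2 >> 16, s3 >> 16]   # what a monitor would observe
    print("two outputs  :", [hex(x) for x in recover_state(seen[:2])])
    print("three outputs:", [hex(x) for x in recover_state(seen)])
    later = s1
    for _ in range(100_000):            # host keeps sending between sightings
        later = step(later)
    print("probes/s:", probes_per_second(s1, 0.0, later, 10.0))
```

Two consecutive outputs can leave more than one candidate state; a third always narrows it to one for this generator. Multiplying the probe rate by the packet size gives the link-speed estimate the post mentions.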
posted at: 14:44
