The Witty worm with Vern Paxson
I'm sitting in a tech talk from Vern Paxson about the Witty worm, and he's just described how they could determine the state of the random number generator on infected machines when they sent probes to possible victims. That gives you the uptime of the infected host. They can also see the distance between random numbers in the sequence, which means they can calculate the speed of the network link of infected machines, because they know the time between repeated probe attempts and how many packets were sent in between.
They can also determine the number of disks plugged into the infected machine, because a bug in the worm only re-seeded the random number generator when it trashed a disk block on the machine. It can only do that if that randomly selected disk exists.
The talk is being taped, so other people will be able to see it in a week or two.
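The state recovery and link-speed estimate described above can be sketched as a toy model. This is an added example, not code from the talk or from this post: it assumes a 32-bit linear congruential generator with the constants shown, that each probe exposes the top 16 bits of consecutive generator states in its destination address and port, and four generator calls per probe. The seed, packet size and timing are constructed sample values.

```python
# Toy model: recover a probe sender's PRNG state from one observed probe,
# then use the sequence distance between two probes to estimate link speed.
A, C, M = 214013, 2531011, 2**32   # assumed LCG constants (not from the post)
CALLS_PER_PROBE = 4                # assumed: addr-high, addr-low, port, size

def step(x):
    """Advance the assumed generator by one call."""
    return (x * A + C) % M

def simulate(seed, n):
    """Constructed traffic: n probes as (state, dst_ip, dst_port)."""
    x, probes = seed, []
    for _ in range(n):
        state = x = step(x)        # top 16 bits become the address high half
        hi = x >> 16
        x = step(x)
        lo = x >> 16
        x = step(x)
        port = x >> 16
        x = step(x)                # packet-size draw, unused in this model
        probes.append((state, (hi << 16) | lo, port))
    return probes

def recover_states(dst_ip, dst_port):
    """Try all 2^16 hidden low halves; keep those that predict the probe."""
    hi, lo = dst_ip >> 16, dst_ip & 0xFFFF
    found = []
    for low in range(1 << 16):
        x = (hi << 16) | low
        nxt = step(x)
        if nxt >> 16 == lo and step(nxt) >> 16 == dst_port:
            found.append(x)
    return found

def steps_between(s_from, s_to, limit=10_000_000):
    """Generator calls needed to get from one state to the other."""
    x = s_from
    for n in range(limit + 1):
        if x == s_to:
            return n
        x = step(x)
    return None                    # not reachable within the search limit

def link_rate_bps(steps, seconds, avg_packet_bytes):
    """Probes sent between two observations, converted to bits per second."""
    return (steps // CALLS_PER_PROBE) * avg_packet_bytes * 8 / seconds

if __name__ == "__main__":
    probes = simulate(0x1234ABCD, 601)      # constructed seed
    first = recover_states(probes[0][1], probes[0][2])[0]
    later = recover_states(probes[600][1], probes[600][2])[0]
    gap = steps_between(first, later)
    print(gap, link_rate_bps(gap, 0.5, 1070))  # constructed 0.5 s, 1070 B
```

Only two of the host's probes need to be seen: the generator calls that lie between them count the unseen packets the host sent in the meantime.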
Posted at: 14:44