|The witty worm with Vern Paxson|
I'm sitting in a tech talk from Vern Paxson about the witty worm, and he's just described how they could determine the state of the random number generator on infected machines when it sent probes to possible victims. Which gives you the uptime of the infected host, and they can see the distance between random numbers in the sequence, which means they can calculate the speed of the network link of infected machines, because they know the time distance between repeated probe attempts and how many packets were sent in between.
They can also determine the number of disks plugged into the infected machine, because a bug in the worm only re-seeded the random number generator when it trashed a disk block on the machine. It can only do that if that randomly selected disk exists.
The talk is being taped, so other people will be able to see it in a week or two.
Tags for this post: blog internet worm research
Related posts: Methodology for my SMTP survey; Measuring the popularity of SMTP server implementations on the Internet; Interesting paper: "YouTube Traffic Characterization: A View From the Edge"; iBurst: Coverage in Canberra still sucks; Traffic based linkage spam?; iBurst: Ibis Darling Harbour
posted at: 14:44 | path: /diary | permanent link to this entry