Worms Security

What Does a Spreading Worm Look Like? 233

quibbs0 writes "When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures."
  • by TripMaster Monkey ( 862126 ) * on Tuesday May 10, 2005 @09:13AM (#12488109)

    What Does a Spreading Worm Look Like?

    This [moviegoods.com] is what a spreading worm looks like.

    ^_^

  • ...do you mean like this [okccc.edu]?
  • by codepunk ( 167897 ) on Tuesday May 10, 2005 @09:15AM (#12488131)
    That is exactly what it looks like, a windows executable installer launched off of a web page with unknown origin.
  • by D4MO ( 78537 ) on Tuesday May 10, 2005 @09:16AM (#12488137)
    Linking directly to an MSI file in a slashdot story.
  • by Lord Bitman ( 95493 ) on Tuesday May 10, 2005 @09:16AM (#12488138) Homepage
    "So, what does a worm look like when it spreads? Install this program to find out!"

    and ALT-F4 will activate "ultra mode"
  • by PowerBert ( 265553 ) on Tuesday May 10, 2005 @09:17AM (#12488144) Homepage
    It's good to see the worm simulator is only slightly less platform independent than your average worm.

    Perhaps Symantec figure the only ones who would want to look at a spreading worm are those most affected by it??
  • real plot? (Score:3, Interesting)

    by moz25 ( 262020 ) on Tuesday May 10, 2005 @09:18AM (#12488164) Homepage
    Interesting, but I would be slightly more interested in a real-time actual plot. Do they have that available as well?
  • And it's a .msi file, hence Windows only.

    How appropriate.
  • You mean one that's been stepped on? It looks something like this [moi-carine.com].

    Hey, at least I'm not trying to launch an executable on you.
  • by hugzz ( 712021 )
    .msi format. useful.

    screenshots, anyone?

  • by mrighi ( 855168 ) on Tuesday May 10, 2005 @09:20AM (#12488189) Homepage
    I can't believe Slashdot wants us to learn how a virus spreads by encouraging us to download an MSI executable off the home page!

    That would be like me going to the doctor and having him ask me if I know how HIV is spread and then asking me to take my pants off.
    • No -
      Remember, this is coming from Symantec:

      it would be more like going to a Glaxo Marketing Rep's office, and having him demonstrate how HIV is spread, by bending you over his desk. Then charging you the $300 or so a day for the next ten years for AIDS meds his company makes.
  • Torrent (Score:2, Informative)

    by spadadot ( 879731 )
    Ok, it's not that useful this time, but I'm doing this to learn :)

    http://dload.digitalriviera.com/SRL_Worm_Simulator .msi.torrent [digitalriviera.com]
    • Actually, it's totally useless. It's a 404. But it's cool that you're figuring it out for next time....
    • So, now we not only have somewhat untrusted code from a party who profits from the spread of virii, but we've now had it repackaged by a completely untrusted third party.

      I'm being ungrateful, just pointing out the ever-increasing irony.
  • by karvind ( 833059 ) <karvindNO@SPAMgmail.com> on Tuesday May 10, 2005 @09:22AM (#12488206) Journal
    On similar theme, current issue of IEEE Spectrum has article on How to Hook Worms [ieee.org]
  • Snake Oil for sale (Score:5, Insightful)

    by Marcus Erroneous ( 11660 ) on Tuesday May 10, 2005 @09:22AM (#12488213) Homepage
    Is it just me or do others see some issues with the people who provide the cure also providing the pictures documenting the severity of the infection? Symantec, for one, has already been slammed for sounding the alarms and hyping the dangers in order to elevate the demand for their product. Now I'm to trust their software that shows dramatic footage!! of these insidious worms assaulting the world as we know it.
    Next you'll probably want me to go ask the Bush camp if we should invade Iran or the Democrats if we should repeal the two term law and re-elect Clinton again. On my way I'll stop by the car dealership and see if my current car is okay or if I should get a new one just to be safe.
    • while i agree that the antivirus companies have some dubious tactics, i dunno if this is really all that inappropriate. people studying diseases often study transmission patterns and infection rates, but we don't accuse them of any impropriety. you'd expect an oncologist to have some decent pictures of a cancer spreading, wouldn't you?
    • by iritant ( 156271 )
      On its own I wouldn't discount what Symantec says. However, "simulations" generally involve models, and those models have assumptions. What are the assumptions in this model, I wonder? We already know that a virus can travel roughly at the speed of a disk drive's ability to write.

      It would be more interesting to see a study of computer-based virii versus biological ones. How about some real epidemiologists take a crack at it? Perhaps they already have..

      Anyone? Anyone? Bueller?
    • Symantec has been hitting the press very hard, this is just the latest in their ongoing attempt to convince us they don't suck.
    • I was wondering why the absurd .msi format, but after reading your post i'm thinking it might be a strange tactic...

      don't you have to turn down security levels on IE to see those things? if more and more content is provided that way, more people will put their browser in the 'hole-ridden' setting... and therefore will need more symantec software
  • *Yawn* (Score:3, Insightful)

    by mattmentecky ( 799199 ) on Tuesday May 10, 2005 @09:23AM (#12488218)
    I guess it's a nifty little cute program in a non-technical sense. But I see nothing more here than a program that (at least seemingly) arbitrarily places a red dot on a spinning globe biased to developed nations along a timeline where you can load up various "different worms" which frankly all look the same. I would say this is one step up from a clunky/dorky flash. It would have been nice if it was at all a little bit more technical.
    • Re:*Yawn* (Score:2, Insightful)

      by -brazil- ( 111867 )
      If they look all the same to you, you didn't look at all of them. The Slammer looks radically different from all the others. Due to its tiny size and rapid mode of travel (UDP packets sent to random IP numbers), it spread extremely quickly to nearly all vulnerable systems - but only relatively few systems (those running MS SQL server) were vulnerable.
  • Goodbye Slashdot. (Score:2, Insightful)

    by shippo ( 166521 )
    I've been reading (and occasionally posting) to Slashdot for years.

    However this farcical link to a .MSI file has convinced me that you are now just a bunch of clueless morons.

    Goodbye.
  • Agent USA (Score:4, Insightful)

    by Sporkinum ( 655143 ) on Tuesday May 10, 2005 @09:24AM (#12488224)
    Agent USA was the original virus simulator. It was a game for the Atari 800 in 1985.
    • Agent USA was the original virus simulator. It was a game for the Atari 800 in 1985.

      Are you sure about that [corewar.co.uk]? It seems like that claim could easily go to Agent USA or Corewars (or something else entirely - Lisp hackers are notorious for inventing clever amusements (like Emacs (which probably has a Corewars-mode (oh, it does [sourceforge.net])))).

  • Running OS X 10.3.9, I get:

    1. "No default application specified for SRL_Worm_Simulator.msi"

    ... so I specify Windows Media Player and get:

    2. "Cannot play back the file. File format is invalid"

    [Is SRI hinting at something???]

  • Slammer/Sapphire (Score:5, Interesting)

    by carambola5 ( 456983 ) on Tuesday May 10, 2005 @09:31AM (#12488305) Homepage
    I've already seen how a worm spreads. Especially one that initially grows exponentially with a time constant of 8.5 seconds. Yes, 8.5 seconds.

    Slammer [caida.org]

    Pay attention to the time and infected hosts data at the bottom.
  • by m0rningstar ( 301842 ) <cpw@noSpaM.silvertyne.com> on Tuesday May 10, 2005 @09:31AM (#12488306) Homepage
    ... and in a WWW based format, as opposed to the executable from an AV company. I think it was two of their researchers -- Colleen Shannon and David Moore. The animation for Code Red is here [caida.org] .
  • end to end linkage (Score:3, Informative)

    by Anonymous Coward on Tuesday May 10, 2005 @09:34AM (#12488325)
    One of the reasons that worms spread exclusively on Windows is because you need end to end linkage. A simplified model is if I wanted to send a message to Kevin Bacon, I'd talk to friend A who knows an actor, who talks to Friend B, then friend C, who then talks to Kevin. If I tell someone who doesn't speak the language, the linkage is broken and my original message can no longer propagate.

    In other words, a computer can only infect other computers through being infected itself (unless if the system is just serving files). Worms can't move through unsupported systems. Once it hits OS X or Linux system, it can't move anywhere. Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless if it gains in terms of marketshare.
    • Another reason is that the Windows architecture, unlike Linux or the BSD core of OS X, was never designed to be used in network or multiuser settings and even now that NT-based systems are the norm the old DOS mentality prevails. A large number of the exploits in Windows are based on the ability to embed executable code in pretty much anything that should not have executable code in it -- word processor documents, emails, etc.

      It's not hard at all to find whatever flavor of UNIX system you want in huge con
    • Then why don't we see Linux worms infecting webservers? After all webservers are much easier to find having a public domain name and all.
    • "Windows is the only OS with critical mass high enough to achieve this. Symbian for mobile devices. This is why you won't see any Windows CE worms unless if it gains in terms of marketshare."

      The Witty worm could only infect Windows machines running a specific version of specific firewall software. The vulnerable population was about 12000 machines worldwide. It infected virtually the entire vulnerable population in under an hour.

      If/when there's a worm for MacOS X or Linux, there will be more than enough m
  • Anyone figure out? (Score:4, Interesting)

    by doombob ( 717921 ) on Tuesday May 10, 2005 @09:35AM (#12488333) Homepage
    I was wondering if anyone has figured out how to write new simulations for it. This would be more interesting and useful if you could write your own simulations with your own parameters to test how the networks you are on would compare. I tried editing the simulations that are provided but all that is affected is the speed at which the percentages change.
    • Yes you can, but you need a hex editor. Load up the exe and goto this address: 23HX,12BA... change the H to an F... This will let you literally drag and drop simulation (.sim) files in the loader and run them. I showed this to my boss earlier today and he's been busy all morning creating sim files to try out.
  • by qw(name) ( 718245 ) on Tuesday May 10, 2005 @09:36AM (#12488339) Journal
    Symantec has issued yet another warning that the world will end as soon as all the worms and viruses unite against true carbon-based life forms. Symantec CEO John W. Thompson was quoted as saying, "If people would have heeded all our warnings about the coming war between reality and virtual reality we would not be headed for certain doom." At that point he started crying as his company's stock soared to record highs.

    Up next, Symantec issues a warning to the Mac/UNIX community saying that their computers are too safe from Windows-based viruses. "We can no longer support operating systems that flaunt their security in face of corporate IT managers everywhere when millions of starving children are dying of malnutrition."

    The Weekly World News news service will be right back after this message from our sponsor, Symantec. Ensuring your fear, uncertainty and doubt since 1982.
  • Brek Girl Simulation (Score:3, Interesting)

    by buckhead_buddy ( 186384 ) on Tuesday May 10, 2005 @09:40AM (#12488385)
    I like that 1970's American television ad with the cute girl who visually demonstrates exponential growth while trying to advertise something like Brek shampoo.

    "I [infected] two friends.
    And they [infected] two friends.
    And so on.
    And so on.
    And so on."

    With the screen splitting at each phrase and winding up with 32 versions of the cute girl, it's much more visually entertaining than this demo.
  • Yellow? (Score:2, Funny)

    So I read the article and I find this bit here: As the worm spreads, nodes in the network and on the globe start turning colors. Symantec Yellow represents patched and secure machines

    Tell me Symantec hasn't trademarked a shade of yellow.

  • From TFA (Score:2, Insightful)

    by Laurentiu ( 830504 )
    The Worm Simulator will be rolled out initially to members of the Symantec Sales organization for demonstrations to enterprise customers. In addition, the Worm Simulator could become a future television star during news coverage of worm outbreaks, enabling viewers to watch a virus as it spreads. Symantec Security Response intends to use the simulator for TV appearances as well.

    Translation:
    We invented a new, computer-assisted sales pitcher. It could also be used as a FUD spreader on TV.
  • Missing some factors (Score:5, Interesting)

    by Shoten ( 260439 ) on Tuesday May 10, 2005 @09:43AM (#12488411)
    It seems like they fail to take a number of things into account with the sim. For one, when I ran the Sasser simulation, it followed a pretty straightforward and accurate progression. Things went slowly at first, and then picked up speed as time progressed.

    But within 20 days, there were no infected nodes, anywhere; as someone who works in a penetration testing lab without a firewall, I really have to say that this is not real. And within 52 days, 100% of the world was patched. What? It was more than 95% within 30 days too, and I don't believe that either. There's no accounting for new systems coming out of the box (and onto the net) without patches, and no representation for the fact that there will never, ever be 100% coverage for any patch.

    That said, it is a pretty interesting tool to see how things spread, both globally and within an organization. You just have to keep in mind that it doesn't tell the whole story.
    • Well, maybe these days the owners of the countless spamming zombies are patching 'their' windows machines ;)
    • don't you get it? this is how symantec views the world. they believe everyone is using their software. they believe that in their ideal world, that virii and worms exist, but is not a problem that can't be solved and is solvable. they believe that when such a worm gets released, their stock prices will go up and more of their software will be sold.

      they believe if you use norton av, then the maximum # of days your computer can be affected is 20days (the maximum time they foresee themselves to write a patch a
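
The two factors Shoten's comment says the simulator leaves out (unpatched machines continuing to join the network, and patch coverage that never reaches 100%) can be examined with a small compartment model. This is an added example, not part of the thread and not Symantec's simulator; every parameter value is constructed, and hosts that never patch are assumed to stay infected once hit.

```python
from typing import NamedTuple, Optional

class Day(NamedTuple):
    day: int
    susceptible: float
    infected: float
    patched: float

def simulate(days, hosts=100_000, seeds=10, beta=1.5, patch_rate=0.15,
             coverage=1.0, arrivals=0.0, steps_per_day=24):
    """Mean-field worm spread with patching (all parameter values are constructed).

    beta       infectious contacts per infected host per day
    patch_rate fraction of managed hosts patched (and cleaned) per day
    coverage   fraction of hosts that are managed, i.e. ever get patched
    arrivals   new unpatched hosts joining the network per day
    """
    dt = 1.0 / steps_per_day
    share = (coverage, 1.0 - coverage)          # index 0 managed, 1 unmanaged
    s = [(hosts - seeds) * f for f in share]    # susceptible (fractional hosts are fine here)
    i = [seeds * f for f in share]              # infected
    patched = 0.0
    history = []
    for step in range(days * steps_per_day):
        total = sum(s) + sum(i) + patched
        force = beta * sum(i) / total           # per-host infection pressure
        for k in (0, 1):
            newly_infected = force * s[k] * dt
            fix = patch_rate * dt if k == 0 else 0.0   # unmanaged hosts are never patched
            patched += fix * (s[k] + i[k])
            s[k], i[k] = (s[k] - newly_infected - fix * s[k] + arrivals * share[k] * dt,
                          i[k] + newly_infected - fix * i[k])
        if (step + 1) % steps_per_day == 0:
            history.append(Day((step + 1) // steps_per_day, sum(s), sum(i), patched))
    return history

def first_clean_day(history, threshold=1.0) -> Optional[int]:
    """First day with fewer than `threshold` infected hosts, or None if never."""
    return next((d.day for d in history if d.infected < threshold), None)

def patched_fraction(day: Day) -> float:
    """Share of all hosts on the network that are patched on the given day."""
    return day.patched / (day.susceptible + day.infected + day.patched)

if __name__ == "__main__":
    ideal = simulate(365)                               # everyone patches, closed population
    real = simulate(365, coverage=0.9, arrivals=50.0)   # 10% never patch, 50 new hosts/day
    for name, run in (("ideal", ideal), ("real", real)):
        last = run[-1]
        print(f"{name}: clean on day {first_clean_day(run)}, "
              f"infected at day 365 = {last.infected:.0f}, "
              f"patched = {patched_fraction(last):.1%}")
```

With full coverage and a closed population the infected count falls below one host and the patched share approaches 100%, which is the behaviour the comment questions; with 90% coverage and a steady stream of new hosts the infection never clears.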
  • by G4from128k ( 686170 ) on Tuesday May 10, 2005 @09:44AM (#12488422)
    /. discussed the Witty worm [slashdot.org] back in 2004. This analysis [caida.org] used UCSD Network Telescope IP block (containing 1/256 of IPv4 space) to sample the randomly spewed packets created by the worm. They were able to analyze quite a few interesting features, including the fact that the worm was jump-started by an infection of about 110 PCs at the outset, 24-hour cycles in infected/reinfected machines, and data on the distribution of bit-rates of worm transmitters.
  • by Anonymous Coward
    How timely this article!

    Today an internal customer asked me why Slashdot seemed to be broken. I check the firewall logs and, lo and behold, discover 66.35.250.150 triggered the firewall's IDS for tweaking port 2000/TCP.

    Why was /. poking at that port on my firewall, particularly considering what's usually there [sans.org]?

  • Are you protected (Score:3, Interesting)

    by Turn-X Alphonse ( 789240 ) on Tuesday May 10, 2005 @09:48AM (#12488452) Journal
    Are you protected in 2 answers

    Do you understand computers and how to run one securely? Yes/No if Yes continue, if no then you aren't.
    Is a patch finished and installed? If yes then you're fine. If no then you aren't protected.

    Obviously opening strange program files comes under number 1, but they may make it three points if you wish.
  • If it's gonna be a marketing pitch, they should at least make it PowerPoint so the people that try to get money to buy the solutions can make it management friendly... A few slides, some small buzzwords and presto! People get funding! Makes me crazy...Crazier. Whatever.
  • Don't open the link, it will wipe your hard drive and steal all your passwords, empty your bank account and blow up your monitor and printer...

    Seriously, this is exactly how this shit spreads - get someone to download something "cool" - one reason why I never get crack patches from the warez sites...
  • by cutecub ( 136606 ) on Tuesday May 10, 2005 @10:23AM (#12488795)

    What does a spreading Worm Simulator look like?

    Thanks to the Slashdot effect, I think we're gonna find out.

    -S

  • I wish I was not. That would explain why 30% of all email is Sober at the moment. As it is now, booze is not to blame.

    Sober, installs itself by tricking naive people in opening the Trojan disguised as

    Sorta like the MSI link in this article....

    I wonder, will I get drunk when opening it on my Windows 2003 Terminal Server?

    If so, I might be inclined.
  • When Symantec software spreads like a worm from local distribution chains, ( BestBuy, Staples, FutureShop etc. ), demand for computer repair goes up.

    Why?
    Because their software breaks every machine it touches.
    Worse, the computers they are installed on have not just one Virus, but many.

    I tell my customers its like selling a condom with a hole in it.
    You could have had so much more fun without the protection they weren't providing in the first place.

    A false sense of security is worse than no security at all.
  • Screenshot (Score:2, Informative)

    by HaydnH ( 877214 )
    Someone above requested a screenshot, I've replied above but for those that missed the reply and can't run .msi files, here's a screenie:

    http://www.jeanhaines.com/tmp/wormSim.html [jeanhaines.com]

    Haydn.

    p.s: thank god I'm at work so I can open .msi files!
  • The funny thing so far i've seen concerning worm and viruses is the Windows media center. I was looking at a new flat TV screen in an electronic shop. They were promoting the Microsoft media center. The funny thing was a little popup window at the right of the taskbar. "Windows did not find any anti-virus software on this computer." or something like. Lol...Thanks but I prefer my good old Television. Olivier
  • It looks like the entire continent of Africa is running Macs.
  • Unbiased? (Score:2, Interesting)

    by Shook18 ( 878947 )
    There is honestly no way that this "research" by an anti-virus company could be even remotely unbiased; they are going to exaggerate the hell out of this to make normal internet worms look like ebola.
  • Comment removed (Score:4, Informative)

    by account_deleted ( 4530225 ) on Tuesday May 10, 2005 @11:57AM (#12489822)
    Comment removed based on user account deletion
  • From McAfee...

    --snip--
    WARNING: SRL_Worm_Simulator.msi is infected with the W32/WormSimulator.B@mm virus!

    ACTION: Clean/Delete threat.

    It looks like you're attempting to run a competitor's program. Stop it, you insensitive clod.
    --snip--

    That was a weird virus warning I got when I downloaded that ;)
  • Hmmmm

    Let's see. How does a spreading worm look? Perhaps it looks like users blindly downloading an EXECUTABLE program for Windows after essentially being told that "this is a safe download" because it is linked to from the front page of a major website.

    I'm not sure whether to laugh or cry at the humor or the irony.

    If this thing is a virus that Norton has preprogrammed its antivirus product to ignore, I'll be laughing myself into an early grave...

  • i hate the globe part of the program. it's bad interface imo. all the fun stuff happens when i'm stuck on part of the ocean. should've made a pause button and rotate left/right for the globe.
