Simplicity in design. Episode 1. Warhol's Worm

    as simple as possible, but not simpler

    In 2001, after the CodeRed epidemic, Nicholas Weaver wrote an extremely interesting article about rapidly spreading worms, “Warhol Worms: The Potential for Very Fast Internet Plagues”, which later had a couple of sequels. Summary of the article: if a number of optimizations are added to the worm's propagation mechanism, the worm can hit the entire vulnerable population in 15 minutes or even faster. Roughly speaking, the Internet is broken before the admin finishes his coffee. The optimizations were interesting:
    1. hitlist scanning (compile a list of the first 1,000-10,000 victims in advance, to skip the slow initial stage of exponential growth)
    2. permutation scan (on finding an already infected machine, jump elsewhere in the permuted address list, since the addresses following the infected one have probably already been scanned)
    3. partitioned scan (the parent worm hands out address ranges to its descendants, so that no range is scanned twice)
    4. subnet scan (scan the local subnet first; an obvious one)

    I was very struck at the time by such possibilities for worm building. I then wrote the article “Modular Worms”, arguing that the worms of the future would have interchangeable attachments, update themselves directly over the network, etc. My article, as usual, was rejected, and five years later, as usual, it was exactly such worms that were used to build botnets. First there was Agobot, and then it became mass production. Even the term "open-source worm" appeared.

    The real Warhol worm appeared on February 25, 2003. It was called SQL Slammer and infected MS SQL Server. And this worm used not a single tricky optimization. It simply spread over UDP, fitting within a single datagram. It was simpler, it was cheaper. After all, we all know that TCP needs three packets just to start a conversation, and meanwhile data structures must be kept in the kernel, a response awaited, timers set, and so on. The UDP worm, by contrast, could simply saturate the uplink with datagrams for as long as it fit. And a lot fits: 1 Mbit/s is 332 "spores" per second, each spore being 376 bytes. The global spread of the worm took 10 minutes. Maybe faster, I thought, since my statistics were collected in 10-minute increments: in one file there was no worm, and in the next it was already there. I checked the timestamps: yes, about 10 minutes. Foreign colleagues also said 10 minutes. This record still stands.
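    To put numbers on both the datagram arithmetic and the hitlist optimization, here is an added example (mine, not from the original post): it uses the random-constant-spread logistic model from the Warhol-worm literature, the post's 376-byte datagram on a 1 Mbit/s uplink, and an assumed population of 75,000 vulnerable hosts, to estimate how much reaction time a defender has before 90% of the population is infected.

```python
import math
from typing import Optional

ADDRESS_SPACE = 2 ** 32          # IPv4 addresses a random scanner picks from
SPORE_BYTES = 376                # per-datagram size stated in the post
UPLINK_BPS = 1_000_000           # 1 Mbit/s uplink from the post
VULNERABLE_HOSTS = 75_000        # ASSUMED population size for the worked numbers


def datagrams_per_second(link_bps: int, datagram_bytes: int) -> int:
    """Whole datagrams a link carries per second (link-layer overhead ignored, as in the post)."""
    return link_bps // (datagram_bytes * 8)


def contact_rate(scans_per_second: float, vulnerable_hosts: int) -> float:
    """K in the logistic model da/dt = K*a*(1-a): new victims per infected host per second
    when target addresses are drawn uniformly from the whole IPv4 space."""
    return scans_per_second * vulnerable_hosts / ADDRESS_SPACE


def infected_fraction(k: float, initial_fraction: float, t: float) -> float:
    """Closed-form solution of the logistic model: infected fraction after t seconds."""
    growth = math.exp(k * t)
    return initial_fraction * growth / (1 - initial_fraction + initial_fraction * growth)


def time_to_fraction(k: float, initial_fraction: float, target: float) -> float:
    """Seconds until the infected fraction reaches `target` (inverse of infected_fraction)."""
    return math.log(target * (1 - initial_fraction) / (initial_fraction * (1 - target))) / k


def reaction_window(initial_infected: int, vulnerable_hosts: int = VULNERABLE_HOSTS,
                    scans_per_second: Optional[float] = None, target: float = 0.9) -> float:
    """Seconds a defender has before `target` of the population is infected, starting from
    `initial_infected` hosts (1 = a single seed, 10_000 = a pre-compiled hitlist)."""
    if scans_per_second is None:  # default: what the post's 1 Mbit/s uplink can push
        scans_per_second = datagrams_per_second(UPLINK_BPS, SPORE_BYTES)
    k = contact_rate(scans_per_second, vulnerable_hosts)
    return time_to_fraction(k, initial_infected / vulnerable_hosts, target)


if __name__ == "__main__":
    rate = datagrams_per_second(UPLINK_BPS, SPORE_BYTES)
    print(f"1 Mbit/s carries {rate} datagrams of {SPORE_BYTES} bytes per second")
    for seed in (1, 1_000, 10_000):
        minutes = reaction_window(seed) / 60
        print(f"seed of {seed:>6} hosts: 90% of {VULNERABLE_HOSTS} infected after {minutes:5.1f} min")
```

    With these inputs a single seed needs roughly 39 minutes to reach 90%, while a 10,000-host hitlist needs about 12; the per-host link speed scales K linearly, so a fatter uplink shrinks both figures proportionally.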

    Thus, the most outstanding result in the field of worm building was achieved through simplicity and cheapness, not through sophisticated mechanisms and optimizations.