[IP] more on READ more on Viruses
Begin forwarded message:
From: Johan <johan@xxxxxxxxxxx>
Date: May 24, 2005 1:20:41 AM EDT
To: dave@xxxxxxxxxx
Cc: Ip ip <ip@xxxxxxxxxxxxxx>
Subject: Re: [IP] READ more on Viruses
Christian Huitema <huitema@xxxxxxxxxxxxxxxxxxxxx> writes:
The "small population" argument assumes that one can predict the
psychology of malware writers. Incidents like the Witty worm show the
limits of such predictions. In fact, one could just as easily make the
opposite argument, "strength in numbers". Large populations are a larger
attack target, but they are also actively testing and developing
defenses, and thus less likely to be swiped out by a catastrophic
event.
Well,
I dunno whether it's ease of infection alone, or a target-rich
environment, that makes or breaks a virus.
A successful virus will be the one which has the highest chance of
re-infection, which I'm going to posit is something like the product of
the probabilities of finding a suitable host and then infecting
it, and for how long it can keep trying.
Windows viruses have a very easy time finding new hosts by just
random guessing, while having a (hopefully) smaller probability of
actually infecting the target, as it is likely running some form of
virus protection.
Linux viruses (or Mac or OpenBSD) will in general have a harder time
finding hosts at random, but may (?) have an easier time exploiting
any holes found.
However, low population doesn't mean that it's hard to find a target.
For example, if I had an exploit for Apache web servers, I'd have no
shortage of targets. I'm no firewall expert, but I wonder whether
that wasn't the case with ISS. Firewalls are easy to find: just send
traffic at a domain, and the firewall will intercept it.
The interesting part is that we've seen a marked shift in how viruses
propagate. Think back to the days of sneakernet and floppies; a
successful one had to be subtle - lay low and be stealthy for some
time before activating, else it ran the risk of not having propagated
before detection.
In contrast, today's email-borne internet viruses are a bit "blunt".
I'd like to posit that the virus that will eventually sweep through
the mac or linux communities will be more like sneakernet viruses
than internet viruses. Slow and subtle.
Johan
PS: I purposefully left out zombie nets so as not to muddy the waters,
but of course there's nothing stopping a population from
simultaneously having subtle and blunt infections. You just notice
the blunt ones first.