Worms versus Bots

Paul Jakma paul at clubi.ie
Wed May 5 09:13:02 UTC 2004

On Tue, 4 May 2004, chuck goolsbee wrote:

> So maybe they WOULD be better with a "WebTV" model.
> Or a Macintosh.

or a cheap Lidl or WalMart PC with Fedora 1 on it. Epiphany,
Evolution and OpenOffice would keep the vast majority of the basic
computer users happy. Distributions like Fedora[0] are pretty much
invulnerable to mass, automated worm infections[1].

Automated worms would literally be a thing of the past if everyone
switched to Fedora, RHEL or if the current dominant OS vendor adopted
similar measures (apparently they will be). Judging by the amount of
packets (couple per s) I get in to common vulnerability ports, there 
are a lot of worm infected machines out there:

# iptables -L scans -v | awk '
    BEGIN { printf ("\n%5s  %6s  %4s  %20s\n", "pkts", "bytes", "prot", "dest port"); }
    NR > 2 && $1 ~ /^[0-9]/ {
        sub (/^dpt:/, "", $11);
        pkts += $1; bytes += $2;
        printf ("%5d  %6d  %4s  %20s\n", $1, $2, $4, $11);
    }
    END { printf ("-----  ------\n%5d  %6d\n", pkts, bytes); }'

 pkts   bytes  prot             dest port
 1721   82856   tcp          microsoft-ds
  874   42008   tcp                   135
  455   21944   tcp           netbios-ssn
  322   15456   tcp                  3127
   36    1788   tcp              ms-sql-s
  661   31776   tcp                  2745
  309   14832   tcp                  6129
   82    3960   tcp                  swat
  427   20556   tcp                  1025
  263   20514   udp            netbios-ns
   36   14544   udp              ms-sql-m
-----  ------
 5186  270234

that's maybe an hour's worth or less of counting too. And what uses 
TCP ports 1327 and 2745?

0. http://people.redhat.com/drepper/nonselsec.pdf[2]

1. Though not to trojans which attack human vulnerabilities
obviously, or non-buffer-overflow attacks, e.g. scripting language
vulnerabilities, though these are rare.

2. Obviously, the 2 main mechanisms described in the paper originate
elsewhere in concept, but Fedora is probably the first OS of
sufficient use to a basic computer user to put it all together.

Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
	warning: do not ever send email to spam at dishone.st
	Money isn't everything, but at least it keeps the kids in touch.
