Zotob: PnP vulnerability worm
Long-form thinking on cyber defence, detection, and resilience — from Slackware-era honeypots through to AI-driven SOC analytics.
Showing posts tagged worm — 13 results.
Zotob exploits the Plug-and-Play vulnerability MS05-039. Targeted Windows 2000 specifically.
Sasser exploits the LSASS vulnerability. Another major Windows worm, similar pattern to Blaster.
Witty worm reached saturation in 45 minutes. Faster than SQL Slammer. Targets BlackICE personal firewall.
Two more worms in two days. Welchia (a Blaster-removing worm) and Sobig.F (a record-breaking mass-mailer).
Blaster worm has hit. Exploits RPC DCOM in Windows. A short writeup.
Yesterday a worm called SQL Slammer reached saturation in roughly 10 minutes. The fastest worm in history. A brief writeup.
A week into Slapper. The peer-to-peer architecture has produced a more durable compromised population than centralised worms produce. The defensive implications are substantial.
The Linux worm I previewed in July has now appeared in the wild. Slapper uses peer-to-peer command-and-control. The architectural innovations are worth understanding.
Reports of a Linux-targeted worm exploiting the recent OpenSSL bug are circulating. A brief preview before the public outbreak.
Yesterday a worm called Nimda appeared, simultaneously exploiting five distinct propagation vectors. The structural complexity is greater than any previous worm. A first writeup before the analysis converges.
A more sophisticated variant of Code Red has appeared. Code Red II uses the same IIS vulnerability but installs a persistent backdoor and propagates more cleverly. The trajectory I predicted last week is on schedule.
A week into Code Red. The worm has reached saturation; the analysis from multiple research groups is converging. A walk through what we now know and what it teaches.
Last Friday a worm exploiting the IIS .ida vulnerability appeared in the wild. By Saturday it had compromised tens of thousands of hosts. By Sunday, hundreds of thousands. The worm I have been predicting is here.