Friday, June 10, 2005
Witty Worm Insider? Perhaps not.
In several discussions around the net it has been suggested that the author of the Witty Worm must be an insider. I'm not so sure. Although I agree that it's interesting that the worm was pre-populated with a seed target list, and also interesting that some of those hosts were on a military base, I'm not convinced of the conclusions that others have drawn from these facts, namely that the attacker had to be an insider -- either from the product vendor, or from the company who reported the defect. Likewise, the implication that the attack was directed at the US Military doesn't make sense. A few minutes of scanning could have produced a list of 100 vulnerable hosts. The scanning algorithm might have been something like this:
- google to find likely customers of the company whose product will be exploited,
- find address blocks likely to be associated with those clients using various DNS tools,
- scan randomly until you find a vulnerable host,
- then walk up and down from that IP address to find others which are likely to be nearby.