This proposal for target selection is part of a more general class: external target list worms, aka "Metaserver" worms. A metaserver is simply a server who's job is to keep track of other servers, which a worm can use to discover actual targets. Not only is google a metaserver, but they appear all over: the domain controller is a windows metaserver in the enterprise LAN, and gamespy is a metaserver for a bunch of different multiplayer-games. They can all be leveraged as means of finding targets. See Nicholas Weaver, Vern Paxson, Stuart Staniford, Robert Cunningham, "A Taxonomy of Computer Worms", First workshop on Rapid Malcode (WORM) 2003. URL: http://www.cs.berkeley.edu/~nweaver/papers/taxonomy.pdf for more details. Additionally, its a question how much making the system self-propigating buys you for the particular target populations, over just auto-rooting using the list the metaserver gives you. Self propigation allows exponential growth, but when the target population is on the order of ~10k or less, and the metaserver gives you a complete list of these targets, a simple sequential attack is acceptable as a per-zombie throughput of 1 victim/second would only require 2.7 hours to get the entire population using just one zombie, while 10 zombies could go through the entire population in just over 15 minutes. The major possible advantage of making it a worm is not speed (after all, the Witty author easily got ~120 zombies, and 15 minutes totally blows away human-based defenses), but robustness once defenses for automated attacks are developed in the future. The major disadvantage of making it a worm is that this now has servers engaged in unusual behavior (initiating outgoing connections), which could also be picked up by automated defenses. If I was Evil Hacker, the current defenses are such that I'd use a zombie group, rather than a worm. And probably in the future, I'd use a small zombie-army, given the size of the population, and the additional stealth imparted by not having the compromised servers attack other servers. It also strongly overlaps with such work as "Googling Up Passwords" by Scott Granneman, http://www.securityfocus.com/columnists/224 which you should probably cite. This doesn't affect the overall conclusion of the whitepaper (small populations of custom services are vulnerable to fast attacks, because the metaservers can be used to provide a target list), but this is not a new worm concept, but a particular instance of a more general, and highly dangerous class of attack. -- Nicholas C. Weaver nweaver@cs.berkeley.edu
