Where Worms Go To Die?
by Anton Chuvakin
Related link: http://www.chuvakin.org/honeynet/worms/
Where do computer worms go to die? Recently I got curious about what happens to the old worms that, by all counts, deserve to die a fast and painful death. So, I tapped into my security event storage, collected from honeypots and various other Internet-exposed sensors over the last couple of years. Here is what I came up with (see the link to the picture and some rolling summary counts for ports and Snort NIDS alerts). The weirdest thing discovered was that even "bad old" CodeRed (circa 2001) is not going away.
In epidemiology, a disease has a 'threshold'. When the number of hosts in the environment falls below the threshold, the epidemic dampens, because the disease can't spread rapidly enough (fewer new hosts catch the disease than the number of infected hosts that leave through death or healing). Some studies suggest that the threshold for a computer virus on the Internet is zero - the net is so interconnected that a single infected host is a sufficient source to maintain the epidemic.
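The threshold argument above can be made concrete with the degree-based mean-field SIS (susceptible-infected-susceptible) model, where an infection persists only if the spread-to-cure ratio exceeds ⟨k⟩/⟨k²⟩, computed over the number of links k per host. This is an added example, not part of the original post: it compares a network where every host has 4 links with a hub-heavy power-law network of similar mean degree. The degree distributions, rates and cutoffs are constructed for illustration.

```python
# Added illustration (not from the original post): degree-based mean-field SIS model.
# Degree distributions, rates and cutoffs are constructed for the example.

def power_law_degrees(gamma, k_min, k_max):
    """Return {degree: probability} with P(k) proportional to k**-gamma."""
    weights = {k: k ** -gamma for k in range(k_min, k_max + 1)}
    total = sum(weights.values())
    return {k: w / total for k, w in weights.items()}

def threshold(pk):
    """Critical spread/cure ratio below which the epidemic dies out: <k>/<k^2>."""
    mean_k = sum(k * p for k, p in pk.items())
    mean_k2 = sum(k * k * p for k, p in pk.items())
    return mean_k / mean_k2

def steady_prevalence(pk, beta, delta, steps=3000, dt=0.01, seed=1e-3):
    """Euler-integrate d(rho_k)/dt = -delta*rho_k + beta*k*(1 - rho_k)*theta.

    rho_k is the infected fraction among hosts with k links; returns the
    overall infected fraction after steps*dt time units.
    """
    mean_k = sum(k * p for k, p in pk.items())
    rho = {k: seed for k in pk}
    for _ in range(steps):
        # theta: chance that a randomly followed link ends at an infected host
        theta = sum(k * pk[k] * rho[k] for k in pk) / mean_k
        rho = {k: r + dt * (-delta * r + beta * k * (1 - r) * theta)
               for k, r in rho.items()}
    return sum(pk[k] * rho[k] for k in pk)

HOMOGENEOUS = {4: 1.0}                          # every host has exactly 4 links
SCALE_FREE = power_law_degrees(2.5, 2, 200)     # mean degree about 4.3, with hubs

if __name__ == "__main__":
    beta, delta = 0.1, 1.0                      # spread/cure ratio of 0.1
    for name, pk in (("homogeneous", HOMOGENEOUS), ("scale-free", SCALE_FREE)):
        print(f"{name:12s} threshold={threshold(pk):.3f} "
              f"prevalence={steady_prevalence(pk, beta, delta):.4f}")
    # Raising the hub cutoff pushes the threshold further toward zero.
    for k_max in (200, 2000, 20000):
        print(k_max, round(threshold(power_law_degrees(2.5, 2, k_max)), 4))
```

At the same spread-to-cure ratio of 0.1, the infection decays to nothing in the homogeneous network and settles at a persistent nonzero level in the hub-heavy one, and the threshold keeps shrinking as the largest hub grows.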