Thu, 14 Aug 2003

Is W32/Blaster cleaning up the Internet?

For the past few days, I've been scratching my head trying to figure out why, all of a sudden, I don't see any HTTP exploit attempts in my logs. I usually see 4-10 exploit attempts a mixture of cmd.exe and default.ida attempts. However, Sunday, 8/10 was the last time I saw any such attempts in the logs.

It seems statistically improbable that this is just a normal lull in activity.

There is a possible explanation. Perhaps the W32/Blaster Worm (aka, LovSan) is responsible.

I assume the vast majority of exploit attempts come from Windows systems that have been compromised by worms like Nimba and Code Red. They are attempting to propagate themselves through HTTP exploits. If these same systems where taken down by W32/Blaster, then they aren't able to spread the other worms they host.

Because Blaster causes infected machines to crash, they will get the attention of their owners. Some will just remove W32/Blaster, leaving other worms intact. However, I expect most infected systems will get a more thorough cleaning, virus detection software installed, etc.

A side effect of W32/Blaster could be a much cleaner Internet.

I haven't verified this or seen this theory posted elsewhere, yet. I'll be hunting for verification.

[/internet] [link]

About this weblog

This site is the personal weblog of Marc Mims. You can contact Marc by sending e-mail to:
marc@questright.com.

Marc writes here about cycling, programming, Linux, and other items of personal interest.

This site is syndicated with RSS.

Archives

Credits

CSS stolen from Tom Coates who didn't even complain.