reply to justin
Re: Blackice "Witty" Worm: source port 4000 UDP
said by justin: Same idea, I would speculate, with malware that acts in an overt way versus malware that acts more covertly.
But then, in the real world, a virus that kills the host is not a winning strategy. This is one that kills shortly after and hopefully after infecting a few more, like Ebola. Spectacular but short-lived.
Exploit-based malware that scans like mad (high packet rates and broad IP address space "coverage") draws more attention to multiple aspects of the scanning (not just the ports, but also things like the "exploit"). And it will likely provoke a higher/escalated response to address the scanning -- usually involving an escalation of traffic filtering and patching. (Blaster being an example, I believe.) E-mail based malware is a more complicated situation, I believe (more factors).
In this case, I don't think the author of this thing cares as much about the level of response -- other than striking at a time which allows for a perhaps two-day head start -- since the "average" response time is still so long that a good portion of the infected systems will have crashed before someone gets to them.