What if people developing worms do small test runs before the final release?
The AT&T approach might not work if the developer was testing it on a private network, but if they used a small collection of zombies on the internet to test it out and see how well it works, conceivably it could be detected? Or something like that...

> [mailto:[EMAIL PROTECTED] On Behalf Of Hoho
> On Fri, 2003-10-17 at 22:44, jkm wrote:
> > Quote 2:
> > "AT&T saw anomalies in its network three to four weeks before that worm
> > hit and was able to take certain precautions. "When the worm actually
> > happened, AT&T's network did not take a hit," Eslambolchi said."
>
> Doesn't it seem like they're trying to violate causality? If the worm
> doesn't exist yet, then its associated traffic doesn't exist yet, hence
> there's nothing to detect. Wonder what those 'anomalies' were. Seems no
> more effective than just watching MS security patches and reading FD.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
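The thread does not say what AT&T actually measured, so the following is an added illustration, not the list's or AT&T's method: a per-port baseline detector run over constructed flow records (hour, source IP, destination port). It shows why a small test run from a handful of previously unseen hosts can stay under a plain volume threshold yet stand out on a distinct-source count, while a single noisy host trips only the volume check. The port, addresses and thresholds are all constructed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

def constructed_flows():
    """Constructed sample flows (hour, src_ip, dst_port); not real traffic."""
    flows = []
    for h in range(24):                          # hours 0..23: quiet baseline
        for _ in range(h % 4 + 1):               # one host varies 1..4 SYNs/hour
            flows.append((h, "10.0.0.5", 135))
        flows.extend([(h, "10.0.0.9", 135)] * 2) # a second host, steady 2 SYNs/hour
        flows.append((h, "10.0.0.7", 445))       # unrelated port, ignored below
    for i in range(6):                           # hour 24: six unseen hosts, one probe each
        flows.append((24, f"198.51.100.{i}", 135))
    flows.extend([(25, "10.0.0.5", 135)] * 10)   # hour 25: one known host bursts
    return flows

def per_hour_stats(flows, port):
    """Return {hour: (syn_count, distinct_sources)} for one destination port."""
    counts, sources = defaultdict(int), defaultdict(set)
    for hour, src, dport in flows:
        if dport == port:
            counts[hour] += 1
            sources[hour].add(src)
    return {h: (counts[h], len(sources[h])) for h in sorted(counts)}

def flag_anomalies(stats, baseline_hours, k=3.0, floor=1.0):
    """Flag non-baseline hours whose volume or distinct-source count exceeds
    mean + k*stdev of the baseline; `floor` keeps a flat baseline from making
    the threshold degenerate (stdev of a constant series is 0)."""
    vols = [stats[h][0] for h in baseline_hours if h in stats]
    srcs = [stats[h][1] for h in baseline_hours if h in stats]
    vol_thr = mean(vols) + k * max(pstdev(vols), floor)
    src_thr = mean(srcs) + k * max(pstdev(srcs), floor)
    flagged = {}
    for h, (vol, nsrc) in stats.items():
        if h in baseline_hours:
            continue
        reasons = []
        if vol > vol_thr:
            reasons.append("volume")
        if nsrc > src_thr:
            reasons.append("new_sources")
        if reasons:
            flagged[h] = reasons
    return flagged

if __name__ == "__main__":
    stats = per_hour_stats(constructed_flows(), 135)
    print(flag_anomalies(stats, baseline_hours=range(24)))
```

With this data the distributed probe in hour 24 is flagged only by the distinct-source metric and the single-host burst in hour 25 only by volume, which is the distinction a defender would want when the question is whether a few test zombies would be visible at all.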