web application security lab

Samy Worm Analysis

I was doing some writing about the Samy worm last night in the XSS book, and after doing some looking into the growth pattern of the worm (which I don’t think anyone has bothered to do) I was able to come up with a rough estimation of the acceleration of growth. Thanks to Samy for diligently writing down times and numbers. Granted, those times and numbers are probably rough estimates, and the last entry, which is probably the most important to calculating this, was not entered (bummer). Only “a few minutes” was marked for that last entry, so it’s difficult to say what it would have looked like. I put four minutes as less than 5 and greater than three for the worst case since no one really knows.

There are a few interesting points to note here. The first is not just that it had super slow growth, but that the point at which it became explosive in growth was somewhere just north of 8000 users who were infected. Further, if you look at the last two bullets (granted the last one is a guess) it appears that there is still an increase in acceleration of growth. That means that while the Samy worm was bad, it was nowhere near as bad as it could have been if it had been allowed to spread naturally. That insane growth scale is pretty unheard of, so it’s an interesting thing to see written out in this way.

7 Responses to “Samy Worm Analysis”

  1. Paul Says:

    Interesting! Is it possible to get that plot with a logarithmic scale on the vertical axis? Presumably, each given infected user should be infecting a certain number of users per minute, so with a logarithmic scale, the graph should be (close to) a straight line. The slope of the line would also tell you just how many users each infected user was infecting, per minute.

    In fact, one would expect the straight line to start curving towards horizontal as time goes on — as the early infected users had infected all their friends, and so stopped infecting new people. It would be interesting to see if there was any sign of saturation appearing by the time the worm was stopped.
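
The log-scale reading suggested in the comment above, as an added example that is not part of the original post or its comments. The sample counts are constructed from a logistic model with assumed parameters (1 seed account, rate 0.02 per minute, 1,000,000 reachable accounts), not Samy's recorded figures, and all function names are hypothetical.

```python
import math

def logistic(t, n0=1.0, r=0.02, k=1_000_000.0):
    """Constructed model: n0 seed accounts, per-minute rate r, k reachable accounts."""
    return k / (1.0 + (k / n0 - 1.0) * math.exp(-r * t))

# Constructed samples (minute, infected count); NOT Samy's published figures.
SAMPLES = [(t, logistic(t)) for t in range(0, 901, 60)]

def log_slope(samples):
    """Least-squares slope of ln(count) against time: the straight line on a log plot."""
    ts = [t for t, _ in samples]
    ys = [math.log(n) for _, n in samples]
    t_mean, y_mean = sum(ts) / len(ts), sum(ys) / len(ys)
    num = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    den = sum((t - t_mean) ** 2 for t in ts)
    return num / den

def interval_rates(samples):
    """Per-minute growth rate between consecutive samples, keyed by interval start."""
    return [(t1, math.log(n2 / n1) / (t2 - t1))
            for (t1, n1), (t2, n2) in zip(samples, samples[1:])]

def saturation_onset(samples, baseline_points=5, fraction=0.8):
    """Start minute of the first interval whose rate drops below
    `fraction` of the early fitted slope, or None if growth never slows."""
    baseline = log_slope(samples[:baseline_points])
    for start, rate in interval_rates(samples):
        if rate < fraction * baseline:
            return start
    return None

if __name__ == "__main__":
    r = log_slope(SAMPLES[:5])
    print(f"early slope: {r:.4f} new infections per infected user per minute")
    print(f"doubling time: {math.log(2) / r:.1f} minutes")
    for start, rate in interval_rates(SAMPLES):
        print(f"t={start:4d} min  rate={rate:.4f}")
    print("growth starts flattening at minute", saturation_onset(SAMPLES))
```

The slope is taken on the natural logarithm, so it reads directly as the per-user, per-minute rate; a plot drawn with a base-10 axis needs its slope multiplied by ln(10) to give the same number.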

  2. pdp Says:

    now picture what would have happened if samy was dropping one of the infamous IE exploits from last year… hm.. let’s say IE VML.

    How easy is it to construct a botnet these days?

  3. Awesome AnDrEw Says:

    I’m sure had Samy not told MySpace how to go about fixing it, it’d still be spreading.

  4. Blackshadow Says:

    Thanks for providing the detailed graph. As Paul pointed out, this worm incident follows the classic S curve shape for infections.

    Check out this paper on the subject published in the ISSA magazine a few years ago:

  5. LCNA Says:

    I originally learnt of this story by reading the ‘diary’ of Samy as he monitored the worm’s progress. I’ve since been unable to find it. Anybody know where I might be able to get a copy of that transcript?

  6. Mohammad Reza Says:

    Hi dude, would you please send me more data about that graph? I want to make a model.

  7. Dina Says:

    to: LCNA
    I know it’s been a while but maybe you still want it…