Re: [Full-Disclosure] interesting?

From: Roland Postle
Date: Sat, 01 Feb 2003 16:25:18 +0000

    On Sat, 1 Feb 2003 15:03:50 +0100, Simon Marechal wrote:

    >> Actually, that was what the worm author did. The algorithm generates new
    >> numbers from the current (i.e. it has some sort of knowledge what hosts
    >> have already been infected) plus a not-really-predictable component
    >> (system time, IIRC) plus some sort of counter because the system clock
    >> is so slow.
    >> So what we have witnessed is the structured approach. The question
    >> remains whether the worm author is a maths wizard or just plain lucky.

    The pRNG is seeded from GetTickCount. There's no knowledge of
    previously infected hosts.

    >Using a random distribution is easier to code than another kind. Plus,
    >if you use a hierarchical way, you'd better be a REALLY good math whiz
    >to make sure 2 worms won't cover the same ip-range.

    Maybe it's a little easier but, in a TCP based worm at least, it
    doesn't require a lot of thought or math to implement. The first worm
    aims to infect the entire range. When it knows it's going to infect
    another host it delegates half of its range (in the form of an upper
    and lower limit) to the new worm, whose aim then becomes to infect its
    half of the internet. As each instance of the worm infects more hosts
    they halve their range more and more. For a little resilience, in case
    some infections are 'killed off', each worm might delegate a particular
    address range 4 or 5 different times.

    The same kind of strategy could be applied to connectionless scanning,
    you just need a little knowledge of how likely each sent out packet is
    to infect a host. Say there's a 1% chance per packet, even if you're
    not good at maths you're going to send out at least 100 packets, in
    which case you'll infect on average 60% of the internet. If you have
    enough maths knowledge to code a worm in assembly language, you'll
    likely do better.

    Judging by the mistakes the sapphire worm author made in its pRNG this
    strategy might have been easier.

    - Blazde

    Full-Disclosure - We believe in it.
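The two strategies discussed in the message above, as an added example that is not part of the original post or of any real worm's code: a simulation of the binary range-delegation scheme (each instance scans one address from its range, then hands the upper half of what is left to the host it just infected) on a constructed toy address space of 65536 "hosts", next to the coverage estimate for uniform random scanning. The address space size, the one-packet-per-round pacing and the assumption that every scanned address is vulnerable are simplifications chosen here so the coverage question can be isolated.

```python
"""Added example: hierarchical range delegation vs. uniform random scanning.

Not code from the original post. The 16-bit address space, the pacing and the
assumption that every address is vulnerable are constructed simplifications.
"""
import random

SPACE = 1 << 16  # constructed toy address space: 65536 "hosts", not the real Internet


def split_range(lo, hi):
    """Split the half-open range [lo, hi) in two: the infector keeps the lower half,
    the newly infected host is delegated the upper half."""
    mid = (lo + hi) // 2
    return (lo, mid), (mid, hi)


def simulate_hierarchical(space=SPACE):
    """Run the delegation scheme round by round.

    Every live instance owns a range [lo, hi) still to be scanned. Each round it
    scans the first address of its range (one packet), then splits the remainder
    with the host it just infected. Returns coverage, overlap (addresses scanned
    more than once), total packets sent and rounds needed.
    """
    active = [(0, space)]          # the first worm aims at the whole space
    scanned = bytearray(space)     # how many times each address was scanned
    overlap = packets = rounds = 0
    while active:
        rounds += 1
        next_active = []
        for lo, hi in active:
            if scanned[lo]:
                overlap += 1
            scanned[lo] += 1
            packets += 1
            lo += 1                                    # this address is done
            if hi - lo >= 2:
                mine, theirs = split_range(lo, hi)     # delegate half of the rest
                next_active.append(mine)
                next_active.append(theirs)
            elif hi - lo == 1:
                next_active.append((lo, hi))           # one address left, no split
        active = next_active
    covered = sum(1 for s in scanned if s)
    return {"covered": covered, "overlap": overlap, "packets": packets, "rounds": rounds}


def expected_coverage(p, n):
    """Fraction of hosts reached when each of n packets independently reaches a
    given host with probability p: 1 - (1 - p)**n. For p = 0.01 and n = 100 this
    is the post's figure of roughly 60% (about 0.634)."""
    return 1.0 - (1.0 - p) ** n


def random_scan_coverage(space=SPACE, packets=SPACE, seed=1):
    """Monte Carlo for uniform random scanning: send `packets` to uniformly
    random addresses and return the fraction of distinct addresses hit."""
    rng = random.Random(seed)
    hit = bytearray(space)
    for _ in range(packets):
        hit[rng.randrange(space)] = 1
    return sum(hit) / space


if __name__ == "__main__":
    h = simulate_hierarchical()
    print("hierarchical:", h)
    print("random, same packet budget: %.3f of the space" % random_scan_coverage())
    print("1%% per packet, 100 packets: %.3f" % expected_coverage(0.01, 100))
```

With the same packet budget (one packet per address in the space), the delegation scheme covers every address exactly once in log2(space) + 1 rounds, while random scanning reaches only about 1 - 1/e, roughly 63%, of the space; the remaining packets are wasted on addresses already hit. The message's resilience idea (delegating the same range to 4 or 5 infections) would reintroduce overlap on purpose, trading packets for tolerance of killed-off instances; that variant is not modelled here.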