Re: [Full-Disclosure] interesting?

From: Roland Postle
Date: 02/01/03

Date: Sat, 01 Feb 2003 16:25:18 +0000

On Sat, 1 Feb 2003 15:03:50 +0100, Simon Marechal wrote:

>> Actually, that was what the worm author did. The algorithm generates new
>> numbers from the current (i.e. it has some sort of knowledge what hosts
>> have already been infected) plus a not-really-predictable component
>> (system time, IIRC) plus some sort of counter because the system clock
>> is so slow.
>> So what we have witnessed is the structured approach. The question
>> remains whether the worm author is a maths wizard or just plain lucky.

The pRNG is seeded from GetTickCount. There's no knowledge of
previously infected hosts.

>Using a random distribution is easier to code than another kind. Plus,
>if you use a hierarchical way, you'd better be a REALLY good math whiz
>to make sure 2 worms won't cover the same ip-range.

Maybe it's a little easier but, in a TCP based worm at least, it
doesn't require a lot of thought or math to implement. The first worm
aims to infect the entire range. When it knows it's going to infect
another host it delegates half of its range (in the form of an upper
and lower limit) to the new worm, whose aim then becomes to infect its
half of the internet. As each instance of the worm infects more hosts they
halve their range more and more. For a little resilience, in case some
infections are 'killed off', each worm might delegate a particular
address range 4 or 5 different times.

The same kind of strategy could be applied to connectionless scanning,
you just need a little knowledge of how likely each sent out packet is
to infect a host. Say there's a 1% chance per packet, even if you're
not good at maths you're going to send out at least 100 packets, in
which case you'll infect on average 60% of the internet. If you have
enough maths knowledge to code a worm in assembly language, you'll
likely do better.

Judging by the mistakes the Sapphire worm author made in its pRNG this
strategy might have been easier.

- Blazde
