Full Disclosure mailing list archives
Re: 100 Worms per Second, Courtesy of Telstra
From: "Roland Postle" <mail () blazde co uk>
Date: Mon, 27 Jan 2003 02:38:22 +0000
On Sun, 26 Jan 2003 13:50:40 -0500, Karl A. Krueger wrote:
> Pardon my delurk, but this is very strange worm behavior. We are seeing 100 SQL Worms per second from a single IP address on Telstra. This is about 10k times the level of activity we are seeing from any other address. Anyone here either know anyone at Telstra who can shut this off, or perhaps at least some explanation of why this worm instance would set aside its usual randomish behavior and flood us like this?
The worm's pseudo random number generator works by taking the dword representation of the last host it attacked, multiplying it by 214013 and adding a fixed constant which is the address of GetProcAddress on the host machine. (The RNG is seeded using GetTickCount, which returns the number of milliseconds of uptime). The math is modulo 2^32 because it's done in 32-bit registers.

In this case, the worm hit an address on the subnet 128.128./16 and got 'stuck' on it. Any address on the subnet will take the form xxxx8080h when represented as a dword. Multiplying it by 214013 as the pRNG does always gives a dword of the form xxxx7E80h. So it only takes a GetProcAddress of the form xxxx0200h and the worm has set itself up to target another host on the same subnet.

I don't know enough math to explain the significance of this particular cycle, but I suspect there are other, more subtle cycles. Perhaps there are also addresses which will usually be missed entirely or certain address types that the pRNG will 'gravitate' towards.

- Blazde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
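The arithmetic in the post above can be checked directly. The following is an added example, not part of the original message or of any worm code: it models only the recurrence as the post describes it, and the increment `0x12340200` is a constructed stand-in for a GetProcAddress value of the form xxxx0200h. It also goes one step beyond the post by enumerating every /16 prefix that maps to itself for a given increment, which is the pattern a network defender would expect a single flooding source to lock onto.

```python
import socket
import struct

MULT = 214013                       # multiplier given in the post
MASK32 = 0xFFFFFFFF                 # arithmetic is done in 32-bit registers
CONSTRUCTED_INCREMENT = 0x12340200  # constructed value, low word 0200h

def ip_to_dword(ip):
    """Dotted quad -> dword as a little-endian (x86) register holds it."""
    return struct.unpack("<I", socket.inet_aton(ip))[0]

def dword_to_ip(dword):
    return socket.inet_ntoa(struct.pack("<I", dword & MASK32))

def next_target(last, increment):
    """One step of the recurrence described in the post."""
    return (last * MULT + increment) & MASK32

def walk(start_ip, increment, steps):
    """Successive addresses the recurrence produces from start_ip."""
    out, state = [], ip_to_dword(start_ip)
    for _ in range(steps):
        state = next_target(state, increment)
        out.append(dword_to_ip(state))
    return out

def stuck_prefixes(increment):
    """Every a.b/16 whose low word maps to itself for this increment.

    The low 16 bits of the dword are the first two octets, and they evolve
    independently of the high 16 bits, so a fixed point there means the
    generator never leaves that /16.
    """
    a, c = MULT & 0xFFFF, increment & 0xFFFF
    return ["%d.%d" % (low & 0xFF, low >> 8)
            for low in range(0x10000)
            if (low * a + c) & 0xFFFF == low]

if __name__ == "__main__":
    low = ip_to_dword("128.128.1.2") & 0xFFFF
    print("low word of 128.128.x.y: %04Xh" % low)
    print("after multiply:          %04Xh" % ((low * MULT) & 0xFFFF))
    print("first targets:", walk("128.128.1.2", CONSTRUCTED_INCREMENT, 5))
    print("stuck /16s:   ", stuck_prefixes(CONSTRUCTED_INCREMENT))
```

With an odd increment the list of stuck prefixes is empty, so whether an infected host floods a single /16 depends on the low bits of the constant it happens to add.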