Security Incidents mailing list archives
Re: Worm on 445/tcp?
From: "Stephen J. Friedl" <steve () unixwiz net>
Date: Tue, 17 Dec 2002 12:34:35 -0800
Scott A. McIntyre wrote:
> It appears as though there's a high degree of randomness to the destination IP addresses that are chosen by the worm as can be seen from this 1 second snapshot:
The scanning pattern *is* random, though with a twist. It uses the rand() function twice to create a random IP address, but this function only has 15 bits of pseudorandomness. The upshot is that the second and fourth octets of the IP address will always be in the range 0..127. So my IP at home (64.170.X.X) won't ever get any hits.
Steve

--
Stephen J Friedl • Software Consultant • Tustin, CA • +1 714 544-6561
www.unixwiz.net • I speak for me only • KA8CMY • steve () unixwiz net
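Added example, not part of the original message and not the worm's code: a C check that tells whether a destination address seen in 445/tcp logs falls inside the range described above (second and fourth octets in 0..127). The byte layout in `pack_octets` is an assumption chosen to reproduce that result, and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed layout (not taken from the worm's code): each 15-bit rand() result
   fills one 16-bit half of the address, stored low byte first, so the high
   byte of each half lands in octet 2 and octet 4. */
static void pack_octets(unsigned r1, unsigned r2, uint8_t oct[4]) {
    r1 &= 0x7FFF;                 /* rand() yields only 15 bits per call */
    r2 &= 0x7FFF;
    oct[0] = r1 & 0xFF;  oct[1] = r1 >> 8;
    oct[2] = r2 & 0xFF;  oct[3] = r2 >> 8;
}

/* Largest value octets 2 and 4 can take over every 15-bit input. */
int max_high_octet(void) {
    uint8_t oct[4];
    int max = 0;
    for (unsigned r = 0; r <= 0x7FFF; r++) {
        pack_octets(r, r, oct);
        if (oct[1] > max) max = oct[1];
        if (oct[3] > max) max = oct[3];
    }
    return max;
}

/* 1 = address is inside the range the scanner can generate,
   0 = it can never be targeted, -1 = not a dotted quad. */
int in_scan_range(const char *dotted) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(dotted, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    return b <= 127 && d <= 127;
}

int main(void) {
    /* Constructed sample destinations, e.g. from a firewall log on 445/tcp. */
    const char *seen[] = { "64.170.1.1", "192.0.2.1", "198.51.100.200", "203.0.113.5" };
    printf("max octet 2/4 value: %d\n", max_high_octet());
    for (int i = 0; i < 4; i++)
        printf("%-16s %s\n", seen[i],
               in_scan_range(seen[i]) == 1 ? "reachable" : "never targeted");
    return 0;
}
```

With both octets limited to 128 of 256 values, the reachable set is one quarter of the IPv4 address space; 445/tcp probes to addresses outside it point to a different scanner.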