| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: mail at blazde.co.uk (Roland Postle) Subject: 100 Worms per Second, Courtesy of Telstra On Sun, 26 Jan 2003 13:50:40 -0500, Karl A. Krueger wrote: >Pardon my delurk, but this is very strange worm behavior. We are seeing >100 SQL Worms per second from a single IP address on Telstra. This is >about 10k times the level of activity we are seeing from any other >address. > >Anyone here either know anyone at Telstra who can shut this off, or >perhaps at least some explanation of why this worm instance would set >aside its usual randomish behavior and flood us like this? The worm's psuedo random number generator works by taking the dword representation of the last host it attacked, multiplying it by 214013 and adding a fixed constant which is the address of GetProcAddress on the host machine. (The RNG is seeded using GetTickCount, which returns the number of milliseconds of uptime). The math is modulo 2^32 because it's done in 32bit registers. In this case, the worm hit an address on the subnet 128.128./16 and got 'stuck' on it. Any address on the subnet will take the form xxxx8080h when represented as a dword. Multiplying it by 214013 as the pRNG does always gives a dword of the form xxxx7E80h. So it only takes a GetProcAddress of the form xxxx0200h and worm has set itself up to target another host on the same subnet. I don't know enough math to explain the significance of this particular cycle, but I suspect there's other more subtle cycles. Perhaps there's also addresses which will usually be missed entirely or certain address types that the pRNG will 'gravitate' towards. - Blazde
Powered by blists - more mailing lists