Open Source and information security mailing list archives
From: mail at blazde.co.uk (Roland Postle)
Subject: interesting?

On Sat, 1 Feb 2003 15:03:50 +0100, Simon Marechal wrote:

>> Actually, that was what the worm author did. The algorithm generates new
>> numbers from the current (i.e. it has some sort of knowledge what hosts
>> have already been infected) plus a not-really-predictable component
>> (system time, IIRC) plus some sort of counter because the system clock
>> is so slow.
>> 
>> So what we have witnessed is the structured approach. The question
>> remains whether the worm author is a maths wizard or just plain lucky.

The pRNG is seeded from GetTickCount. There's no knowledge of
previously infected hosts.

>Using a random distribution is easier to code than another kind. Plus,
>if you use a hierarchical way, you'd better be a REALLY good math whizz
>to make sure 2 worms won't cover the same ip-range.

Maybe it's a little easier but, in a TCP-based worm at least, it
doesn't require a lot of thought or math to implement. The first worm
aims to infect the entire range. When it knows it's going to infect
another host it delegates half of its range (in the form of an upper
and lower limit) to the new worm, whose aim then becomes to infect its
half of the internet. As each instance of the worm infects more hosts it
halves its range more and more. For a little resilience, in case some
infections are 'killed off', each worm might delegate a particular
address range 4 or 5 different times.

The same kind of strategy could be applied to connectionless scanning,
you just need a little knowledge of how likely each sent out packet is
to infect a host. Say there's a 1% chance per packet, even if you're
not good at maths you're going to send out at least 100 packets, in
which case you'll infect on average 60% of the internet. If you have
enough maths knowledge to code a worm in assembly language, you'll
likely do better.

Judging by the mistakes the Sapphire worm author made in its pRNG this
strategy might have been easier.

- Blazde
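The "60%" figure in the mail above follows from the standard random-scanning saturation model; the derivation below is added here and is not part of the original message. It assumes each probe hits an address uniformly at random and independently of the others, and uses $\lambda$ for the mean number of hits a single vulnerable host receives (a symbol not used in the mail).

Let each packet reach a given vulnerable host with probability $q$, and let $n$ packets be sent in total, so the mean number of hits per vulnerable host is $\lambda = nq$. The probability that a particular host is never hit is

$$(1-q)^n = \Bigl(1 - \frac{\lambda}{n}\Bigr)^n \approx e^{-\lambda} \qquad (n \gg 1),$$

so the expected fraction of vulnerable hosts reached is

$$C(\lambda) = 1 - e^{-\lambda}.$$

With the mail's numbers, 100 packets each with a 1% chance of a hit, $\lambda = 100 \times 0.01 = 1$ and

$$C(1) = 1 - e^{-1} \approx 0.632,$$

the "about 60%" stated above. Coverage saturates rather than growing linearly: repeat hits on already-infected hosts are wasted, so $C(2) \approx 0.865$, $C(3) \approx 0.950$, and the unreached fraction only falls below 1% once $\lambda \ge \ln 100 \approx 4.6$. For an incident responder, the useful reading is the inverse one: observing on the order of one probe per address in the scanned space implies roughly two thirds of the vulnerable population has already been reached, and about 4.6 probes per address implies nearly all of it.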

