lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20030201160340.GR6545@phobos.fs.tum.de>
From: Simon.Richter at hogyros.de (Simon Richter)
Subject: interesting?

Hi,

> > So what we have witnessed is the structured approach. The question
> > remains whether the worm author is a maths wizard or just plain lucky.

> Using a random distribution is the best no-brainer way to make sure
> having 500 worms will produce a 500 times wider coverage.

No, with a truly random pattern they will step on each other's toes.

> PS:what you're describing looks like a pseudo random generator ... doesn't 
> look like a structured approach.

It may very well be one, or just luck. Point is, you can optimize PRNGs
in a specific direction, like number of cycles contained, or you can add
external elements like the time and make a function that's not bijective
(which is necessary for a worm) etc. A worm is more effective if less
bits depend on the time and more on the host we're on, as this
distributes the attack better. On the other hand, if all bits depend on
the current host, you have a PRNG with only one cycle that gets broken
by the first host not running SQL Server. You need to find a good
balance, respecting the percentage and distribution of hosts running
vulnerable software and of course the fact that the system clock
proceeds very slow and thus you can use only a few bits of it (but
basically, these bits together with maybe, a counter, make up the
redundancy you need to infect an entire network even if some hosts are
not vulnerable).

> Do you have a link to that generator description?

It was posted a few days ago on this list. Archive link is

http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030201/9df47a12/attachment.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ