RE: CRv2 - Questions

From: The Death (thedeadhat_private)
Date: Sat Jul 21 2001 - 18:38:23 PDT


    From the basic study of CRv1's PRNG (which I am now conducting), I can see
    that due to the seeding method used, only 2 seeds are unique (other seeds
    are only next-states of one of the two unique seeds) - seeds 1 and 3
    (50F0668Dh and F2D133A7h). The period of the PRNG is 2147483648 (80000000h).
    Therefore, the total number of outputs using this PRNG is 4294967296. That
    is, CRv1 tried to infect no more than 4294967296 different IPs (this number
    has to be decreased by the number of outputs discarded by the worm).
    
    I've read Stuart Sandiford's modeling. Tomorrow I will look for congruences
    (and the lack of them) in the infected hosts list and the PRNG's output - I
    will try to find out how many IPs infected were not supposed to be attacked
    (due to the PRNG's limitations). Of course, I assume that this check will
    only support Stuart's model (though a big mystery will arise if most of the
    IPs on the list are a part of the output of the PRNG...). Also, I am not
    familiar with the statistics, but my guess is that when trying to infect a
    random IP, the chances of infecting it are much lower than 1 to 14658
    (4294967296 / 293000, where 293000 is Vern Paxson's assessment from the 20th,
    at 1:30 GMT).
    
    The only question I now have is how come CRv2 was caught so late, if it was
    released on the 18th.
    
    Regards,
    	The Death
    
    -----Original Message-----
    From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
    Sent: Sunday, July 22, 2001 1:43 AM
    To: incidentsat_private; bugtraqat_private
    Cc: The Death
    Subject: Re: CRv2 - Questions
    
    
    "The Death" <thedeadhat_private> wrote:
    
    > 1) Is it known if the CRv2 worm will function like CRv1, in the matter of
    > c:\noworm ? If so, then systems that were once infected (with the CRv1 worm)
    > will actually not go through step 7 (attacking www.whitehouse.gov)
    
    "CRv2" *is* identical to "CRv1" except in that it has an effective
    random network address generator and it does not intercept page
    serving and return "defaced" pages.  (And note that the defaced page
    serving, like everything else in this worm, is done entirely from
    running code.  I've seen many well-meaning descriptions of cleaning
    it up that end with something to the effect of "search for and
    replace any defaced web pages" -- well, that's a waste of time if the
    only thing that could have "defaced" your server was Code Red,
    because there are no defaced web page files.)
    
    > 2) Is the destination of attack used by the CRv2 worm known? Is it
    > still trying to attack the blocked IP as CRv1 ?
    
    "CRv2" is identical to "CRv1" except...
    
    It "attacks" the same IP in the same way at the same time for the
    same duration.
    
    > 3) What, do you think, caused the 'black hat' who made CRv1 to release CRv2?
    
    Do you know it was the same person?  Perhaps you should be talking to
    the authorities...
    
    > It isn't too smart to send CRv1 to "check the ground", as CRv1 brought a lot
    > of awareness to the bug exploited, therefore CRv2 will have many fewer hosts
    > to exploit. Might it be that the 'black-hat' was not aware of the short
    > period of the PRNG he designed?
    
    The evidence is that "CRv1" did *not* significantly reduce the
    potential host-base for this exploit.  It was CRv2 that "took off" on
    (US) Thursday.  If you think about the way CRv1 works, with every
    instance trying to hit the same sequence of machines, CRv1 *must*
    spread slowly because the first machine hit will "lead the pack" with
    all its offspring simply following in its footsteps.  Unless one of
    its early hits is a much more powerful machine or has much more
    bandwidth to exploit, the first victim will lead the way and the
    others will just keep following.  If that initial victim is stopped
    for whatever reason ("unexplainable" performance degradation causing
    a frustrated (and largely clueless) admin to reboot it being the most
    likely cause), the instance most closely at that first victim's heels
    will take over the lead, with a growing pack following it.  It was
    this observation and the sudden explosive growth of Code Red on
    Thursday that tipped various people off that something new was
    happening.  You should check Stuart Sandiford's modelling of various
    Code Red attack reports (posted to incidents.org and the incidents
    list on Friday) to get more of an idea of these issues.
    
    
    --
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
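The seed analysis in The Death's message above (unique seeds, period, total outputs), as an added worked example that is not code from this thread: a toy LCG whose modulus, multiplier and increment are assumptions chosen so that its state space splits into two cycles, mirroring the structure described for CRv1 (two unique seeds, each with period 2^31); it is not Code Red's generator, whose parameters the thread does not give.

```python
"""Orbit analysis of a small LCG: which seeds yield distinct output streams.

Constructed toy generator, NOT Code Red's (the thread gives no parameters).
With modulus 2^16, A % 4 == 1 and C % 4 == 2 the transition preserves the
parity of the state, so the 2^16 states split into exactly two cycles of
length 2^15: the shape the thread describes for CRv1 (period 2^31, two
unique seeds, 2^32 outputs in total).
"""
from typing import Dict, List, Tuple

MOD = 1 << 16
A = 69069   # multiplier, A % 4 == 1: full period on each parity class
C = 12346   # even increment, C % 4 == 2: parity of the state is preserved


def step(x: int) -> int:
    """One transition x -> (A*x + C) mod 2^16."""
    return (A * x + C) % MOD


def orbit(seed: int) -> Tuple[int, int]:
    """Return (canonical representative, cycle length) of the seed's cycle.

    A is odd, so the map is a bijection on Z/2^16: every state lies on a
    cycle, and walking until we return to the seed enumerates it. The
    smallest state on the cycle names the cycle.
    """
    x, smallest, length = step(seed), seed, 1
    while x != seed:
        smallest = min(smallest, x)
        x = step(x)
        length += 1
    return smallest, length


def classify_seeds(seeds: List[int]) -> Dict[int, List[int]]:
    """Group seeds whose streams are the same sequence up to a phase shift."""
    groups: Dict[int, List[int]] = {}
    for s in seeds:
        groups.setdefault(orbit(s)[0], []).append(s)
    return groups


def total_outputs(seeds: List[int]) -> int:
    """Number of distinct states reachable from any of the given seeds."""
    return sum(orbit(rep)[1] for rep in classify_seeds(seeds))


if __name__ == "__main__":
    for rep, members in classify_seeds([1, 2, 3, 4, 5]).items():
        print(f"cycle {rep:#06x}: period {orbit(rep)[1]}, seeds {members}")
```

Seeds 1, 3 and 5 land on the odd cycle and 2 and 4 on the even one, so five seeds give only two distinct streams of 32768 states each, 65536 outputs in total.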
    



    This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 13:48:03 PDT