* The Death wrote on Sun, Jul 22, 2001 at 03:38 +0200: > >From the basic study of CRv1's PRNG (which i am now conducting), I can see > that due to the seeding method used, only 2 seeds are unique (other seeds > are only nexts-states of one of the two unique seeds) - seeds 1 and 3 > (50F0668Dh and F2D133A7h). The period of the PRNG is 2147483648 (80000000h). > Therefore, the total number of outputs using this PRNG, is 4294967296. That > is, CRv1 tried to infect no more than 4294967296 different IPs (this number > has to be decreased by the number of outputs discarded by the worm). IPv4 has 32 bit address space, and 2^32 == 4294967296. So there are no more than 2^32 IPs and no need to have a PRNG to output more - but the order of this 2^32 numbers plays a role. AFAIK the first version produced the same order. This is not a PRNG but a chain generator with the same output on every infected host. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 06:48:38 PDT