Re: CRv2 - Questions

From: Steffen Dettmer (steffenat_private)
Date: Mon Jul 23 2001 - 02:39:47 PDT


    * The Death wrote on Sun, Jul 22, 2001 at 03:38 +0200:
    > From the basic study of CRv1's PRNG (which I am now conducting), I can see
    > that due to the seeding method used, only 2 seeds are unique (other seeds
    > are only next states of one of the two unique seeds) - seeds 1 and 3
    > (50F0668Dh and F2D133A7h). The period of the PRNG is 2147483648 (80000000h).
    > Therefore, the total number of outputs using this PRNG is 4294967296. That
    > is, CRv1 tried to infect no more than 4294967296 different IPs (this number
    > has to be decreased by the number of outputs discarded by the worm).
    
    IPv4 has a 32-bit address space, and 2^32 == 4294967296. So there
    are no more than 2^32 IPs and no need to have a PRNG to output
    more - but the order of these 2^32 numbers plays a role. AFAIK the
    first version produced the same order. This is not a PRNG but a
    chain generator with the same output on every infected host.
    
    oki,
    
    Steffen
    
    -- 
    This letter was generated automatically,
    it therefore bears neither signature nor seal.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
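
The cycle argument in this thread, as an added example (not code from either poster, and not the worm's generator): a toy 16-bit generator whose period is half its state space, so only two seeds are unique and together they cover every value exactly once. The constants `A` and `C`, the 16-bit width, and all function names are assumptions chosen for illustration.

```python
# Toy stand-in for the generator discussed in the thread. The constants are
# constructed for illustration and are NOT Code Red's real PRNG.
BITS = 16
MOD = 1 << BITS
A, C = 5, 2   # A % 4 == 1 and C % 4 == 2 gives two cycles of MOD/2 states each

def step(x):
    """Advance the generator by one state."""
    return (A * x + C) % MOD

def cycle_of(seed):
    """Return every state reachable from seed (A is odd, so this is a cycle)."""
    seen, x = set(), seed
    while x not in seen:
        seen.add(x)
        x = step(x)
    return seen

def unique_seeds(seeds):
    """Collapse seeds to one representative per cycle.

    A seed that is only a later state of an earlier seed adds no new
    outputs, so it is not counted as unique.
    """
    reps, covered = [], set()
    for s in seeds:
        if s not in covered:
            reps.append(s)
            covered |= cycle_of(s)
    return reps, len(covered)

def stream(seed, n):
    """First n outputs produced from a given seed."""
    out, x = [], seed
    for _ in range(n):
        x = step(x)
        out.append(x)
    return out

if __name__ == "__main__":
    later = step(step(1))                    # a "next state" of seed 1
    seeds = [1, 2, later, 40000, 12345]      # constructed sample seeds
    reps, total = unique_seeds(seeds)
    print("unique seeds:", reps)
    print("period per unique seed:", len(cycle_of(reps[0])))
    print("total distinct outputs:", total, "of", MOD)
    # A host seeded with a later state walks the same chain, shifted.
    print("same chain, shifted:", stream(1, 10)[2:] == stream(later, 8))
```

For incident analysis, the practical consequence is that a statically seeded generator yields one fixed, replayable ordering, so the sequence observed from one infected host predicts the sequence from every other.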
    



    This archive was generated by hypermail 2b30 : Mon Jul 23 2001 - 06:48:38 PDT