RE: CRv2 multiple scans from same source IP

From: Tim Hollebeek (thollebeekat_private)
Date: Mon Aug 06 2001 - 13:19:47 PDT


    > > NOW: CodeRedII (this name is easily mistaken with CRv2, so 
    > I would suppose 
    > > another name: I started calling it ida_root since my first 
    > analysis on 5th 
    > > Aug, 7:34 GMT)
    > > this worm always only infects one host _once_. It checks for 
    > double infection.
    > > It could generate the same IP address again in its PRNG 
    > but the chance 
    > > of this happening is near 0.
    > 
    > You would think it should be near 0, but unless I'm mistaken 
    > this should be CR II, correct?
    
    Why should it be near zero?
    
    CRII spends half its time attacking its own subnet: < 65535 IPs.
    After only 256 attacks, any infected host has likely already hit
    one machine twice (birthday paradox).  And a typical attacker has 
    hundreds of threads running ...
    
    From my logs:
    
    (the first line means one machine has attacked me 88 times, a second
    25 times, a third 19 times, two distinct machines have made 18 attacks,
    and another two have made 16, ... the duplication rate is quite high
    for those of us in "densely vulnerable" subnets)
    
    number of attacks   number of ips
    88                  1 X

    25                  1 X

    19                  1 X
    18                  2 XX
    17                  0
    16                  2 XX
    15                  0
    14                  1 X
    13                  1 X
    12                  6 XXXXXX
    11                  0
    10                  4 XXXX
     9                  3 XXX
     8                  2 XX
     7                  1 X
     6                  4 XXXX
     5                  6 XXXXXX
     4                  8 XXXXXXXX
     3                  9 XXXXXXXXX
     2                  7 XXXXXXX
     1                  8 XXXXXXXX
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
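The birthday-paradox argument and the "number of attacks / number of ips" table above can both be checked with a short script. The following is an added example, not code from the message or from any CodeRed analysis: it computes the probability that a host drawing random targets from a /16 (65536 addresses) repeats one, finds the draw count at which a repeat becomes more likely than not, and builds the same per-source histogram from web-server log lines. The log lines are constructed for this example, and their field layout (date, time, client IP, method, path, query, status) is an assumption rather than any particular IIS log format.

```python
"""Added example (not part of the original message): birthday-bound
arithmetic for a /16 address pool plus the attacks-per-source histogram
the message shows, computed from constructed log lines."""
from collections import Counter
from math import exp, log


def birthday_collision_probability(n: int, pool: int = 65536) -> float:
    """P(at least one address drawn twice) when n targets are drawn
    uniformly, with replacement, from `pool` addresses.

    Uses the exact product  prod_{i<n} (1 - i/pool)  for "no repeat",
    summed in log space so large n does not underflow."""
    if n > pool:
        return 1.0  # pigeonhole: more draws than addresses
    log_no_repeat = sum(log(1.0 - i / pool) for i in range(n))
    return 1.0 - exp(log_no_repeat)


def draws_for_even_odds(pool: int = 65536) -> int:
    """Smallest number of draws at which a repeat is at least 50% likely.
    Runs the same product incrementally, one factor per added draw."""
    log_no_repeat = 0.0
    n = 0
    while 1.0 - exp(log_no_repeat) < 0.5:
        log_no_repeat += log(1.0 - n / pool)
        n += 1
    return n


# Constructed sample log (assumed layout: date time client-ip method path query status).
# Only the /default.ida requests are CodeRed probes; the last line is a normal hit.
SAMPLE_LOG = """\
2001-08-05 07:34:01 10.0.3.7 GET /default.ida XXXXXXXX 200
2001-08-05 07:34:09 10.0.3.7 GET /default.ida XXXXXXXX 200
2001-08-05 07:35:12 10.0.9.44 GET /default.ida XXXXXXXX 200
2001-08-05 07:36:30 10.0.3.7 GET /default.ida XXXXXXXX 200
2001-08-05 07:40:02 10.0.12.1 GET /default.ida XXXXXXXX 200
2001-08-05 07:41:15 10.0.9.44 GET /default.ida XXXXXXXX 200
2001-08-05 07:42:00 10.0.9.44 GET /default.ida XXXXXXXX 200
2001-08-05 07:50:22 10.0.77.5 GET /default.ida XXXXXXXX 200
2001-08-05 07:51:00 10.0.77.5 GET /index.html - 200
"""


def attacks_per_source(log_text: str) -> dict:
    """Map client IP -> number of /default.ida probes it sent."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[4] != "/default.ida":
            continue
        counts[fields[2]] += 1
    return dict(counts)


def attack_histogram(per_source: dict) -> dict:
    """Map 'number of attacks' -> 'number of ips' that sent exactly that many,
    i.e. the two columns of the table in the message."""
    return dict(Counter(per_source.values()))


def render_histogram(hist: dict) -> str:
    """Text rendering in the message's style, highest attack count first."""
    lines = ["number of attacks   number of ips"]
    for attacks in sorted(hist, reverse=True):
        ips = hist[attacks]
        lines.append(f"{attacks:>2}                  {ips} {'X' * ips}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(f"P(repeat after 256 draws from a /16) = "
          f"{birthday_collision_probability(256):.3f}")
    print(f"draws for even odds of a repeat      = {draws_for_even_odds()}")
    print(render_histogram(attack_histogram(attacks_per_source(SAMPLE_LOG))))
```

With these numbers a repeat is about 39% likely after 256 draws and becomes more likely than not at roughly 300 draws, so a single infected host with many scanning threads on the same /16 will hit the same target again very quickly, which is what the per-source counts in the table reflect. The same `attacks_per_source` step is what you would run over a real access log to reproduce the table for your own subnet.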
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 14:25:15 PDT