On Sat, 1 Feb 2003 15:03:50 +0100, Simon Marechal wrote:
>> Actually, that was what the worm author did. The algorithm generates new
>> numbers from the current (i.e. it has some sort of knowledge what hosts
>> have already been infected) plus a not-really-predictable component
>> (system time, IIRC) plus some sort of counter because the system clock
>> is so slow.
>>
>> So what we have witnessed is the structured approach. The question
>> remains whether the worm author is a maths wizard or just plain lucky.

The pRNG is seeded from GetTickCount. There's no knowledge of previously infected hosts.

>Using a random distribution is easier to code than another kind. Plus,
>if you use a hierarchical way, you'd better be a REALLY good math whiz
>to make sure 2 worms won't cover the same ip-range.

Maybe it's a little easier but, in a TCP based worm at least, it doesn't require a lot of thought or math to implement.

The first worm aims to infect the entire range. When it knows it's going to infect another host it delegates half of its range (in the form of an upper and lower limit) to the new worm, whose aim then becomes to infect its half of the internet. As each instance of the worm infects more hosts they halve their range more and more.

For a little resilience, in case some infections are 'killed off', each worm might delegate a particular address range 4 or 5 different times.

The same kind of strategy could be applied to connectionless scanning, you just need a little knowledge of how likely each sent out packet is to infect a host. Say there's a 1% chance per packet, even if you're not good at maths you're going to send out at least 100 packets, in which case you'll infect on average 60% of the internet. If you have enough maths knowledge to code a worm in assembly language, you'll likely do better.

Judging by the mistakes the Sapphire worm author made in its pRNG this strategy might have been easier.

- Blazde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
