From: Roland Postle (mail_at_blazde.co.uk)
Date: Sun Jan 26 2003 - 20:38:22 CST


    On Sun, 26 Jan 2003 13:50:40 -0500, Karl A. Krueger wrote:

    >Pardon my delurk, but this is very strange worm behavior. We are seeing
    >100 SQL Worms per second from a single IP address on Telstra. This is
    >about 10k times the level of activity we are seeing from any other
    >address.
    >
    >Anyone here either know anyone at Telstra who can shut this off, or
    >perhaps at least some explanation of why this worm instance would set
    >aside its usual randomish behavior and flood us like this?

    The worm's pseudo random number generator works by taking the dword
    representation of the last host it attacked, multiplying it by 214013
    and adding a fixed constant which is the address of GetProcAddress on
    the host machine. (The RNG is seeded using GetTickCount, which returns
    the number of milliseconds of uptime). The math is modulo 2^32 because
    it's done in 32-bit registers.

    In this case, the worm hit an address on the subnet 128.128./16 and got
    'stuck' on it. Any address on the subnet will take the form xxxx8080h
    when represented as a dword. Multiplying it by 214013 as the pRNG does
    always gives a dword of the form xxxx7E80h. So it only takes a
    GetProcAddress of the form xxxx0200h and the worm has set itself up to
    target another host on the same subnet.

    I don't know enough math to explain the significance of this particular
    cycle, but I suspect there are other, more subtle cycles. Perhaps there
    are also addresses which will usually be missed entirely or certain
    address types that the pRNG will 'gravitate' towards.

    - Blazde

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
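The trapped cycle Blazde describes, as an added example that is not part of the original mail: a C simulation of the generator as the post states it (last target times 214013 plus a host-specific constant, in 32-bit registers). The GetProcAddress value is a constructed placeholder with low word 0200h; the byte order of the target dword is assumed to be the x86 little-endian reading of the address bytes.

```c
/* Added example: Slammer-style target generator, x' = x*214013 + C mod 2^32,
 * where C is the address of GetProcAddress on the infected host (per the post). */
#include <stdint.h>
#include <stdio.h>

#define SLAMMER_MULT 214013u

/* Constructed placeholder for the host's GetProcAddress address (assumed value;
 * only its low word, 0200h, matters for the cycle the post describes). */
#define ASSUMED_GETPROCADDRESS 0x12340200u

/* Next target: uint32_t arithmetic wraps exactly like a 32-bit register. */
uint32_t slammer_next(uint32_t last_target, uint32_t add_const) {
    return last_target * SLAMMER_MULT + add_const;
}

/* Address a.b.c.d as stored in memory and read as a little-endian x86 dword:
 * the first two octets land in the low 16 bits, so 128.128.x.y -> yyxx8080h. */
uint32_t ip_as_dword(uint8_t a, uint8_t b, uint8_t c, uint8_t d) {
    return (uint32_t)a | ((uint32_t)b << 8) | ((uint32_t)c << 16) | ((uint32_t)d << 24);
}

/* Low 16 bits of a product depend only on the low 16 bits of the factors,
 * which is why every 128.128/16 address behaves the same way. */
uint16_t low_word_after_multiply(uint32_t dword_addr) {
    return (uint16_t)((dword_addr * SLAMMER_MULT) & 0xFFFFu);
}

int in_128_128_slash16(uint32_t dword_addr) {
    return (dword_addr & 0xFFFFu) == 0x8080u;
}

/* Run the generator 'steps' times from 'start' and count how many generated
 * targets fall inside 128.128/16. */
unsigned count_targets_in_subnet(uint32_t start, uint32_t add_const, unsigned steps) {
    unsigned hits = 0;
    uint32_t x = start;
    for (unsigned i = 0; i < steps; i++) {
        x = slammer_next(x, add_const);
        if (in_128_128_slash16(x)) hits++;
    }
    return hits;
}

int main(void) {
    uint32_t start = ip_as_dword(128, 128, 10, 20);
    printf("low word after multiply: %04xh\n", low_word_after_multiply(start));
    printf("constant %08xh: %u of 65536 targets in 128.128/16\n", ASSUMED_GETPROCADDRESS,
           count_targets_in_subnet(start, ASSUMED_GETPROCADDRESS, 65536));
    printf("constant %08xh: %u of 65536 targets in 128.128/16\n", ASSUMED_GETPROCADDRESS + 1,
           count_targets_in_subnet(start, ASSUMED_GETPROCADDRESS + 1, 65536));
    return 0;
}
```

With a 0200h low word every generated target stays in the /16, which is the flood Karl observed from one source; with the low word off by one the same start address yields a single hit in 65536 steps.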