Full Disclosure mailing list archives

Re: 100 Worms per Second, Courtesy of Telstra


From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Sun, 26 Jan 2003 15:21:44 -0600

> Pardon my delurk, but this is very strange worm behavior.  We are seeing
> 100 SQL Worms per second from a single IP address on Telstra.  This is
> about 10k times the level of activity we are seeing from any other
> address.

That is certainly odd.

> Anyone here either know anyone at Telstra who can shut this off, or
> perhaps at least some explanation of why this worm instance would set
> aside its usual randomish behavior and flood us like this?

There seems to be a major weakness in the scanning pattern of this worm that
makes it flood some addresses far more extensively than others.  Considering
that the entire 'random' generator is just a trivial bit shift of the system
timer, it can't be expected to be really 'random' at all.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
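
An added illustration, not part of the original message and not the worm's code, of how a weak address generator seeded from a timer can cover the address space as unevenly as the thread describes. It walks every cycle of a linear congruential generator and shows that one poorly chosen increment makes the number of distinct targets depend on the seed. Assumptions: the generator form, the multiplier, both increments and the 16-bit state width are constructed for this example.

```python
from collections import Counter

BITS = 16                 # reduced state width so the whole state space can be walked quickly
MASK = (1 << BITS) - 1
MULT = 214013             # assumed multiplier (congruent to 1 mod 4); not taken from the message
GOOD_INC = 2531011        # assumed odd increment: every seed walks the whole space
WEAK_INC = 4              # assumed increment divisible by 4: space splits into uneven cycles


def step(x, inc):
    """One update of the generator: x -> MULT * x + inc (mod 2**BITS)."""
    return (x * MULT + inc) & MASK


def cycle_length(seed, inc):
    """Number of distinct values produced before the sequence returns to the seed."""
    x, n = step(seed, inc), 1
    while x != seed:      # terminates: with an odd multiplier the map is a permutation
        x, n = step(x, inc), n + 1
    return n


def cycle_histogram(inc):
    """Map cycle length -> number of cycles, taken over every possible seed."""
    seen = bytearray(MASK + 1)
    hist = Counter()
    for seed in range(MASK + 1):
        if seen[seed]:
            continue
        x, n = seed, 0
        while not seen[x]:
            seen[x] = 1
            x, n = step(x, inc), n + 1
        hist[n] += 1
    return hist


if __name__ == "__main__":
    for name, inc in (("odd increment", GOOD_INC), ("weak increment", WEAK_INC)):
        print(name, sorted(cycle_histogram(inc).items()))
    for seed in (0, 1):   # stand-ins for two different timer readings
        print("seed", seed, "reaches", cycle_length(seed, WEAK_INC), "distinct values")
```

Run directly, it prints the cycle structure for both increments; with the weak one, the two sample seeds reach 16384 and 64 distinct values respectively, so an instance that starts on a short cycle keeps sending to the same small set of addresses.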

