Full Disclosure mailing list archives
Re: Sasser skips 10.x.x.x Why?
From: Frank Knobbe <frank () knobbe us>
Date: Mon, 03 May 2004 16:59:31 -0500
On Mon, 2004-05-03 at 14:44, Eric Chien wrote:
Actually, it is all variants (.A - .D). And more specifically, it iterates through all the host IP addresses looking for an address that does not match: 127.0.0.1 10. 172.16 - 172.31 (inclusive) 192.168. 169.254 Then, using this address it creates a random address (sometimes changing all octets, sometimes just the last three, and sometimes just the last two).
Word has it that this is not true. While the code for the address check is there, it doesn't appear to work on some Sasser variants. There are reports of infected 10/8 and 192.168/16 networks. Regards, Frank
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- New LSASS-based worm finally here (Sasser) Ben Ryan (May 01)
- Re: New LSASS-based worm finally here (Sasser) Lee (May 01)
- Re: New LSASS-based worm finally here (Sasser) Javier Fernandez-Sanguino (May 03)
- Sasser skips 10.x.x.x Why? Shawn Cox (May 03)
- Re: Sasser skips 10.x.x.x Why? Thomas Springer (May 03)
- Unpacking Sasser youssef ALAOUI (May 03)
- RE: Sasser skips 10.x.x.x Why? Warnich Rust (May 03)
- Re: Sasser skips 10.x.x.x Why? Matt Wagenknecht (May 03)
- Re: Sasser skips 10.x.x.x Why? Shawn Cox (May 03)
- Re: Sasser skips 10.x.x.x Why? Eric Chien (May 03)
- Re: Sasser skips 10.x.x.x Why? Frank Knobbe (May 03)
- Re: Sasser skips 10.x.x.x Why? Eric Chien (May 03)
- Sasser skips 10.x.x.x Why? Shawn Cox (May 03)
- Re: Sasser skips 10.x.x.x Why? Rodrigo Barbosa (May 03)
- Re: Sasser skips 10.x.x.x Why? Joe Stewart (May 03)
- Re: Re: New LSASS-based worm finally here (Sasser) Javier Fernandez-Sanguino (May 04)
- Re: Re: New LSASS-based worm finally here (Sasser) insecure (May 04)
- <Possible follow-ups>
- RE: New LSASS-based worm finally here (Sasser) Marc Maiffret (May 04)
- Re: New LSASS-based worm finally here (Sasser) Gadi Evron (May 04)