Re: Sasser skips 10.x.x.x Why?

[Eric Chien <ecchien () yahoo com>]

--- Frank Knobbe <frank () knobbe us> wrote:
> On Mon, 2004-05-03 at 14:44, Eric Chien wrote:
> > Actually, it is all variants (.A - .D).  And more
> > specifically, it iterates through all the host IP
> > addresses looking for an address that does not
> match:
> > 127.0.0.1
> > 10.
> > 172.16 - 172.31 (inclusive)
> > 192.168.
> > 169.254
> >
> > Then, using this address it creates a random
> address
> > (sometimes changing all octets, sometimes just the
> > last three, and sometimes just the last two).
>
> Word has it that this is not true. While the code
> for the address check
> is there, it doesn't appear to work on some Sasser
> variants. There are
> reports of infected 10/8 and 192.168/16 networks. 

As stated above, the IP exclusions are applied to the
_host IP_ which is used as a base to randomly generate
a victim IP.  The victim IP can be a 10/8, 192.168/16,
etc. for example, in the case when all octets are
randomly generated.

When all of the _host_ IPs match the exclusion range,
127.0.0.1 is used as the base IP to randomly generate
the victim IP.

...Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html