Full Disclosure mailing list archives
Re: Sasser skips 10.x.x.x Why?
From: Eric Chien <ecchien () yahoo com>
Date: Mon, 3 May 2004 15:16:49 -0700 (PDT)
--- Frank Knobbe <frank () knobbe us> wrote:
> On Mon, 2004-05-03 at 14:44, Eric Chien wrote:
> > Actually, it is all variants (.A - .D). And more specifically, it iterates through all the host IP addresses looking for an address that does not match:
> >
> > 127.0.0.1
> > 10.
> > 172.16 - 172.31 (inclusive)
> > 192.168.
> > 169.254
> >
> > Then, using this address it creates a random address (sometimes changing all octets, sometimes just the last three, and sometimes just the last two).
>
> Word has it that this is not true. While the code for the address check is there, it doesn't appear to work on some Sasser variants. There are reports of infected 10/8 and 192.168/16 networks.

As stated above, the IP exclusions are applied to the _host IP_ which is used as a base to randomly generate a victim IP. The victim IP can be a 10/8, 192.168/16, etc., for example in the case when all octets are randomly generated. When all of the _host_ IPs match the exclusion range, 127.0.0.1 is used as the base IP to randomly generate the victim IP.

...Eric

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
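Added example, not part of the original message and not derived from the worm's code: a Python model of the base-address selection described above, showing which randomisation modes could explain a probe to a given destination seen by a sensor. The function names, the "first non-excluded address wins" ordering and the sample addresses are assumptions.

```python
import ipaddress

# Exclusion list from the message; it is applied to the HOST's own addresses.
# "172.16 - 172.31 (inclusive)" is 172.16.0.0/12.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "127.0.0.1/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

# The three randomisation modes from the message, as the prefix length of
# the base address that stays fixed in each mode.
MODES = (("all octets", 0), ("last three octets", 8), ("last two octets", 16))


def pick_base(host_ips):
    """Return the base address: a host IP outside EXCLUDED, else 127.0.0.1.

    Assumption: the first non-excluded address in list order is used.
    """
    for ip in host_ips:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in EXCLUDED):
            return addr
    return ipaddress.ip_address("127.0.0.1")


def scan_scopes(host_ips):
    """Map each mode to the destination network it can produce."""
    base = pick_base(host_ips)
    return {name: ipaddress.ip_network(f"{base}/{plen}", strict=False)
            for name, plen in MODES}


def modes_reaching(host_ips, dst):
    """List the modes under which an infected host could probe dst."""
    dst = ipaddress.ip_address(dst)
    return [name for name, net in scan_scopes(host_ips).items() if dst in net]


if __name__ == "__main__":
    # Constructed sample hosts (addresses are illustrative only).
    for ips in (["10.1.2.3"], ["192.168.1.5", "203.0.113.7"]):
        print(ips, "base:", pick_base(ips))
        for dst in ("10.5.5.5", "192.168.1.9", "203.0.50.1"):
            print("   ", dst, "<-", modes_reaching(ips, dst))
```

A host with only private addresses falls back to the 127.0.0.1 base, so its probes into 10/8 or 192.168/16 can only come from the all-octets mode, which is consistent with the reports of infected private networks.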