Security Incidents mailing list archives
RE: CRv2 - Questions
From: "The Death" <thedeadh () netvision net il>
Date: Tue, 24 Jul 2001 23:07:24 +0200
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
I thought the worm skipped 127.x.x.x and 224.x.x.x addresses? (From eEye's analysis)
It does, very simple: The PRNG output is checked before the worm attempts to connect to the IP generated. It just discards IPs with the 4th byte of 127 or 224. The Death -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com> iQA/AwUBO13hse6B0r4ZZEp/EQKq2gCgv8w4Mf7fgl7VwPAABieiQJtId3UAoLSI hdLCPoO7PfsdUu+pG9not0hG =bc3y -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- CRv2 - Questions The Death (Jul 21)
- Re: CRv2 - Questions Nick FitzGerald (Jul 22)
- RE: CRv2 - Questions The Death (Jul 22)
- Re: CRv2 - Questions Steffen Dettmer (Jul 23)
- RE: CRv2 - Questions The Death (Jul 23)
- RE: CRv2 - Questions Jose Nazario (Jul 23)
- Re: CRv2 - Questions Ronald Tse (Jul 24)
- RE: CRv2 - Questions The Death (Jul 24)
- RE: CRv2 - Questions The Death (Jul 22)
- Re: CRv2 - Questions Nick FitzGerald (Jul 22)