Re: interesting?

[Simon Richter <Simon.Richter () hogyros de>]

Hi,

> > So what we have witnessed is the structured approach. The question
> > remains whether the worm author is a maths wizard or just plain lucky.

> Using a random distribution is the best no-brainer way to make sure
> having 500 worms will produce a 500 times wider coverage.

No, with a truly random pattern they will step on each other's toes.

> PS:what you're describing looks like a pseudo random generator ... doesn't 
> look like a structured approach.

It may very well be one, or just luck. Point is, you can optimize PRNGs
in a specific direction, like number of cycles contained, or you can add
external elements like the time and make a function that's not bijective
(which is necessary for a worm) etc. A worm is more effective if less
bits depend on the time and more on the host we're on, as this
distributes the attack better. On the other hand, if all bits depend on
the current host, you have a PRNG with only one cycle that gets broken
by the first host not running SQL Server. You need to find a good
balance, respecting the percentage and distribution of hosts running
vulnerable software and of course the fact that the system clock
proceeds very slow and thus you can use only a few bits of it (but
basically, these bits together with maybe, a counter, make up the
redundancy you need to infect an entire network even if some hosts are
not vulnerable).

> Do you have a link to that generator description?

It was posted a few days ago on this list. Archive link is

http://lists.netsys.com/pipermail/full-disclosure/2003-January/003718.html

   Simon

-- 
GPG Fingerprint: 040E B5F7 84F1 4FBC CEAD  ADC6 18A0 CC8D 5706 A4B4

Attachment: _bin
Description: