Full Disclosure mailing list archives
Re: interesting?
From: Simon Marechal <pingouin () rhapsodyk net>
Date: Sat, 1 Feb 2003 20:19:35 +0100
On Sat, Feb 01, 2003 at 05:03:40PM +0100, Simon Richter wrote:
>> Using a random distribution is the best no-brainer way to make sure having
>> 500 worms will produce a 500 times wider coverage.
> No, with a truly random pattern they will step on each other's toes.

Of course. But with a truly random pattern, 1 worm _should_ step on its own toes one time or another. What I meant is that having 500 worms with a random target selector makes it feel like 1 worm that tries infecting other hosts 500 times faster.

>> PS: what you're describing looks like a pseudo random generator ... doesn't look like a structured approach.
> It may very well be one, or just luck. Point is, you can optimize PRNGs in a specific direction, like number of cycles contained, or you can add external elements like the time and make a function that's not bijective (which is necessary for a worm) etc. A worm is more effective if fewer bits depend on the time and more on the host we're on, as this distributes the attack better.

I don't find that obvious ... if hosts are close, time, if precise enough, might be a much better indicator. On Intel CPUs, there's a register that's increased for every cycle. If you let a good hash function process it to build a seed, you might have a really good seed generator. Even so, a good PRNG should behave very differently even with very close seeds.

> On the other hand, if all bits depend on the current host, you have a PRNG with only one cycle that gets broken by the first host not running SQL Server.

I don't understand that ...

> You need to find a good balance, respecting the percentage and distribution of hosts running vulnerable software and of course the fact that the system clock proceeds very slowly and thus you can use only a few bits of it (but basically, these bits together with maybe a counter make up the redundancy you need to infect an entire network even if some hosts are not vulnerable).

And this is very obscure to me too :) What do you mean? That there is a way to coordinate this job by using a source of entropy?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- interesting? batz (Jan 31)
- Re: interesting? Berend-Jan Wever (Feb 01)
- Re: interesting? Ka (Feb 01)
- Re: interesting? Simon Richter (Feb 01)
- Re: interesting? Simon Marechal (Feb 01)
- Re: interesting? Simon Richter (Feb 01)
- Re: interesting? Simon Marechal (Feb 01)
- Re: interesting? Roland Postle (Feb 01)
- Re: interesting? Geoincidents (Feb 01)
- Re: interesting? Simon Marechal (Feb 01)
- Re: interesting? Berend-Jan Wever (Feb 01)
- Re: interesting? batz (Feb 01)
- Re: interesting? Gregory Steuck (Feb 01)
- Re: interesting? batz (Feb 01)
- Re: interesting? Bruce Ediger (Feb 01)