Security Incidents mailing list archives
Re: Ramen worm scanner and multicast addresses
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 17 Jan 2001 20:54:32 -0500
slim bones <slim () io com> writes:
Ramen uses a binary called randb to generate class B nets to scan. I just made it generate 1000 of these, they appear to be reasonably scattered... however the first byte of the IP address was never less than 13 nor greater than 242. Between those, addresses are fairly evenly dispersed considering the small sample size. Of 1000 addresses about 60 were in the range you identify. From what I've seen the worm would not discriminate against multicast addresses.
For what it's worth, a disassembly of randb shows that the algorithm used to choose network addresses is equivalent to: (int)((rand()*230)/(MAXINT+1)) + 13 for the first byte and (int)((rand()*254)/(MAXINT+1)) + 1 for the second. In other words, just what you said; uniformly distributed in the first byte from 13 to 242 and uniform in the second byte from 1 to 255. Reading intel floating point assembly always makes me think of forth, or postscript...
PS a mirror of a defaced web page at jpl -- html matches what's in the ramen worm index.html... http://www.attrition.org/mirror/attrition/2001/01/15/uta7400.jpl.nasa.gov/
Shame on jpl, then. Anything running a website accessible to the outside world should have someone applying security patches regularly.
Current thread:
- Ramen worm scanner and multicast addresses Bill Owens (Jan 17)
- Re: Ramen worm scanner and multicast addresses slim bones (Jan 17)
- Re: Ramen worm scanner and multicast addresses Daniel Martin (Jan 17)
- Re: Ramen worm scanner and multicast addresses Bill Owens (Jan 17)
- Re: Ramen worm scanner and multicast addresses slim bones (Jan 17)