|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: management interface accessability (was Re: Worm / UDP1434)
On Sun, Jan 26, 2003 at 06:50:36PM +0000, Stephen J. Wilcox wrote: > My observation was that the target IPs are not random and that local IPs were > hit more often (same /16 more than /8 more than all /0) .. a la Codered. The worm calls gettickcount to get a pseudorandom seed, and always uses that seed to create random addresses. It's possible the random address generator isn't very good and creates addresses that are too similar. Check out http://www.eeye.com/html/Research/Flash/AL20030125.html - Chris -- [email protected] http://www.toth.org.uk/~strawberry
|