Security Incidents mailing list archives
Re: CRv2 - Questions
From: Steffen Dettmer <steffen () dett de>
Date: Mon, 23 Jul 2001 11:39:47 +0200
* The Death wrote on Sun, Jul 22, 2001 at 03:38 +0200:
> From the basic study of CRv1's PRNG (which I am now conducting), I can see that due to the seeding method used, only 2 seeds are unique (other seeds are only next-states of one of the two unique seeds) - seeds 1 and 3 (50F0668Dh and F2D133A7h). The period of the PRNG is 2147483648 (80000000h). Therefore, the total number of outputs using this PRNG is 4294967296. That is, CRv1 tried to infect no more than 4294967296 different IPs (this number has to be decreased by the number of outputs discarded by the worm).
IPv4 has a 32-bit address space, and 2^32 == 4294967296. So there are no more than 2^32 IPs and no need to have a PRNG to output more - but the order of these 2^32 numbers plays a role. AFAIK the first version produced the same order. This is not a PRNG but a chain generator with the same output on every infected host.

oki,

Steffen

--
This letter was generated by machine and therefore bears neither signature nor seal.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com