[Dshield] Port 16387

Joe Stewart jstewart at lurhq.com
Tue Mar 23 19:10:51 GMT 2004


On Tuesday 23 March 2004 11:32 am, Bill McCarty wrote:
> Witty's destination port appears random. But, I've noted that, across
> my Class C, the random value is fixed for a given destination IP. So,
> a single host could get Witty traffic from a variety of infected
> attackers, all targeting a single destination port. That resembles
> the situation reported by Mike.

Here's the way the worm determines the port. Note that I've left out the 
packet length calculation which is obtained in a similar pseudo-random 
manner:

PSEUDOCODE:

while (1) {
  x = GetTickCount
  for (c = 0; c < 20000; c++) {
    x = x * 214013 + 2531011
    y = x * 214013 + 2531011
    x = x >> 16
    ip = (y & 0xffff0000) + x
    y = y * 214013 + 2531011
    port = (y & 0xffff0000) >> 16
    sendto(ip, port)
  }
  do_bad_stuff_to_hd
}

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
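
The exchange above, as an added example that is not part of either post and is not the worm's own code: a Python model of the posted loop showing why a given destination IP pairs with an almost fixed destination port, usable to check whether an observed (IP, port) pair is consistent with this generator. It assumes 32-bit wraparound arithmetic and follows the pseudocode line by line; the function names and the sample tick counts are constructed for illustration.

```python
# Added example: a model of the pseudocode in the post above.
A, C, MASK = 214013, 2531011, 0xFFFFFFFF  # constants from the post; 32-bit wrap is assumed

def lcg(v):
    """One step of the linear congruential generator used in the loop."""
    return (v * A + C) & MASK

def targets(seed, count):
    """Yield (ip, port) pairs by following the posted loop literally."""
    x = seed & MASK                       # stands in for GetTickCount
    for _ in range(count):
        x = lcg(x)
        y = lcg(x)
        x >>= 16
        ip = (y & 0xFFFF0000) + x         # high half from y, low half from x
        y = lcg(y)
        yield ip, (y & 0xFFFF0000) >> 16

def candidate_ports(ip):
    """Return every destination port this model can pair with `ip`.

    The low 16 bits of ip are the top half of one LCG state and the high
    16 bits are the top half of the next state. Brute-forcing the 16
    unknown low bits of the first state leaves only the few states that
    reproduce both halves, and each of those fixes the port.
    """
    hi, lo = ip >> 16, ip & 0xFFFF
    ports = set()
    for low in range(1 << 16):
        s2 = lcg((lo << 16) | low)
        if s2 >> 16 == hi:
            ports.add(lcg(s2) >> 16)
    return ports

def consistent(ip, port):
    """True if an observed (ip, port) pair fits the generator model."""
    return port in candidate_ports(ip)

if __name__ == "__main__":
    for seed in (0x0001E240, 0x00ABCDEF):  # constructed tick counts
        for ip, port in targets(seed, 3):
            print(f"{ip:08x} port={port} candidates={sorted(candidate_ports(ip))}")
```

An empty candidate set means the address is never produced by this model, so traffic to it on any port does not fit the generator.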



