[Dshield] Worm targeting and random number generators

Kevin kkadow at gmail.com
Wed Aug 17 05:21:43 GMT 2005


On 8/16/05, Jeff Kell <jeff-kell at utc.edu> wrote:
> Kevin wrote:
> > On 8/15/05, womber <womber at gmail.com> wrote:
> >>How is this determining what IP ranges to scan?
> >>Just from what I have seen hitting my personal firewall on verizon
> >>dsl, is that most machines are verizon IP's, very few outside their
> >>range yet.
> >>I am wondering if the spread to different ranges is pretty slow due to
> >>the algorithm it is using?
> >
> > I have similar questions, and would like to see an analysis of the most
> > common variants, or just the random number generators in each.
> 
> Most scanners these days stick to the infected host's /16, or at least /8 range,
> in hopes of whacking internal networks once they get a foot in the door. 

That makes sense and matches up with the detailed analysis we've seen of
Welchia and other worms' random number generators.  But those did generate
a percentage of their targets as random IPs, since if the worm seldom (never)
tries any addresses out of his own parish, he won't be able to efficiently
spread across the Internet.

I've actually seen worms futilely targeting 169.254 because they picked up
that address from an unconfigured NIC :)


> The source IPs of ratware traffic I receive generally cluster around the target's
> /16 or /8, hardly a coincidence.
> 
> If they are random but not tuned, you'll get hits directed to bogon addresses (and/or sourced from them if spoofing), and if they try multicast (like Slammer did) they attract attention pretty quickly if you support multicast routing :-)

I'm thinking I need to arrange for the corp's WAN router team to allocate and
route the X.X.255.0/24 subnet (and X.X.0.0/24) from all of our active networks
back to the "bogon listener" to better detect selectively-scanning worms.

There is still superstition about using the high or the low end of a class-based
subnet for live hosts (hearkens to the tradition of 'subnet zero' and 'all ones'),
but IME most worms don't know that, and will gladly scan this space.

Kevin Kadow
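As an added illustration of the analysis discussed above (not code from the list or its authors), the script below takes "src dst" pairs as a firewall or bogon listener might log them and classifies each destination relative to its source: same /16, same /8, unrelated ("random"), or a link-local 169.254 source from an unconfigured NIC. It also counts hits on the X.X.0.0/24 and X.X.255.0/24 decoy subnets proposed in the post. The log lines are constructed for the example; the function names are my own.

```python
# Added example: measure how locally biased scanner traffic is, using the
# src/dst relationships and the .0/24 and .255/24 decoy subnets from the post.
import ipaddress
from collections import Counter

# Constructed sample log: one "src dst" pair per line, as a sensor might record.
SAMPLE_LOG = """\
10.20.33.7 10.20.255.13
10.20.33.7 10.20.255.200
10.20.33.7 10.77.0.9
10.20.33.7 198.51.100.4
169.254.12.5 10.20.0.44
10.9.8.1 10.9.255.2
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(src: str, dst: str) -> str:
    """Relate dst to src: link-local source, same /16, same /8, or random."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in LINK_LOCAL:
        return "linklocal-src"        # scanner picked up an unconfigured NIC's address
    if s.packed[:2] == d.packed[:2]:
        return "same/16"
    if s.packed[:1] == d.packed[:1]:
        return "same/8"
    return "random"


def in_decoy(dst: str) -> bool:
    """True if dst falls in X.X.0.0/24 or X.X.255.0/24 (the listener subnets)."""
    return ipaddress.ip_address(dst).packed[2] in (0, 255)


def summarize(log: str) -> dict:
    """Tally destination classes and decoy-subnet hits over a log of src/dst pairs."""
    classes, sources, decoy_hits = Counter(), Counter(), 0
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2:            # skip blank or malformed lines
            continue
        src, dst = parts
        classes[classify(src, dst)] += 1
        sources[src] += 1
        decoy_hits += in_decoy(dst)
    return {"classes": classes, "sources": sources, "decoy_hits": decoy_hits}


def local_bias(classes: Counter) -> float:
    """Share of non-link-local probes that stayed inside the source's /8."""
    local = classes["same/16"] + classes["same/8"]
    total = local + classes["random"]
    return local / total if total else 0.0


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["classes"], "decoy hits:", result["decoy_hits"])
    print("local bias: %.2f" % local_bias(result["classes"]))
```

A bias near 1.0 with most hits landing on the decoy /24s is the signature of the selectively scanning worms the post wants the listener to catch; uniformly random scanners show a bias near the fraction of the address space your /8 occupies.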


