26 Jan
2003
26 Jan
'03
1:06 p.m.
On Sun, Jan 26, 2003 at 06:50:36PM +0000, Stephen J. Wilcox wrote:
My observation was that the target IPs are not random and that local IPs were hit more often (same /16 more than /8 more than all /0) .. a la Codered.
The worm calls gettickcount to get a pseudorandom seed, and always uses that seed to create random addresses. It's possible the random address generator isn't very good and creates addresses that are too similar. Check out http://www.eeye.com/html/Research/Flash/AL20030125.html - Chris -- strawberry@toth.org.uk http://www.toth.org.uk/~strawberry