Code Red?

Author: Wayne Conrad
Date:  
Subject: Code Red?
On Sat, 11 August 2001, Craig White wrote:
> "John (EBo) David" wrote:
> >
> > Ok... what is the difference between CRv1/CRV2 and CRII?
> >
> ----
> CRv1 uses NNNNNN to overflow the input string
>
> CRv2 uses XXXXXX
>
> CRv2 has a bigger payload which includes root exploit and results in a
> compromised box even though it has been patched and rebooted.

Correct on the details but not on which names the details go with. It's understandable -- the names are a mess, partly because we have to give the things names before we understand their taxonomy.

CRv1 and CRv2 both use N's. The main difference is whether the pseudo-random number generator used to generate IPs uses a fixed seed. CRv1 uses a fixed seed, causing it to not grow terribly fast; CRv2 uses a non-fixed seed, causing it to grow pretty fast. I believe the payload of CRv1 or CRv2 is largely or entirely the same.

CRII uses X's. It strongly prefers to probe addresses in the same /16, and somewhat prefers to probe IPs in the same /8, and occasionally probes a purely random IP. This appears to be a very good strategy for spreading quickly. It also has a completely different payload than CRv1 and CRv2. That payload roots the box.
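An added example, not from the thread above: a small log-triage script that uses the two distinctions the message draws (an N-run versus an X-run in the overflow request, and CRII's preference for the local /16) to sort probes in a web-server access log by family and to count how many of the X-run probes came from inside the local /16. The log lines are constructed for this example, the request path `/default.htm` is a placeholder rather than the real exploit URL, and the 40-character run threshold is an assumption chosen to sit well above any legitimate query string.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed Common Log Format lines for this example (not real captured traffic).
# The long N/X runs mirror the message's description; the path is a placeholder.
N_RUN = "N" * 60
X_RUN = "X" * 60
SAMPLE_LOG = "\n".join([
    '10.1.5.20 - - [11/Aug/2001:10:01:02 -0700] "GET /index.html HTTP/1.0" 200 1024',
    f'10.1.7.33 - - [11/Aug/2001:10:01:05 -0700] "GET /default.htm?{N_RUN} HTTP/1.0" 404 0',
    f'10.1.9.41 - - [11/Aug/2001:10:01:09 -0700] "GET /default.htm?{X_RUN} HTTP/1.0" 404 0',
    f'10.1.2.8 - - [11/Aug/2001:10:01:12 -0700] "GET /default.htm?{X_RUN} HTTP/1.0" 404 0',
    f'10.200.3.4 - - [11/Aug/2001:10:01:15 -0700] "GET /default.htm?{X_RUN} HTTP/1.0" 404 0',
    '172.16.0.9 - - [11/Aug/2001:10:01:20 -0700] "GET /about.html?NNN HTTP/1.0" 200 512',
])

# Assumed threshold: a legitimate query string never carries 40 identical
# letters in a row, while the overflow strings are far longer than that.
MIN_RUN = 40

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

N_FAMILY = "CRv1/CRv2-style (N run)"
X_FAMILY = "CRII-style (X run)"


def classify_request(path):
    """Return the worm family suggested by the request path, or None if benign."""
    if re.search(r"N{%d,}" % MIN_RUN, path):
        return N_FAMILY
    if re.search(r"X{%d,}" % MIN_RUN, path):
        return X_FAMILY
    return None


def parse_probes(log_text):
    """Yield (source_ip, family) for every log line that looks like a probe."""
    probes = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        family = classify_request(match.group("path"))
        if family:
            probes.append((match.group("src"), family))
    return probes


def summarize(log_text, local_net):
    """Count probes per family, and count X-run probes from inside local_net.

    A high share of X-run probes from the local /16 is consistent with the
    /16-preferring scan strategy the message attributes to CRII.
    """
    local = ip_network(local_net)
    probes = parse_probes(log_text)
    by_family = Counter(family for _, family in probes)
    crii_local = sum(
        1 for src, family in probes
        if family == X_FAMILY and ip_address(src) in local
    )
    return by_family, crii_local


if __name__ == "__main__":
    families, local_hits = summarize(SAMPLE_LOG, "10.1.0.0/16")
    for family, count in families.items():
        print(f"{family}: {count}")
    print(f"X-run probes from the local /16: {local_hits}")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents and `"10.1.0.0/16"` with your own /16; the family labels are only a hint for triage, since the message itself notes how easily the variant names get mixed up.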