"Outwitting the Witty Worm -- Exploiting Pseudo-Random Number Generation for Internet-Scale Analysis"
Internet worms that scan the 32-bit IP address space rely on random numbers to choose their targets. The Witty worm, like many of its predecessors, used a Linear Congruential Pseudo-random Number Generator (LC PRNG). In this project, we reverse engineer the state of the LC PRNG from the information contained in the packet headers generated by worm-infected machines (infectees). We then exploit this knowledge to reconstruct the sequence of actions performed by the worm on each infectee. Our analysis allowed us to identify the IP address of the original machine used to launch the worm. Other information recovered by this analysis includes: 1) the access bandwidth of each infectee, 2) each infectee's system uptime (time since last reboot), 3) the number of physical drives on each infectee, 4) the number of infected machines behind a NAT box, 5) the exact list of packets sent by each infectee (before this work, only the packets actually received at the monitoring point were available), 6) the loss rate suffered by packets from each infectee, and 7) the infection graph (tree) of infector-infectee relationships.
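The core step, recovering the generator's hidden state from the truncated outputs that leak in packet headers, as an added worked example (illustration code written for this page, not the project's own tooling). It assumes the MSVC-style LCG x_{i+1} = (214013*x_i + 2531011) mod 2^32 and a simplified packet layout in which the high 16 bits of three consecutive outputs supply the destination address (two outputs) and the destination port (one output); the abstract states neither the constants nor the layout, so both are modelling assumptions. Given one observed packet, the script brute-forces the 16 unobserved low bits of the first output, checks each candidate against the other two truncated outputs, and then uses the recovered state to regenerate the infectee's packet stream and to count packets that were sent but never observed, which is where items 5) and 6) above come from.

```python
# Added example (not from the talk or paper): recovering a 32-bit LCG state from
# the truncated outputs a Witty-like scanner exposes in its packet headers.
#
# Assumptions, labelled as such: x_{i+1} = (A*x_i + C) mod 2^32 with the MSVC
# constants A=214013, C=2531011, and a worm that uses the high 16 bits of three
# consecutive outputs for destination IP (two outputs) and destination port (one).
# This is a model of the scheme the abstract describes, not the worm's exact layout.

A = 214013
C = 2531011
M = 1 << 32
A_INV = pow(A, -1, M)  # A is odd, so it is invertible mod 2^32: the LCG runs backwards too


def lcg_next(x: int) -> int:
    return (A * x + C) % M


def lcg_prev(x: int) -> int:
    """Invert one LCG step; lets us walk an infectee's state back toward its seed."""
    return ((x - C) * A_INV) % M


def hi16(x: int) -> int:
    return x >> 16


def gen_packet(state: int):
    """Model of one scan packet: consume three outputs, expose only their top 16 bits.
    Returns (dst_ip, dst_port, new_state); new_state is the last output consumed."""
    x1 = lcg_next(state)
    x2 = lcg_next(x1)
    x3 = lcg_next(x2)
    dst_ip = (hi16(x1) << 16) | hi16(x2)
    dst_port = hi16(x3)
    return dst_ip, dst_port, x3


def observed_outputs(dst_ip: int, dst_port: int):
    """What a passive monitor sees of the generator: the top 16 bits of x1, x2, x3."""
    return [dst_ip >> 16, dst_ip & 0xFFFF, dst_port]


def recover_first_state(obs):
    """Brute-force the 16 hidden low bits of x1 and keep every candidate whose
    forward run reproduces the other two truncated outputs (32 bits of check
    against 16 unknown bits, so a false positive is rare but not impossible)."""
    cands = []
    for low in range(1 << 16):
        x1 = (obs[0] << 16) | low
        x2 = lcg_next(x1)
        if hi16(x2) != obs[1]:
            continue
        if hi16(lcg_next(x2)) == obs[2]:
            cands.append(x1)
    return cands


def packets_between(state_after_a: int, state_after_b: int, limit: int = 1 << 20):
    """Number of packets the infectee generated from packet A (exclusive) to
    packet B (inclusive). Anything above 1 is a packet the monitor never saw,
    which is how per-infectee loss rates fall out of the recovered state.
    Returns None if B is not reached within `limit` packets."""
    s, n = state_after_a, 0
    while s != state_after_b:
        _, _, s = gen_packet(s)
        n += 1
        if n > limit:
            return None
    return n


if __name__ == "__main__":
    seed = 0x1234ABCD  # constructed seed standing in for one infectee's PRNG state
    ip, port, after = gen_packet(seed)
    cands = recover_first_state(observed_outputs(ip, port))
    print("observed dst %08x:%d -> candidate x1 states %s (true x1 %08x)"
          % (ip, port, [hex(c) for c in cands], lcg_next(seed)))
    # With the state in hand, the infectee's whole stream can be regenerated:
    s = lcg_prev(cands[0])
    for _ in range(3):
        ip, port, s = gen_packet(s)
        print("regenerated packet -> %08x:%d" % (ip, port))
```

Because the multiplier is odd, `lcg_prev` walks the state backwards as well as forwards; once one packet from an infectee is pinned to a full state, every earlier and later packet it generated can be enumerated, and the number of generator steps between two observed packets directly gives the count of packets lost in between.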
The talk will open with a review of some concepts from number theory (one slide) and then lead into a discussion of the techniques used in our analysis.