[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3F397CC4.5140.4D173BE7@localhost>
Date: Tue, 12 Aug 2003 23:48:20 +1200
From: Nick FitzGerald <nick@...us-l.demon.co.uk>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: Windows Dcom Worm planned DDoS
"Andrew Thomas" <andrewt@....co.za> wrote:
> The examinations of the code so far indicate that the worm is
> coded to DoS the windowsupdate site from the 15th of August
> onwards through the end of the year.
I'll ignore the sloppiness in that description, as several of the
published descriptions have (or at least initially got) it confused
through slightly wrong too...
> I haven't seen anything mentioning whether or not the IP is
> hardcoded. If not, shouldn't Microsoft just set the forward
> resolve to 127.0.0.1 for a period of time?
>
> That will probably save many, many $'s of wasted traffic.
Well, despite the sometimes sloppiness in the descriptions of these
things (as suggested above), the folk responsible for these
descriptions also do get things right...
Unlike CodeRed, which was hard-coded for a specific IP that happened,
when it was written, to map to one of the two physical addresses in the
www.whitehouse.gov DNS round-robin (which probably saved adding around
25% to the worm's code size), this DCOM RPC worm, being a full-blown,
file-system bound, PE EXE does a GetHostByName for windowsupdate.com
without so much as bloating the .EXE beyond its current cluster
allocation.
And, of course, if MS started messing with the DNS entries for
windowsupdate.com, it would be cutting an awful lot of users off from
much needed updates. which could be as disturbing as the rest of the
worm's effects...
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists