lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 12 Aug 2003 10:11:03 +0200
From: Andrew Thomas <andrew@...erator.co.za>
To: bugtraq@...urityfocus.com, incidents@...urityfocus.com
Subject: RE: DCOM worm analysis report: W32.Blaster.Worm


> From: Dave Ahmad [mailto:da@...urityfocus.com]
> Sent: 11 August 2003 11:36
> Subject: DCOM worm analysis report: W32.Blaster.Worm
> 
.. https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
..

If the information contained herein is still correct, then it would appear that the algorithm used for target IP selection is far from optimal, and 
would result in large concentration of traffic around the IP address ranges 
of the initial infections.

While this is probably a bad thing for those concerned, this should at least 
buy the rest of the 'net some time to bunker down and ensure that their 
systems get patched. Unfortunately, scare situations like this may be the 
only way to get most of the machines patched.

Also, if this 80/20 rule for OS selection applies (80% XP, 20% win2k), then 
a lot of countries that are still predominantly running windows 2000 will 
experience a slower infection rate. I haven't run any figures to determine 
exactly what the difference will be, but given that here in South Africa, 
out of a web server version list of 100k odd machines, IIS/5.0 was vastly 
predominant, it would make some difference at least.

Q: Does the exploit use shellcode that includes a call to ExitThread or the 
like, such as *not* to take down the RPC service? 

>From the comment about the mutex lock, it would appear that there is some 
expectation of a reinfection, so I'd guess that that was the case. Still, I'd 
like confirmation. If the RPC service got taken down, then I'm sure that a lot 
of sysadmin's would notice a lot more quickly.

--
Andrew G. Thomas
Hobbs & Associates Chartered Accountants (SA)
(o) +27-(0)21-683-0500
(f) +27-(0)21-683-0577
(m) +27-(0)83-318-4070 

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ