Message-ID: <3F397CC4.5140.4D173BE7@localhost>
From: nick at virus-l.demon.co.uk (Nick FitzGerald)
Subject: Windows Dcom Worm planned DDoS

"Andrew Thomas" <andrewt@....co.za> wrote:

> The examinations of the code so far indicate that the worm is 
> coded to DoS the windowsupdate site from the 15th of August 
> onwards through the end of the year.

I'll ignore the sloppiness in that description, as several of the 
published descriptions have (or at least initially got) it confused 
through slightly wrong too...

> I haven't seen anything mentioning whether or not the IP is
> hardcoded. If not, shouldn't Microsoft just set the forward
> resolve to 127.0.0.1 for a period of time?
> 
> That will probably save many, many $'s of wasted traffic.

Well, despite the sometimes sloppiness in the descriptions of these 
things (as suggested above), the folk responsible for these 
descriptions also do get things right...

Unlike CodeRed, which was hard-coded for a specific IP that happened, 
when it was written, to map to one of the two physical addresses in the 
www.whitehouse.gov DNS round-robin (which probably saved adding around 
25% to the worm's code size), this DCOM RPC worm, being a full-blown, 
file-system bound, PE EXE does a GetHostByName for windowsupdate.com 
without so much as bloating the .EXE beyond its current cluster 
allocation.

And, of course, if MS started messing with the DNS entries for 
windowsupdate.com, it would be cutting an awful lot of users off from 
much needed updates, which could be as disturbing as the rest of the 
worm's effects...


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
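The exchange above turns on one detail: a worm that resolves its target by name, as Nick describes this one doing for windowsupdate.com, leaves a trace in the site's own DNS resolver logs that a hard-coded IP would not, and that trace lets a defender find the infected hosts rather than sinkholing the name for everyone (the cost Nick raises against Andrew's 127.0.0.1 idea). The script below is an added example, not code from either poster or from Microsoft; it assumes a BIND-style query-log line format, uses constructed sample lines, and treats the spike threshold as a site-chosen baseline.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log, not taken from the post. The line format is an
# assumption modelled on a BIND-style query log:
#   "<dd-Mon-yyyy> <HH:MM:SS> client <ip>#<port>: query: <qname> IN <qtype>"
SAMPLE_LOG = """\
14-Aug-2003 23:58:01 client 10.0.0.5#1029: query: windowsupdate.com IN A
14-Aug-2003 23:59:30 client 10.0.0.9#1030: query: www.example.com IN A
15-Aug-2003 00:00:02 client 10.0.0.11#1031: query: windowsupdate.com IN A
15-Aug-2003 00:00:03 client 10.0.0.12#1032: query: windowsupdate.com IN A
15-Aug-2003 00:00:03 client 10.0.0.13#1033: query: windowsupdate.com IN A
15-Aug-2003 00:00:04 client 10.0.0.14#1034: query: windowsupdate.com IN A
15-Aug-2003 00:00:05 client 10.0.0.15#1035: query: windowsupdate.com IN A
15-Aug-2003 00:00:05 client 10.0.0.16#1036: query: www.example.com IN A
15-Aug-2003 00:01:10 client 10.0.0.17#1037: query: windowsupdate.com IN A
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def parse_query_log(text):
    """Parse log lines into (timestamp, client_ip, qname) tuples; skip lines that don't match."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        # Normalise the name so trailing dots and case don't split the count.
        records.append((ts, m["client"], m["qname"].rstrip(".").lower()))
    return records


def distinct_clients_per_minute(records, qname):
    """Count how many distinct internal hosts resolved `qname` in each one-minute bucket."""
    buckets = defaultdict(set)
    for ts, client, name in records:
        if name == qname:
            buckets[ts.replace(second=0)].add(client)
    return {minute: len(hosts) for minute, hosts in sorted(buckets.items())}


def flag_spikes(records, qname, threshold):
    """Return (minute, host_count) for buckets whose distinct-host count reaches `threshold`.

    The threshold is a site-specific baseline the operator chooses; 4 is used below
    only because the constructed sample is tiny.
    """
    return [
        (minute, count)
        for minute, count in distinct_clients_per_minute(records, qname).items()
        if count >= threshold
    ]


def hosts_in_spikes(records, qname, threshold):
    """List the clients that resolved `qname` during a flagged minute, so containment
    can be aimed at those hosts instead of at the name itself."""
    flagged = {minute for minute, _ in flag_spikes(records, qname, threshold)}
    return sorted(
        {client for ts, client, name in records
         if name == qname and ts.replace(second=0) in flagged}
    )


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    for minute, count in flag_spikes(recs, "windowsupdate.com", threshold=4):
        print(f"{minute:%d-%b-%Y %H:%M}: {count} distinct hosts resolved windowsupdate.com")
    print("hosts to look at:", hosts_in_spikes(recs, "windowsupdate.com", threshold=4))
```

On the constructed sample the only flagged minute is 15-Aug-2003 00:00, with five distinct hosts; the single lookups before and after it stay under the threshold, which is the point: a per-host view keeps ordinary update clients resolving normally while the hosts that surged get looked at individually.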

