Open Source and information security mailing list archives
Message-ID: <200401291558.24206.jstewart@lurhq.com>
From: jstewart at lurhq.com (Joe Stewart)
Subject: Mydoom DoS attack bug

Here's why people have been getting inconsistent results when setting 
the system date forward and looking for the DoS attack to start:

Beginning of DDoS date check subroutine:

4A3DB0 PUSH EBP                                 ;  callCreateSCOddos
4A3DB1 MOV EBP,ESP
4A3DB3 SUB ESP,10


Get the current system time as a FILETIME struct:

4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
4A3DB9 PUSH EAX
4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]


Convert the stored DoS start date from SystemTime to FileTime:

4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
4A3DC3 PUSH EAX
4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
4A3DC7 ADD EAX,214                              
4A3DCC PUSH EAX	                                 ; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]


Compare high-order dword dwHighDateTime:

4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
4A3DD9 JB SHORT <message.skipDoS>    


Compare low-order dword dwLowDateTime:

4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
4A3DE1 JB SHORT <message.skipDoS>


Start the DoS:

4A3DE3 CALL <message.createSCOddos>             ; DoS_Loop
4A3DE8 PUSH 400
4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
4A3DF3 JMP SHORT <message.DoS_Loop>
4A3DF5 LEAVE                                    ; skipDos
4A3DF6 RETN

From MSDN:
The FILETIME structure is a 64-bit value representing the number of 
100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
  DWORD dwLowDateTime;
  DWORD dwHighDateTime;
} FILETIME, 
*PFILETIME;

The stored start time as a FILETIME is:
0xbe9ecb00
0x01c3e8dd

Because the dwords are compared independently, the DoS will not start 
anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter 
what the dwHighDateTime is. Obviously, this is close to three-quarters 
of the time.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
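As an added illustration (not part of Joe's post or the worm's code): the per-dword comparison reconstructed from the disassembly above, beside a correct 64-bit comparison, using the stored start date quoted in the post. The FILETIME stand-in struct and the sample "current time" values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Stand-in for the Win32 FILETIME struct (assumption: same layout as MSDN,
 * low dword first; no windows.h needed). */
typedef struct {
    uint32_t dwLowDateTime;
    uint32_t dwHighDateTime;
} filetime_t;

/* Stored DoS start date (Feb 1, 2004) as a FILETIME, values from the post. */
static const filetime_t START = { 0xbe9ecb00u, 0x01c3e8ddu };

/* The check as the disassembly performs it: each dword is compared on its
 * own, and the DoS is skipped whenever EITHER dword of "now" is below the
 * stored one (the two JB SHORT skipDoS branches). */
bool mydoom_check(filetime_t now) {
    if (now.dwHighDateTime < START.dwHighDateTime) return false; /* JB skipDoS */
    if (now.dwLowDateTime  < START.dwLowDateTime)  return false; /* JB skipDoS */
    return true;
}

/* Correct 64-bit comparison: the low dword only decides when the high
 * dwords are equal. */
bool correct_check(filetime_t now) {
    uint64_t a = ((uint64_t)now.dwHighDateTime << 32) | now.dwLowDateTime;
    uint64_t b = ((uint64_t)START.dwHighDateTime << 32) | START.dwLowDateTime;
    return a >= b;
}

/* Share of wall-clock time, after Feb 1 2004, during which the flawed check
 * refuses to fire: the low dword wraps every 2^32 ticks (about 429.5 s) and
 * is below 0xbe9ecb00 for this fraction of each wrap (~0.745, i.e. the
 * "close to three-quarters" in the post). */
double flawed_skip_fraction(void) {
    return (double)START.dwLowDateTime / 4294967296.0;
}

int main(void) {
    /* Constructed "now": high dword already past the stored one, but the
     * low dword happens to be small -> flawed check skips, correct one fires. */
    filetime_t later = { 0x00000010u, 0x01c3e8deu };
    printf("flawed: %d  correct: %d  skip fraction: %.3f\n",
           mydoom_check(later), correct_check(later), flawed_skip_fraction());
    return 0;
}
```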

