Full Disclosure mailing list archives
Re: Windows Dcom Worm planned DDoS
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Tue, 12 Aug 2003 23:48:20 +1200
"Andrew Thomas" <andrewt () nmh co za> wrote:
> The examinations of the code so far indicate that the worm is coded to DoS the windowsupdate site from the 15th of August onwards through the end of the year.
I'll ignore the sloppiness in that description, as several of the published descriptions have (or at least initially got) it confused through slightly wrong too...
> I haven't seen anything mentioning whether or not the IP is hardcoded. If not, shouldn't Microsoft just set the forward resolve to 127.0.0.1 for a period of time? That will probably save many, many $'s of wasted traffic.
Well, despite the sometimes sloppiness in the descriptions of these things (as suggested above), the folk responsible for these descriptions also do get things right...

Unlike CodeRed, which was hard-coded for a specific IP that happened, when it was written, to map to one of the two physical addresses in the www.whitehouse.gov DNS round-robin (which probably saved adding around 25% to the worm's code size), this DCOM RPC worm, being a full-blown, file-system bound, PE EXE does a GetHostByName for windowsupdate.com without so much as bloating the .EXE beyond its current cluster allocation.

And, of course, if MS started messing with the DNS entries for windowsupdate.com, it would be cutting an awful lot of users off from much needed updates, which could be as disturbing as the rest of the worm's effects...

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html