Re: [Full-Disclosure] Windows Dcom Worm planned DDoS

["Matthew Murphy" <mattmurphy@kc.rr.com>]

"Nick FitzGerald" <nick@virus-l.demon.co.uk> writes:
> And, of course, if MS started messing with the DNS entries for
> windowsupdate.com, it would be cutting an awful lot of users off from
> much needed updates. which could be as disturbing as the rest of the
> worm's effects...

Well, this could potentially be the case.  However, the actual domain used
by the WU server is "windowsupdate.microsoft.com".  At this point,
"windowsupdate.com" is just a redirect for sloppy admins/users.  The WU
binaries distributed with systems (i.e, Automatic Updating on Windows XP),
and the internal Microsoft documentation all point users to
"windowsupdate.microsoft.com", so disabling the DNS of "windowsupdate.com"
would not prevent updating if the user has the proper reference material at
hand.

That said, even if Microsoft *did* mess with the DNS, that would result in a
flurry of port 53 traffic to perform the resolutions.  Also, you still have
a potential for a slight negative effect on patch distribution, and patch
distribution is a *needed* channel.  Of course, if WU gets taken down by the
floods, we're back at square one, as WU remains the primary distribution
mechanism for patches to home users.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html