[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS

To: "martin f krafft" <madduck@madduck.net>, <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS
From: "Marc Maiffret" <marc@eeye.com>
Date: Tue, 12 Aug 2003 11:19:02 -0700

Everyone seems a little confused on the windowsupdate.com DDoS. It is a
rather mute point as it is easily fixable. They just need to remap it to
127.0.0.1 and all the SYN's will die on the local host of the infected
machine. Routing windowsupdate.com to 127.0.0.1 will not break anyone's
ability to get patches as "windowsupdate.com" is not directly used.

That is only a workaround for this single host attack though, in the end
everyone (even patched people) can get screwed by this flaw and new worms
until enough people have patched.

eEye Blaster Worm Analysis
http://www.eeye.com/html/Research/Advisories/AL20030811.html

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062
F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: full-disclosure-admin@lists.netsys.com
| [mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of martin f
| krafft
| Sent: Tuesday, August 12, 2003 9:27 AM
| To: full-disclosure@lists.netsys.com
| Subject: [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned
| DDoS
|
|
| also sprach martin f krafft <madduck@madduck.net> [2003.08.12.1654 +0200]:
| > Why on earth would you want to help protect Micro$oft's service?
| > Either they can deal with their crap themselves, or you should be
| > using proper software. I'll probably make sure to infect a couple of
| > computers on Saturday just for the sake of DoS'ing their site.
|
| And aside, we are talking about a SYN flood attack here, no? If
| Micro$oft can't deal with those, knowing of their advent, then they
| aren't worth being helped.
|
| --
| martin;              (greetings from the heart of the sun.)
|   \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
|
| invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!
|
| tempt not a desperate man.
|                                                 -- william shakespeare
|

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS
  - From: martin f krafft <madduck@madduck.net>

Prev by Date: Re: [Full-Disclosure] Windows Dcom Worm planned DDoS
Next by Date: [Full-Disclosure] CERT Advisory CA-2003-20 W32/Blaster worm (fwd)
Prev by thread: [Full-Disclosure] Re: [normal] RE: Windows Dcom Worm planned DDoS
Next by thread: Re: [normal] RE: [Full-Disclosure] Windows Dcom Worm planned DDoS
Index(es):
- Date
- Thread