
RE: [Full-Disclosure] Windows Dcom Worm planned DDoS



"Andrew Thomas" <andrew@generator.co.za> to me to him:

> > > The examinations of the code so far indicate that the worm is
> > > coded to DoS the windowsupdate site from the 15th of August 
> > > onwards through the end of the year.
> > 
> > I'll ignore the sloppiness in that description, as several of the 
> > published descriptions have (or at least initially got) it confused 
> > through slightly wrong too...
> 
> The examinations of the code *that I have read so far* indicate 
> that...?

I've seen "15 August", "from 15 August" and "after 15 August" used to 
describe the trigger for windowsupdate.com DoS payload.  All are 
incorrect.  The briefest of examinations of the trigger condition 
checks in the code show that first the date is checked for the current 
day of the month and if it is after the 15th, the DoS payload is run.  
If it is not after the 15th a second test condition is checked and if 
it is the eighth month or earlier the DoS payload is skipped.  Thus, 
assuming all infected machines' clocks are accurate, the DoS payload 
will start come 16 August and continue till the end of 31 December, 
then stop for fifteen days then run from 16 January till the end of the 
month, stop for fifteen days, run from 16 February till the end of the 
month, et seq. until 16 August is hit again then run till end of year, 
et seq (there are no year tests, so the sequence runs ad infinitum).

> >And, of course, if MS started messing with the DNS entries for 
> >windowsupdate.com, it would be cutting an awful lot of users off from
> >much needed updates. which could be as disturbing as the rest of the 
> >worm's effects...
> 
> Still leaving large organisations and smaller ISP's free to make
> the decision themselves on whether the loss of Windows update
> is more or less important than the prevention of the additional
> spurious traffic.

I think cutting folk off from WindowsUpdate for about two-thirds of the 
year is quite unreasonable for any ISP.

> In countries/situations where bandwidth is paid for by traffic 
> transferred, and is often quite expensive, I suspect that more 
> decisions will be made to eliminate access to WindowsUpdate, 
> at least for a period of time, rather than paying for excess
> traffic generated. 

I understand your situation (my current deal doesn't involve a traffic 
charge component, but DSL connections here do and where I used to work 
we charged for Internet service by bandwidth used) but still feel that 
cutting off WindowsUpdate for two-thirds of the year is unreasonable.

And perhaps you are looking at it the wrong way?  Perhaps getting a 
hefty traffic bill due to unwittingly taking part in such a DoS might 
make some folk sit up and start to take the security of their machines 
seriously (all too often the "there's nothing of value on my machine, 
so why secure it" attitude can only be countered by a rude shock such 
as a hefty network traffic bill).

> It's more than a matter of degraded service.

True, but the degraded intellects that run such easy target machines as 
end up taking part in things such as this worm's DoS network are often 
only fixed through a swift kick in the gonads...


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
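As an added illustration (not code from the post or from the worm), the trigger schedule reconstructed from the description in the message above: a first test on the day of the month, a second test on the month, and the resulting active days of a calendar year. The function names and the sample year 2003 are assumptions; the check confirms the "about two-thirds of the year" figure the poster gives.

```python
from datetime import date, timedelta


def dos_trigger_active(month: int, day: int) -> bool:
    """Model of the trigger condition as described in the post (assumption:
    written from that description, not taken from any worm code).
    First test: day of month after the 15th -> payload runs.
    Second test: otherwise, only a month later than the eighth -> payload runs.
    There is no year test, so this repeats every year, clocks permitting."""
    if day > 15:
        return True
    return month > 8


def active_ranges(year: int) -> list[tuple[date, date]]:
    """Return contiguous (first_day, last_day) spans in which the
    trigger would fire, assuming an accurate local clock."""
    ranges: list[tuple[date, date]] = []
    start = prev = None
    d = date(year, 1, 1)
    while d.year == year:
        if dos_trigger_active(d.month, d.day):
            if start is None:
                start = d
            prev = d
        elif start is not None:
            ranges.append((start, prev))  # close the span on the first quiet day
            start = None
        d += timedelta(days=1)
    if start is not None:  # span still open on 31 December
        ranges.append((start, prev))
    return ranges


def active_fraction(year: int) -> float:
    """Fraction of the year's days on which the trigger condition holds."""
    active = sum((end - begin).days + 1 for begin, end in active_ranges(year))
    days_in_year = (date(year + 1, 1, 1) - date(year, 1, 1)).days
    return active / days_in_year


if __name__ == "__main__":
    for begin, end in active_ranges(2003):
        print(f"{begin} .. {end}")
    print(f"active fraction of 2003: {active_fraction(2003):.3f}")
```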