RE: [Full-Disclosure] DDoS on the 16th - Fail if no DNS resolution?

["Chris Eagle" <cseagle@redshift.com>]

It uses the user's default locale for time.

here is the code snippet:

   GetDateFormat(LOCALE_USER_DEFAULT, 0, NULL, "d", day, 3);
   GetDateFormat(LOCALE_USER_DEFAULT, 0, NULL, "M", mon, 3);
   if (atoi(day) > 15 || atoi(mon) > 8) {
      CreateThread(NULL, 0, SynFlood, NULL, 0, &temp);
   }

Also, it only checks the date one time, at start up.  If the worm is running
at midnight on the 15/16, it will NOT initiate the DDoS.  It would have to
be shutdown and restarted again within the desired time window.

Chris


-----Original Message-----
From: full-disclosure-admin@lists.netsys.com
[mailto:full-disclosure-admin@lists.netsys.com]On Behalf Of Darren Reed
Sent: Wednesday, August 13, 2003 6:17 PM
To: Jason Witty
Cc: Full-Disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] DDoS on the 16th - Fail if no DNS
resolution?


In some mail from Jason Witty, sie said:
>
> All,
>
> Has anyone tested this worm yet to see what it'll do if you set up an
> internal DNS entry for windowsupdate.com to point to a black hole address
> (127.0.0.1 for example) and then set the system clock to be August 16th
> (this Saturday)?

Just to flip back to the 15th/16th thing, the significant thing here is
if it is using localtime vs GMT time then it will be the 16th in some
parts of the world before others...eg the West coast of USA is 7 hours
ahead of the East coast of Australia, but a day behind, so come 00:01
Saturday the 16th in Australia, it'll be 7:01am in Seattle on Friday the
15th...

Darren
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html