[personal profile] doc_strange
...is to not be anywhere?

In a not even vaguely bold move, Microsoft went and pulled all DNS for windowsupdate.com. They indicate how it's a smart move.

What they don't tell you is that the worm, given NO IP address to attack... will flood 255.255.255.255 -- a broadcast address, causing it to wreak more havoc on the infected system's segment than it would have before.

SO:
1) MS has a hole for years in their now heavily-code-reviewed software.
2) MS releases a patch and begs everyone to apply it
3) a worm comes out, which will target a DDoS attack at a prominent MS site just 6 days after release
4) MS pulls their address so the worm beats the daylights out of the local victim's network.

THANKS Microsoft!
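Added detection example, not part of the original post: if the worm's fallback is to hammer 255.255.255.255 once windowsupdate.com stops resolving, the infected host stands out in flow records as a source sending many TCP SYNs to the limited broadcast address in a short window. The flow line format, host addresses and timestamps below are constructed for the example; the threshold and window are assumptions to tune per network.

```python
from collections import defaultdict

BROADCAST = "255.255.255.255"

def parse_flows(text):
    """Parse constructed flow lines of the form: ts src dst proto flags."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, flags = line.split()
        flows.append((int(ts), src, dst, proto, flags))
    return flows

def find_broadcast_flooders(flows, threshold=50, window=60):
    """Return {src: peak count} for hosts that sent at least `threshold`
    TCP SYNs to the limited broadcast address within any `window` seconds."""
    per_src = defaultdict(list)
    for ts, src, dst, proto, flags in flows:
        # SYN without ACK: a bare connection attempt, the unit of a SYN flood
        if dst == BROADCAST and proto == "tcp" and "S" in flags and "A" not in flags:
            per_src[src].append(ts)
    hits = {}
    for src, times in per_src.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[src] = best
    return hits

def constructed_sample():
    """Constructed data (not real captures): one host hammering the broadcast
    address, one host doing a few normal UDP broadcasts plus unicast web hits."""
    base = 1060923600  # arbitrary epoch seconds, August 2003
    lines = ["# ts src dst proto flags"]
    lines += [f"{base + i // 3} 10.1.2.15 {BROADCAST} tcp S" for i in range(120)]
    lines += [f"{base + i * 10} 10.1.2.40 {BROADCAST} udp -" for i in range(6)]
    lines += [f"{base + i * 2} 10.1.2.40 10.1.2.1 tcp S" for i in range(30)]
    return "\n".join(lines)

if __name__ == "__main__":
    for src, n in find_broadcast_flooders(parse_flows(constructed_sample())).items():
        print(f"{src}: {n} SYNs to {BROADCAST} inside a 60 s window")
```

Ordinary UDP broadcasts (DHCP, NetBIOS name queries) are deliberately not counted, so a busy but healthy segment does not trip the rule.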

Incidentally

Date: 2003-08-16 09:49 am (UTC)
From: [identity profile] vokzal.livejournal.com
Where'd you find this one out?

"Hey, bugtraq hasn't said /that/!"

So I'm curious as to who has...

Or have you been combing the source? And you know the secret of windows system calls?

Re: Incidentally

Date: 2003-08-16 10:01 am (UTC)
From: [identity profile] docstrange.livejournal.com
My sources are as the grains of sand in my shoe.

Which is to say, the MS pulling DNS, I figured out with dnsq and dnstrace.

The action the worm will take upon receiving no DNS for windowsupdate.com information was provided by Symantec.

That and some friends set it up in their lab, and ran it through its paces. It's almost too straightforward to spend time with a debugger.

Re: Incidentally

Date: 2003-08-16 10:32 am (UTC)
From: [identity profile] vokzal.livejournal.com
Ah!

Thanks!

(I forwarded it to my Friend, who is trying to start a consulting business. Maybe this will give him some clients, who knows.)

Re: Incidentally

Date: 2003-08-17 02:32 am (UTC)
From: [identity profile] cheesetruck.livejournal.com
Talking to one of the folks I used to work with today at the bar, and discussing worm... cuz he had oh so much fun with it this week (I'd explain but you can imagine, wireless devices from cop shops with infections...)

I forgot what I was gonna say.

Anyway, what debugger you using for the harder ones? Just wondering if someone sprung for a copy of IDA Pro for ya. I managed to pull that off once (: Sure, I've mostly used it for disassembling 6502 stuff but it was useful for Code Red, if only for a few minutes before someone beat me to the full disassembly (:

Re: Incidentally

Date: 2003-08-17 08:58 am (UTC)
From: [identity profile] docstrange.livejournal.com
We actually licensed 2 copies of IDA Pro. Our two sec bug geniuses do that work, rather than me (unless it's a Z80 worm :-)). Many of the worms are also compressed (not a big problem), and a few have been code obfuscated or partially encrypted, so there's a bit more work to it as well. The tools used to prevent code reversing to protect intellectual property do a good job of keeping a worm, etc.'s function obscure.
