The best way to not get hit...

[doc_strange]

...is to not be anywhere?

In a not even vaguely bold move, Microsoft went and pulled all DNS for windowsupdate.com. They indicate how it's a smart move.

What they don't tell you is that the worm, given NO IP address to attack... will flood 255.255.255.255 -- a broadcast address, causing it to wreak more havoc on the infected system's segment than it would have before.

SO:
1) MS has a hole for years in their now heavily-code-reviewed software.
2) MS releases a patch and begs everyone to apply it
3) a worm comes out, which will target a DDoS attack at a prominent MS site just 6 days after release
4) MS pulls their address so the worm beats the daylight out of the local victim's network.

THANKS Microsoft!

Comments

Re: Incidentally

[cheesetruck.livejournal.com]

talking to one of the folks I used to work with today at the bar, and discussing worm... cuz he had oh so much fun with it this week (I'd explain but you can imagine, wireless devices from cop shops with infections...)

I forgot what I was gonna say.

Anyway, what debugger you using for the harder ones? Just wondering if someone sprung for a copy of IDA pro for ya. I managed to pull that off once (: Sure, I've mostly used it for dissasembling 6502 stuff but it was useful for code red, if only for a few minutes before someone beat me to the full dissasembly (:

Re: Incidentally

[docstrange.livejournal.com]

We actually licensed 2 copies of IDA Pro. Our two sec bug geniuses do that work, rather than me (unless it's a Z80 worm :-)). Many of the worms are also compressed (not a big problem), and a few have been code obfuscated or partially encrypted, so there's a bit more work to it as well. The tools used to prevent code reversing to protect intellectual property do a good job of keeping a worm, etc.'s function obscure.