Re: [ISN] Code Red Tribulation is nigh, Steve Gibson warns

From: InfoSec News (isnat_private)
Date: Wed Aug 01 2001 - 02:49:12 PDT


    Forwarded by: Paul Cardon <paulat_private>
    
    InfoSec News wrote:
     
    > In fact, raw sockets have no relevance to this particular worm. I
    > actually have examined it, and while I'm impressed by its compactness
    > and power, and the speed with which it was hacked out, it's clear that
    > the author wanted to know which machines it had infected. Packet
    > spoofing would have frustrated that ambition perfectly. (Oh, and
    > because the .IDA hole which the worm exploits yields system-level
    > access, knowing which among thousands of boxes are infected is a whole
    > lot nastier than any spoofed-packet flood could hope to be.)
    > 
    > I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself,
    > has debunked Gibson at length before an ungrateful army of GRC
    > patsies, agrees.
    > 
    > "[Gibson] contends Code Red would've been more effective if it used
    > raw sockets. I contend it would've been less effective. The
    > router/spoofing RFCs would've negated some of the zombies by refusing
    > to let them push," Rosenberger says.
    
    It would be so much more ineffective than that.  Code Red makes a TCP
    connection in order to infect other systems.  That can't be done from a
    spoofed source unless you have the ability to reliably predict ISNs
    (initial sequence numbers).  Gibson is choosing to ignore that very
    important detail.  Some NT systems may have weaker (but not trivially
    guessable) ISNs. Win2k and WinXP systems should be in good shape since
    Newsham's statistical analysis of ISNs is not really feasible for use in
    worm code.
    
    -paul
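The reply's point about spoofed-source TCP connections, as an added illustration that is not part of the original message: a toy model of the three-way handshake in which the server's SYN-ACK (and so its ISN) goes to the address in the SYN. A sender using a spoofed source never sees it and can only complete the handshake by predicting the ISN, which works against a fixed-increment generator and fails against an RFC 6528-style randomized one. The Server class, the two ISN generators, the step size and the TEST-NET addresses are all constructed for the simulation.

```python
import hashlib
import os

MASK32 = 0xFFFFFFFF


class Server:
    """Minimal TCP listener: records the ISN it sent per (src_ip, src_port)."""

    def __init__(self, isn_generator):
        self.isn_generator = isn_generator
        self.half_open = {}  # (src_ip, src_port) -> ACK number that completes the handshake

    def recv_syn(self, src_ip, src_port):
        isn = self.isn_generator(src_ip, src_port)
        self.half_open[(src_ip, src_port)] = (isn + 1) & MASK32
        return isn  # SYN-ACK is delivered to src_ip, not necessarily to the real sender

    def recv_ack(self, src_ip, src_port, ack_num):
        """True only when the ACK matches the ISN that went to src_ip."""
        key = (src_ip, src_port)
        if self.half_open.get(key) == ack_num:
            del self.half_open[key]
            return True
        return False


def make_incrementing_isn(step=64000):
    """Old-style generator: one global counter, bumped by a fixed step per connection."""
    state = {"isn": 0}

    def gen(src_ip, src_port):
        state["isn"] = (state["isn"] + step) & MASK32
        return state["isn"]
    return gen


def make_rfc6528_isn(secret=None, clock=0):
    """RFC 6528-style generator: clock component plus a keyed hash of the connection tuple."""
    secret = secret or os.urandom(16)

    def gen(src_ip, src_port):
        digest = hashlib.sha256(secret + f"{src_ip}:{src_port}".encode()).digest()
        return (clock + int.from_bytes(digest[:4], "big")) & MASK32
    return gen


def blind_handshake_completes(isn_generator, step=64000):
    """Can a sender that never sees the SYN-ACK finish a spoofed-source handshake?
    It first connects from its own address to sample the server's current ISN,
    then guesses that the next ISN is sample + step."""
    server = Server(isn_generator)
    sample = server.recv_syn("198.51.100.7", 40000)  # own address: SYN-ACK is seen
    server.recv_ack("198.51.100.7", 40000, (sample + 1) & MASK32)
    server.recv_syn("203.0.113.9", 40001)  # spoofed source: SYN-ACK goes elsewhere
    return server.recv_ack("203.0.113.9", 40001, (sample + step + 1) & MASK32)
```

With the incrementing generator the guess lands and the spoofed handshake completes; with the keyed-hash generator the guess has a 1 in 2^32 chance, which is why a worm that must make real TCP connections cannot hide its infected hosts behind spoofed addresses.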
    
    
    
    -
    ISN is currently hosted by Attrition.org



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 06:55:38 PDT