Forwarded by: Paul Cardon <paulat_private>

InfoSec News wrote:

> In fact, raw sockets have no relevance to this particular worm. I
> actually have examined it, and while I'm impressed by its compactness
> and power, and the speed with which it was hacked out, it's clear that
> the author wanted to know which machines it had infected. Packet
> spoofing would have frustrated that ambition perfectly. (Oh, and
> because the .IDA hole which the worm exploits yields system-level
> access, knowing which among thousands of boxes are infected is a whole
> lot nastier than any spoofed-packet flood could hope to be.)
>
> I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself,
> has debunked Gibson at length before an ungrateful army of GRC
> patsies, agrees.
>
> "[Gibson] contends Code Red would've been more effective if it used
> raw sockets. I contend it would've been less effective. The
> router/spoofing RFCs would've negated some of the zombies by refusing
> to let them push," Rosenberger says.

It would be so much more ineffective than that. Code Red makes a TCP
connection in order to infect other systems. That can't be done from a
spoofed source unless you have the ability to reliably predict ISNs
(initial sequence numbers). Gibson is choosing to ignore that very
important detail. Some NT systems may have weaker (but not trivially
guessable) ISNs. Win2k and WinXP systems should be in good shape, since
Newsham's statistical analysis of ISNs is not really feasible for use in
worm code.

-paul

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.
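The point Paul makes above, that a TCP connection from a spoofed source only completes if the attacker can predict the victim's ISN, can be shown with a toy model of the three-way handshake. The following Python is an added example written for this archive page; it is not code from the original message, from Code Red, or from any real TCP stack. The listener class, the three ISN generators (a fixed-step counter, a counter with a small random jitter, and a fully random 32-bit ISN), the step size of 64000, the jitter of +/-2000, and the host names "attacker" and "spoofed" are all constructed assumptions chosen to illustrate the three cases in the message: trivially predictable, weaker but not trivially guessable, and not practically guessable.

```python
import random

MOD = 2 ** 32  # sequence numbers are 32-bit, arithmetic wraps


class TcpListener:
    """Toy model of a victim's TCP listener (constructed for this example,
    not a real stack). It hands out an ISN for every SYN and only moves a
    connection to ESTABLISHED when the peer's ACK number equals ISN + 1."""

    def __init__(self, isn_generator):
        self._next_isn = isn_generator
        self.half_open = {}      # (src_ip, src_port) -> our ISN
        self.established = set()

    def recv_syn(self, src_ip, src_port):
        isn = self._next_isn()
        self.half_open[(src_ip, src_port)] = isn
        # The SYN-ACK carrying isn is routed to src_ip. The return value
        # models what only the real owner of src_ip gets to see; a host
        # that spoofed src_ip never receives it.
        return isn

    def recv_ack(self, src_ip, src_port, ack_num):
        isn = self.half_open.get((src_ip, src_port))
        if isn is None:
            return False
        if ack_num != (isn + 1) % MOD:
            # Wrong guess. A real stack answers with a RST; the toy simply
            # keeps the half-open entry so further guesses can be modelled.
            return False
        del self.half_open[(src_ip, src_port)]
        self.established.add((src_ip, src_port))
        return True


def fixed_step_isn(step=64000, start=0x10000000):
    """Counter-style ISN: each new connection gets the previous ISN plus a
    constant. One sampled ISN lets an attacker compute the next one."""
    state = [start]

    def gen():
        state[0] = (state[0] + step) % MOD
        return state[0]
    return gen


def jittered_step_isn(step=64000, jitter=2000, seed=7):
    """Counter plus a small random offset per connection (assumed numbers).
    The attacker knows the step but not the offset, so a single guess
    usually misses and a window of about 4 * jitter ACKs is needed."""
    rng = random.Random(seed)
    state = [0x10000000]

    def gen():
        state[0] = (state[0] + step) % MOD
        return (state[0] + rng.randint(-jitter, jitter)) % MOD
    return gen


def random_isn(seed=7):
    """Unpredictable 32-bit ISN: a sampled value tells the attacker nothing
    about the next one, so a blind guess succeeds with probability 2**-32."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def blind_spoof(isn_generator, step=64000, guess_window=0):
    """Attacker at real address 'attacker' tries to complete a handshake
    with the victim while claiming to be 'spoofed'. Returns
    (handshake_completed, number_of_blind_acks_sent)."""
    victim = TcpListener(isn_generator)

    # 1. Sample: a legitimate handshake from the attacker's own address,
    #    so the SYN-ACK (and its ISN) really reaches the attacker.
    sampled = victim.recv_syn("attacker", 40000)
    victim.recv_ack("attacker", 40000, (sampled + 1) % MOD)

    # 2. Spoofed SYN. The SYN-ACK goes to 'spoofed', so the attacker
    #    deliberately does not look at the returned ISN.
    victim.recv_syn("spoofed", 40001)

    # 3. Blind ACKs: predict the ISN as sample + step and, for weaker
    #    generators, sweep a window of candidates around the prediction.
    predicted = (sampled + step) % MOD
    acks_sent = 0
    for delta in range(-guess_window, guess_window + 1):
        acks_sent += 1
        if victim.recv_ack("spoofed", 40001, (predicted + delta + 1) % MOD):
            return True, acks_sent
    return False, acks_sent


if __name__ == "__main__":
    print("fixed step, 1 guess:   ", blind_spoof(fixed_step_isn()))
    print("jittered, 8001 guesses:", blind_spoof(jittered_step_isn(), guess_window=4000))
    print("random, 1 guess:       ", blind_spoof(random_isn()))
```

With the counter-style generator the spoofed handshake completes on the first ACK. With the jittered counter it still completes, but only after sweeping thousands of ACKs at one target, which is the kind of per-victim cost a worm that has to infect thousands of hosts cannot afford. With a random ISN the single blind guess fails, and the sweep would have to cover the whole 32-bit space.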
This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 06:55:38 PDT