"Andrew Thomas" <andrewtat_private> wrote: > The examinations of the code so far indicate that the worm is > coded to DoS the windowsupdate site from the 15th of August > onwards through the end of the year. I'll ignore the sloppiness in that description, as several of the published descriptions have (or at least initially got) it confused through slightly wrong too... > I haven't seen anything mentioning whether or not the IP is > hardcoded. If not, shouldn't Microsoft just set the forward > resolve to 127.0.0.1 for a period of time? > > That will probably save many, many $'s of wasted traffic. Well, despite the sometimes sloppiness in the descriptions of these things (as suggested above), the folk responsible for these descriptions also do get things right... Unlike CodeRed, which was hard-coded for a specific IP that happened, when it was written, to map to one of the two physical addresses in the www.whitehouse.gov DNS round-robin (which probably saved adding around 25% to the worm's code size), this DCOM RPC worm, being a full-blown, file-system bound, PE EXE does a GetHostByName for windowsupdate.com without so much as bloating the .EXE beyond its current cluster allocation. And, of course, if MS started messing with the DNS entries for windowsupdate.com, it would be cutting an awful lot of users off from much needed updates. which could be as disturbing as the rest of the worm's effects... -- Nick FitzGerald Computer Virus Consulting Ltd. Ph/FAX: +64 3 3529854 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 05:49:57 PDT