sigh

The worm sent packets to every IP address it computed. If your machine was an unpatched IIS server, it took command via the exploit. If your IIS server was in English, it replaced the pages going out. Then it DoS'ed ...91, which was one of the www.whitehouse.gov sites.

In 7 days, it'll go to sleep. In 10 days, someone will unleash it again. There will be fewer machines to take over. We'll still suffer the network overload. Cable modems will crash, and any number of other Internet machines that process HTTP GETs will crash.

But if they change the payload, someone will just come up with another clever way to detour that payload. You're dealing with all the best minds of our great USA working together. Certainly, someone has thought.

And it's not over. We're still working on it.

Jimmy Kuo

-----Original Message-----
From: Jimmy Sadri
To: George Heuston
Cc: 'crime@private'
Sent: 7/21/01 4:04 PM
Subject: Worm's Potential

Has anyone thought that whoever wrote this worm could have done much worse? Somehow I think that if someone were to take this code and change it so it affects all versions (not just English) of MS IIS server and then attack a DNS name like www.microsoft.com or www.yahoo.com, I think we'd be in big trouble...

Since this worm only affected the English version of IIS, that leaves the rest of the IIS servers out there in the world still potentially vulnerable. Like I said, maybe whoever wrote this worm wanted to have a second shot at it. By only infecting English version boxes, he now only has to modify his code a little bit to have another shot, this time fixing where he went wrong... attacking an IP address that can be easily changed instead of attacking the name www.whitehouse.gov

Just some food for thought...

=======================================================
Jimmy Sadri          jimmys@private
Network Engineer/    jimmys@private
Security Consultant