RE: Worm's Potential

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Mon Jul 23 2001 - 10:24:34 PDT

    Yes, those too.  And a number of other web-enabled interfaces.
    
    Things will be quiet until the 1st of August.  You have until then to
    pressure whichever providers to fix whatever broke.
    
    (I was away from home throughout all this.  I don't even know if my own DSL
    box will stand up.)
    
    When you say "y'day", did you mean 7/22?  Things should have been quiet
    since 7/19 5PM PDT.  If indeed it was yesterday and lots more people
    experience this, we have to keep an eye out for another worm.  Hope it's
    just coincidence.
    
    Jimmy
    
    -----Original Message-----
    From: Andy Johnson-Laird
    To: Kuo, Jimmy; 'Jimmy Sadri '; 'George Heuston '
    Cc: ''crime@private' '
    Sent: 7/23/01 10:19 AM
    Subject: RE: Worm's Potential
    
    I had an instance y'day where a Qwest DSL modem was wedged and, on
    calling Qwest's main support number, the greeting message indicated they
    were seeing instances of this virus wedging modems...the fix
    (fortunately) was just to power cycle the modem. I did this and the
    modem re-started normal operation.
    
    Andy
    
    At 06:27 PM 7/21/2001, Kuo, Jimmy wrote:
    >sigh
    >
    >The worm sent packets to every IP address it computed.
    >
    >If your machine was an unpatched IIS server, it took command via the
    >exploit.
    >
    >If your IIS server was in English, it replaced the pages going out.
    >
    >Then it DoS'ed ...91, which was one of the www.whitehouse.gov sites.
    >
    >In 7 days, it'll go to sleep.
    >
    >In 10 days, someone will unleash it again.
    >
    >There will be fewer machines to take over.
    >
    >We'll still suffer the network overload.  Cable modems will crash, and any
    >number of other Internet machines that process HTTP GETs will crash.
    >
    >But if they change the payload, someone will just come up with another
    >clever way to detour that payload.
    >
    >You're dealing with all the best minds of our great USA working together.
    >Certainly, someone has thought.
    >
    >And it's not over.  We're still working on it.
    >
    >Jimmy Kuo
    >
    >-----Original Message-----
    >From: Jimmy Sadri
    >To: George Heuston
    >Cc: 'crime@private'
    >Sent: 7/21/01 4:04 PM
    >Subject: Worm's Potential
    >
    >
    >
    >   Has anyone thought that whoever wrote this worm could have done much
    >worse?  Somehow I think that if someone were to take this code and change
    >it so it affects all versions (not just English) of MS IIS server and then
    >attack a DNS name like www.microsoft.com or www.yahoo.com, I think we'd be
    >in big trouble... Since this worm only affected the English version of IIS,
    >that leaves the rest of the IIS servers out there in the world still
    >potentially vulnerable.  Like I said, maybe whoever wrote this worm wanted
    >to have a second shot at it: by only infecting English-version boxes, he
    >now only has to modify his code a little bit to have another shot, this time
    >fixing where he went wrong... attacking an IP address that can be easily
    >changed instead of attacking the name www.whitehouse.gov
    >
    >Just some food for thought...
    >
    >
    >=======================================================
    >Jimmy Sadri                           jimmys@private
    >Network Engineer/                     jimmys@private
    >Security Consultant
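Added example (not part of the thread above, and not code from any of its participants): the messages describe a worm that sends an HTTP GET to every address it computes, takes over unpatched IIS servers, and crashes other devices that merely process GETs, and Jimmy Kuo's advice is to keep an eye out for another one. The script below is one way to do that from the server side: it reads IIS W3C extended log lines, flags requests that look like worm probes, and counts hits per source address. Assumptions: the field order (#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) is the IIS 5 default; the /default.ida?NNN...%u9090... probe shape is taken from the public Code Red write-ups (CERT/CC CA-2001-19), not from this thread, and the check is widened to any N- or X-filled .ida/.idq query, any run of %u-encoded words, or any overlong query; the sample log lines are constructed, with an abbreviated %u payload; the names and thresholds (parse, classify, scan, MAX_QUERY_LEN, min_hits) are mine.

```python
"""Flag Code Red-style probes in IIS W3C extended log lines (added example)."""
import re
from collections import Counter, defaultdict

# Assumption: IIS 5 default W3C field order
#   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# The documented Code Red probe (CERT/CC CA-2001-19) is a GET for /default.ida
# whose query is a long run of 'N' followed by %uXXXX-encoded shellcode.
# Three heuristics: the first is that shape (widened to X filler and .idq),
# the other two catch any shellcode-carrying or overlong GET, which is the
# kind of request the thread says crashes devices that only process GETs.
FILLER_RE = re.compile(r"^([NX])\1{100,}")            # 100+ repeats of one filler byte
SHELLCODE_RE = re.compile(r"(%u[0-9a-fA-F]{4}){3,}")  # runs of %u-encoded words
MAX_QUERY_LEN = 512                                   # assumption: our own threshold


def parse(line):
    """Return the fields of one log line, or None for headers/comments/junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Return the reasons a line looks like a worm probe ([] if it looks clean)."""
    f = parse(line)
    if f is None:
        return []
    reasons = []
    stem, query = f["stem"].lower(), f["query"]
    if stem.endswith((".ida", ".idq")) and FILLER_RE.match(query):
        reasons.append("code-red-ida-probe")
    if SHELLCODE_RE.search(query):
        reasons.append("unicode-shellcode")
    if len(query) > MAX_QUERY_LEN:
        reasons.append("overlong-query")
    return reasons


def scan(lines, min_hits=2):
    """Summarise probe hits per source IP.

    A source with >= min_hits flagged requests is marked 'scanning': a worm
    walking computed addresses hits the same server repeatedly, a one-off
    broken client usually does not.
    """
    hits, reasons = Counter(), defaultdict(set)
    for line in lines:
        r = classify(line)
        if r:
            ip = parse(line)["ip"]
            hits[ip] += 1
            reasons[ip].update(r)
    return {
        ip: {"hits": n, "reasons": sorted(reasons[ip]), "scanning": n >= min_hits}
        for ip, n in hits.items()
    }


# Constructed sample log (not real traffic). Addresses are documentation
# ranges; the 224 N's match the documented probe, the %u payload is abbreviated.
_PROBE = "N" * 224 + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 13:02:11 203.0.113.7 GET /index.htm - 200
2001-07-19 13:02:12 198.51.100.23 GET /default.ida {_PROBE} 200
2001-07-19 13:02:40 198.51.100.23 GET /default.ida {_PROBE} 200
2001-07-19 13:03:05 203.0.113.7 GET /images/logo.gif - 200
2001-07-19 13:04:17 192.0.2.77 GET /search.asp q=worm 200
"""

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run against the sample, only 198.51.100.23 is reported, with two hits and the reasons code-red-ida-probe and unicode-shellcode; the same heuristics flag a changed payload as long as it still arrives as an overlong or %u-encoded GET, which is the case Jimmy Sadri raises when he asks what a modified copy could do.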
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:23:58 PDT