RE: Worm's Potential

From: Andy Johnson-Laird (andy@private)
Date: Mon Jul 23 2001 - 11:01:17 PDT


    At 10:24 AM 7/23/2001, Kuo, Jimmy wrote:
    >Yes, those too.  And number of other web enabled interfaces.
    >
    >Things will be quiet until the 1st of August.  You have until then to
    >pressure whichever providers to fix whatever broke.
    >
    >(I was away from home throughout all this.  I don't even know if my own DSL
    >box will stand up.)
    >
    >When you say "y'day", did you mean 7/22?
    
    Yes.
    
    >  Things should have been quiet
    >since 7/19 5PM PDT.
    
    The user was away and didn't report the problem until yesterday. It appears that the modem may have wedged on 7/14 or thereabouts (by inference from the date/time of the email traffic that arrived once the modem was unwedged), but I don't think we can pinpoint it accurately.
    
    >  If indeed it was yesterday and lots more people
    >experience this, we have to keep an eye out for another worm.  Hope it's
    >just coincidence.
    
    Sorry to have caused potential confusion...I don't think it's YAW (yet another worm).
    
    A.
    
    
    
    >Jimmy
    >
    >-----Original Message-----
    >From: Andy Johnson-Laird
    >To: Kuo, Jimmy; 'Jimmy Sadri '; 'George Heuston '
    >Cc: ''crime@private' '
    >Sent: 7/23/01 10:19 AM
    >Subject: RE: Worm's Potential
    >
    >I had an instance y'day where a Qwest DSL modem was wedged and, on
    >calling Qwest's main support number, the greeting message indicated they
    >were seeing instances of this virus wedging modems...the fix
    >(fortunately) was just to power cycle the modem. I did this and the
    >modem re-started normal operation.
    >
    >Andy
    >
    >At 06:27 PM 7/21/2001, Kuo, Jimmy wrote:
    >>sigh
    >>
    >>The worm sent packets to every IP address it computed.
    >>
    >>If your machine was an unpatched IIS server, it took command via the
    >>exploit.
    >>
    >>If your IIS server was in English, it replaced the pages going out.
    >>
    >>Then it DoS'ed ...91, which was one of the www.whitehouse.gov sites.
    >>
    >>In 7 days, it'll go to sleep.
    >>
    >>In 10 days, someone will unleash it again.
    >>
    >>There will be fewer machines to take over.
    >>
    >>We'll still suffer the network overload.  Cablemodems will crash, and any
    >>number of other Internet machines that process HTTP GETs will crash.
    >>
    >>But if they change the payload, someone will just come up with another
    >>clever way to detour that payload.
    >>
    >>You're dealing with all the best minds of our great USA working together.
    >>Certainly, someone has thought.
    >>
    >>And it's not over.  We're still working on it.
    >>
    >>Jimmy Kuo
    >>
    >>-----Original Message-----
    >>From: Jimmy Sadri
    >>To: George Heuston
    >>Cc: 'crime@private'
    >>Sent: 7/21/01 4:04 PM
    >>Subject: Worm's Potential
    >>
    >>
    >>
    >>   Has anyone thought that whoever wrote this worm could have done much
    >>worse?  Somehow I think that if someone were to take this code and change
    >>it so it affects all versions (not just English) of MS IIS server and then
    >>attack a DNS name like www.microsoft.com or www.yahoo.com, I think we'd be
    >>in big trouble... Since this worm only affected the English version of IIS,
    >>that leaves the rest of the IIS servers out there in the world still
    >>potentially vulnerable.  Like I said, maybe whoever wrote this worm wanted
    >>to have a second shot at it by only infecting English version boxes; he now
    >>only has to modify his code a little bit to have another shot, this time
    >>fixing where he went wrong... attacking an IP address that can be easily
    >>changed instead of attacking the name www.whitehouse.gov.
    >>
    >>Just some food for thought...
    >>
    >>
    >>=======================================================
    >>Jimmy Sadri                           jimmys@private
    >>Network Engineer/                     jimmys@private
    >>Security Consultant
    