Re: slapper worm variant "cinik"

From: James P. Kinney III (jkinneyat_private)
Date: Thu Sep 26 2002 - 08:35:03 PDT


    My understanding is that TCP is used during the break-in process. UDP is
    then used to communicate with "home base" and other infected machines.
    It sets up a P2P network using UDP protocols.
    
    I expect that false blocking will occur.
    
    On Thu, 2002-09-26 at 11:16, Mark wrote:
    > Which brings up another point.  It uses TCP to infect, but UDP for the peer
    > communication, right?  UDP is so easily spoofed, what's to keep me from
    > falsely pretending that I am an infected machine at Company X via a simple
    > UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
    > wished anonymously?
    > 
    > -Mark
    > 
    > ----- Original Message -----
    > From: "Anton A. Chuvakin" <antonat_private>
    > To: "James P. Kinney III" <jkinneyat_private>
    > Cc: <incidentsat_private>
    > Sent: Wednesday, September 25, 2002 2:38 PM
    > Subject: Re: slapper worm variant "cinik"
    > 
    > 
    > > James and all,
    > >
    > > >Apparently the intruder got rather upset I spoiled his fun and about 15
    > > >minutes after I shut him out, I was a victim of a UDP-based DoS attack.
    > > Actually, it wasn't an intruder; the UDP flood you are experiencing is a
    > > consequence of a worm network design. Most likely the worm managed to join
    > > the network before you shut it down and now its peers are trying to access
    > > your machine.
    > >
    > > For more info go to http://isc.incidents.org/analysis.html?id=169 and
    > > http://isc.incidents.org/analysis.html?id=167
    > >
    > > Best,
    > > --
    > >   Anton A. Chuvakin, Ph.D., GCIA
    > >      http://www.chuvakin.org
    > >    http://www.info-secure.org
    > >
    > >
    > > ----------------------------------------------------------------------------
    > > This list is provided by the SecurityFocus ARIS analyzer service.
    > > For more information on this free incident handling, management
    > > and tracking system please see: http://aris.securityfocus.com
    -- 
    James P. Kinney III   \Changing the mobile computing world/
    President and CEO      \          one Linux user         /
    Local Net Solutions,LLC \           at a time.          /
    770-493-8244             \.___________________________./
    
    GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
    <jkinneyat_private>
    Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7 
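The exchange above raises a defender's problem: the worm's peers talk over UDP, UDP source addresses are trivially forged, and an operator who blocks every UDP source that floods them may end up blocking an innocent third party whose address was spoofed into the peer network. The script below is an added example, not code from the thread or from any of its participants, showing one way to triage such a flood: a flooding UDP source is only treated as a corroborated peer if the same address also completed a TCP handshake with the victim (a blindly spoofed address cannot finish one), and every other source goes to a review list rather than a block list. The log format, the victim address, the peer port 2002 and all addresses are constructed for the example and are not taken from any real tool or from the worm analysis.

```python
"""Triage a UDP flood so that blocking is not driven by spoofable UDP source
addresses alone (added example; log format and addresses are constructed)."""
import re
from collections import Counter
from typing import Dict, List, Set

# Constructed record format, not any real tool's output:
# <timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port> <detail>
# For TCP the detail is a connection state; only ESTABLISHED proves that the
# source completed a handshake. SYN_RECV is half-open and can be spoofed.
RECORD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<detail>\S+)$"
)

VICTIM = "192.0.2.10"  # constructed: the host being flooded

# Constructed sample: one source that completed a TCP handshake and then
# floods us over UDP, one UDP-only source, one source seen only half-open on
# TCP before flooding, and one single benign UDP packet (DNS reply).
SAMPLE_LOG = "\n".join(
    ["2002-09-25T14:20:01 TCP 198.51.100.7 -> 192.0.2.10:443 ESTABLISHED",
     "2002-09-25T14:20:02 TCP 198.51.100.7 -> 192.0.2.10:443 CLOSED"]
    + [f"2002-09-25T14:38:{i:02d} UDP 198.51.100.7 -> 192.0.2.10:2002 len=64"
       for i in range(10)]
    + [f"2002-09-25T14:38:{i:02d} UDP 203.0.113.44 -> 192.0.2.10:2002 len=64"
       for i in range(10)]
    + ["2002-09-25T14:38:20 TCP 203.0.113.99 -> 192.0.2.10:443 SYN_RECV"]
    + [f"2002-09-25T14:40:{i:02d} UDP 203.0.113.99 -> 192.0.2.10:2002 len=64"
       for i in range(10)]
    + ["2002-09-25T14:45:00 UDP 192.0.2.77 -> 192.0.2.10:53 len=80"]
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse flow records; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def tcp_handshake_sources(records: List[Dict[str, str]], victim: str) -> Set[str]:
    """Addresses that completed a TCP handshake with the victim."""
    return {r["src"] for r in records
            if r["proto"] == "TCP" and r["dst"] == victim
            and r["detail"] == "ESTABLISHED"}


def udp_flood_sources(records: List[Dict[str, str]], victim: str,
                      threshold: int) -> Counter:
    """UDP packet counts per source, keeping only sources at or above threshold."""
    counts = Counter(r["src"] for r in records
                     if r["proto"] == "UDP" and r["dst"] == victim)
    return Counter({src: n for src, n in counts.items() if n >= threshold})


def triage(text: str, victim: str = VICTIM, threshold: int = 5) -> Dict[str, List[str]]:
    """Split flooding UDP sources into corroborated peers and unconfirmed ones.

    A corroborated source completed a TCP handshake with us, so its address is
    real and it is worth investigating as an infected peer. An unconfirmed
    source was only ever seen over UDP: its address may be spoofed, and
    blocking it automatically is exactly the "false blocking" the thread warns
    about, so it is reported for review instead.
    """
    records = parse_log(text)
    real_peers = tcp_handshake_sources(records, victim)
    flooders = udp_flood_sources(records, victim, threshold)
    return {
        "corroborated": sorted(s for s in flooders if s in real_peers),
        "unconfirmed": sorted(s for s in flooders if s not in real_peers),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("corroborated (handshake seen; investigate as infected peers):",
          result["corroborated"])
    print("unconfirmed (UDP only; possibly spoofed; review, do not auto-block):",
          result["unconfirmed"])
```

The handshake check is deliberately narrow: it shows that the address belongs to a host that can receive our replies, which is what a bare UDP source cannot prove. It does not by itself prove the host is infected, so even the corroborated list is an investigation queue rather than a firewall rule.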
    This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 21:16:06 PDT