> From: Dave Ahmad [mailto:daat_private]
> Sent: 11 August 2003 11:36
> Subject: DCOM worm analysis report: W32.Blaster.Worm
> ..
> https://tms.symantec.com/members/AnalystReports/030811-Alert-DCOMworm.pdf
> ..

If the information contained herein is still correct, then it would appear that the algorithm used for target IP selection is far from optimal, and would result in a large concentration of traffic around the IP address ranges of the initial infections. While this is probably a bad thing for those concerned, this should at least buy the rest of the 'net some time to bunker down and ensure that their systems get patched. Unfortunately, scare situations like this may be the only way to get most of the machines patched.

Also, if this 80/20 rule for OS selection applies (80% XP, 20% Win2k), then a lot of countries that are still predominantly running Windows 2000 will experience a slower infection rate. I haven't run any figures to determine exactly what the difference will be, but given that here in South Africa, out of a web server version list of 100k odd machines, IIS/5.0 was vastly predominant, it would make some difference at least.

Q: Does the exploit use shellcode that includes a call to ExitThread or the like, so as *not* to take down the RPC service? From the comment about the mutex lock, it would appear that there is some expectation of a reinfection, so I'd guess that that was the case. Still, I'd like confirmation. If the RPC service got taken down, then I'm sure that a lot of sysadmins would notice a lot more quickly.

--
Andrew G. Thomas
Hobbs & Associates Chartered Accountants (SA)
(o) +27-(0)21-683-0500
(f) +27-(0)21-683-0577
(m) +27-(0)83-318-4070
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 16:41:22 PDT