RE: rpc dcom worm and windowsupdate

From: Chris Barber (cbarberat_private)
Date: Wed Aug 13 2003 - 08:24:25 PDT

Next message: Flowers, Katie: "RE: rpc dcom worm and windowsupdate"

Previous message: Alon Tirosh: "RE: MSBlast and other known exploits.."
In reply to: Compton, Rich: "RE: rpc dcom worm and windowsupdate"
Next in thread: Flowers, Katie: "RE: rpc dcom worm and windowsupdate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

That will work short term.  Once you have your network Clean do not forget
to take that pointer out so that Windows update will work so when Bill's
next security hole is released you can update your PCs via this Wonderful
feature.

-----Original Message-----
From: Compton, Rich [mailto:RComptonat_private] 
Sent: Wednesday, August 13, 2003 10:57 AM
To: 'Oliver.Gruskovnjakat_private'; incidentsat_private
Subject: RE: rpc dcom worm and windowsupdate

The worm does a lookup on windowsupdate.com so if you put in a record on
your dns servers to point to, say, 127.0.0.1 you can redirect the attack to
target the host computer loopback instead of taking out your network
bandwidth.

-Rich

-----Original Message-----
From: Oliver.Gruskovnjakat_private
[mailto:Oliver.Gruskovnjakat_private]
Sent: Wednesday, August 13, 2003 4:04 AM
To: incidentsat_private
Subject: rpc dcom worm and windowsupdate

Hey guys,

Ok our company is owned by the msblaster worm, now we would like to keep the
ddos attack under control. Our Idea is, that we can make that one of our
proxies will identify himself as windowsupdate.com.

Now my question is, is the Worm looking for windowsupdate.com per Lookup or
has it a fix ip in the Source ? Does someone know anything ? Haves some the
sorce :)

PS:
What are you doing against it ?

regards

Gruskovnjak Oliver 
----------------------------------------------------------------------------
------
Bundesamt für Informatik und Telekommunikation BIT 
Bereitstellung Netzdienste / BZBN
Monbijoustrasse 74 
3003 Bern 
----------------------------------------------------------------------------
------
Tel. +41 (0) 31 323 89 84
Fax +41 (0) 31 325 90 30 
----------------------------------------------------------------------------
------
SMTP: oliver.gruskovnjakat_private

WEB: www.bit.admin.ch
----------------------------------------------------------------------------
------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Flowers, Katie: "RE: rpc dcom worm and windowsupdate"
Previous message: Alon Tirosh: "RE: MSBlast and other known exploits.."
In reply to: Compton, Rich: "RE: rpc dcom worm and windowsupdate"
Next in thread: Flowers, Katie: "RE: rpc dcom worm and windowsupdate"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:22:37 PDT