FW: rpc dcom worm and windowsupdate

From: Alon Tirosh (atiroshat_private)
Date: Wed Aug 13 2003 - 08:00:57 PDT


    This solution might work, provided that the assessment that the worm is
    hitting per lookup is correct. However, it wouldn’t be a valid solution
    because you're failing to address the problem. In addition, depending on the
    number of infected machines you have, this plan could have a debilitating
    effect on your network. Better to actually patch and clean the systems,
    restore from backups, do whatever you have to do. 
    
    If you're set on doing it this way, I would have a machine masquerade as
    windowsupdate.com and windowsupdate.microsoft.com via your DNS lookup
    servers, and also use your routers to shunt all traffic going to the IPs in
    question at the target machine. This way you have addressed both possible
    situations.
    
    Good luck, 
    
    Alon
    
    -----Original Message-----
    From: Oliver.Gruskovnjakat_private
    [mailto:Oliver.Gruskovnjakat_private] 
    Sent: Wednesday, August 13, 2003 5:04 AM
    To: incidentsat_private
    Subject: rpc dcom worm and windowsupdate
    
    Hey guys,
    
    OK, our company is owned by the MSBlaster worm; now we would like to keep the
    DDoS attack under control.
    Our idea is that we can make one of our proxies identify itself as
    windowsupdate.com.
    
    Now my question is: is the worm looking for windowsupdate.com via lookup, or
    does it have a fixed IP in the source?
    Does anyone know anything?
    Has anyone got the source? :)
    
    PS:
    What are you doing against it?
    
    
    regards
    
    Gruskovnjak Oliver
    ----------------------------------------------------------------------------------
    Bundesamt für Informatik und Telekommunikation BIT
    Bereitstellung Netzdienste / BZBN
    Monbijoustrasse 74
    3003 Bern
    ----------------------------------------------------------------------------------
    Tel. +41 (0) 31 323 89 84
    Fax +41 (0) 31 325 90 30
    ----------------------------------------------------------------------------------
    SMTP: oliver.gruskovnjakat_private
    WEB: www.bit.admin.ch
    ----------------------------------------------------------------------------------
    
    
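A minimal DNS sinkhole of the kind Alon describes, written here as an added example (not code from either poster): it answers A queries for windowsupdate.com and windowsupdate.microsoft.com, including subdomains, with the address of an internal decoy host (10.0.0.5 is an assumed value) and returns None for everything else so the caller can forward those to a real resolver. The source address of every sinkholed query is also the list of machines that still need patching and cleaning.

```python
import socket
import struct

# Constructed mapping: names the worm resolves -> internal decoy host (assumed address)
SINKHOLE = {
    "windowsupdate.com": "10.0.0.5",
    "windowsupdate.microsoft.com": "10.0.0.5",
}

def parse_qname(msg, offset=12):
    """Read an uncompressed QNAME starting at offset; return (name, offset after it)."""
    labels = []
    while msg[offset] != 0:
        length = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length
    return ".".join(labels), offset + 1

def build_query(name, qid=0x1234):
    """Build a standard A/IN query; used here to construct test input offline."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def sinkhole_response(query):
    """Return a forged A answer for sinkholed names, or None to let the caller forward."""
    qid = struct.unpack("!H", query[:2])[0]
    name, end = parse_qname(query)
    qtype, _qclass = struct.unpack("!HH", query[end:end + 4])
    target = next((ip for dom, ip in SINKHOLE.items()
                   if name == dom or name.endswith("." + dom)), None)
    if target is None or qtype != 1:          # not one of ours, or not an A query
        return None
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one answer
    question = query[12:end + 4]
    # Answer: pointer to the question name (0xC00C), type A, class IN, TTL 60, 4-byte rdata
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(target)
    return header + question + answer

def answered_ip(resp):
    """Extract the A record address from a response built by sinkhole_response."""
    return socket.inet_ntoa(resp[-4:])

def serve(bind=("0.0.0.0", 53)):
    """Run the sinkhole; each source address seen here is a host still asking for the update site."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        resp = sinkhole_response(data)
        if resp is not None:
            print("sinkholed query from", peer[0])   # candidate for the cleanup list
            sock.sendto(resp, peer)
```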
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 17:49:08 PDT