RE: rpc dcom worm and windowsupdate

From: Zach Forsyth (Zach.Forsythat_private)
Date: Wed Aug 13 2003 - 17:50:53 PDT


    It works fine long term if you really want, but it would be a good idea to remove the record after this worm has subsided.
    
    Windowsupdate.com is only one way of getting your patches.
    
    Try:
    
    windowsupdate.microsoft.com
    V3.windowsupdate.microsoft.com
    V4.windowsupdate.microsoft.com
    
    Etc.
    
    You can safely set a DNS record for windowsupdate.com to 127.0.0.1 without affecting most users' ability to update. This worm is very poorly written; perhaps another candidate for a conspiracy theory regarding certain sources releasing mainly harmless worms in order to force the world to patch before something more sinister is released.
    
    :)
    
    -----Original Message-----
    From: Chris Barber [mailto:cbarberat_private] 
    Sent: Thursday, 14 August 2003 1:24 AM
    To: incidentsat_private
    Subject: RE: rpc dcom worm and windowsupdate
    
    
    That will work short term.  Once you have your network clean, do not forget to take that pointer out so that Windows Update will work; then, when Bill's next security hole is released, you can update your PCs via this wonderful feature.
    
    -----Original Message-----
    From: Compton, Rich [mailto:RComptonat_private] 
    Sent: Wednesday, August 13, 2003 10:57 AM
    To: 'Oliver.Gruskovnjakat_private'; incidentsat_private
    Subject: RE: rpc dcom worm and windowsupdate
    
    
    The worm does a lookup on windowsupdate.com so if you put in a record on your dns servers to point to, say, 127.0.0.1 you can redirect the attack to target the host computer loopback instead of taking out your network bandwidth.
    
    -Rich
    
    -----Original Message-----
    From: Oliver.Gruskovnjakat_private [mailto:Oliver.Gruskovnjakat_private]
    Sent: Wednesday, August 13, 2003 4:04 AM
    To: incidentsat_private
    Subject: rpc dcom worm and windowsupdate
    
    
    Hey guys,
    
    OK, our company is owned by the MSBlaster worm; now we would like to keep the DDoS attack under control. Our idea is that we can make one of our proxies identify itself as windowsupdate.com.
    
    Now my question is: is the worm looking for windowsupdate.com via a lookup, or does it have a fixed IP in the source? Does someone know anything? Does someone have the source? :)
    
    PS:
    What are you doing against it?
    
    
    regards
    
    Gruskovnjak Oliver
    ----------------------------------------------------------------------------------
    Bundesamt für Informatik und Telekommunikation BIT
    Bereitstellung Netzdienste / BZBN
    Monbijoustrasse 74
    3003 Bern
    ----------------------------------------------------------------------------------
    Tel. +41 (0) 31 323 89 84
    Fax +41 (0) 31 325 90 30
    ----------------------------------------------------------------------------------
    SMTP: oliver.gruskovnjakat_private
    WEB: www.bit.admin.ch
    ----------------------------------------------------------------------------------
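The DNS sinkhole discussed in this thread is easy to get half right: the record for windowsupdate.com has to answer with a loopback address so the flood stays on the infected host, while the other Windows Update hostnames Zach lists must keep resolving to real addresses or nobody can patch. The script below is an added example, not code from any of the posters; it audits a resolver for exactly that. The hostnames are the ones named in the thread. The sample answers are constructed (TEST-NET addresses, not real lookups), and treating any 127/8 or ::1 answer as "sinkholed" is an assumption of the check, not something the thread states.

```python
"""Verify a windowsupdate.com DNS sinkhole without breaking Windows Update.

Added example, not part of the original thread. The hostnames come from the
messages above; the sample answers and the audit rules are assumptions made
for illustration.
"""
import ipaddress
import socket

# The name the worm resolves before flooding. The internal zone should answer
# with a loopback address so the SYN flood never leaves the infected host.
SINKHOLED = ("windowsupdate.com",)

# Names quoted in the thread as alternative update paths; they must keep
# resolving to non-loopback addresses so patching still works.
MUST_RESOLVE = (
    "windowsupdate.microsoft.com",
    "v3.windowsupdate.microsoft.com",
    "v4.windowsupdate.microsoft.com",
)


def is_loopback(addr):
    """True if addr is a valid IPv4/IPv6 address in the loopback range."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit(answers):
    """Classify resolver answers.

    answers: dict of hostname -> IP string, or None if resolution failed.
    Returns hostname -> "ok" | "not-sinkholed" | "update-path-broken".
    """
    report = {}
    for name in SINKHOLED:
        addr = answers.get(name)
        report[name] = "ok" if addr and is_loopback(addr) else "not-sinkholed"
    for name in MUST_RESOLVE:
        addr = answers.get(name)
        healthy = addr is not None and not is_loopback(addr)
        report[name] = "ok" if healthy else "update-path-broken"
    return report


def sinkhole_effective(answers):
    """True only when the worm's target is sinkholed AND update paths work."""
    return all(status == "ok" for status in audit(answers).values())


def resolve_all(resolver=socket.gethostbyname):
    """Query every name through the given resolver; None marks a failure.

    The default uses the host's own resolver, so run this on a machine that
    actually uses the internal DNS servers you changed.
    """
    answers = {}
    for name in SINKHOLED + MUST_RESOLVE:
        try:
            answers[name] = resolver(name)
        except socket.gaierror:
            answers[name] = None
    return answers


# Constructed sample answers (TEST-NET addresses, not real lookups).
# SAMPLE_GOOD is what a correctly configured internal resolver should return;
# SAMPLE_OVERREACH shows a sinkhole applied too broadly, which silently
# breaks the update path the worm's victims need most.
SAMPLE_GOOD = {
    "windowsupdate.com": "127.0.0.1",
    "windowsupdate.microsoft.com": "192.0.2.10",
    "v3.windowsupdate.microsoft.com": "192.0.2.11",
    "v4.windowsupdate.microsoft.com": "192.0.2.12",
}
SAMPLE_OVERREACH = dict(SAMPLE_GOOD, **{"v4.windowsupdate.microsoft.com": "127.0.0.1"})

if __name__ == "__main__":
    # Live check against this host's resolver (only runs when executed directly).
    for name, status in audit(resolve_all()).items():
        print(f"{name:35} {status}")
```

Run it from a host inside the network after the record is added, and again after the record is removed once the worm has subsided (at which point "not-sinkholed" for windowsupdate.com is the result you want). A name that fails to resolve at all is reported as "update-path-broken", since a missing answer stops patching just as surely as a loopback one.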



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 19:41:26 PDT