RE: msblast.exe worm FINDINGS (DDoS) ---> Can someone please confirm?

From: Sekurity Wizard (s.wizardat_private)
Date: Thu Aug 14 2003 - 07:00:57 PDT


    Jose,
    	Something I found that maybe you or someone else on this list
    can validate.  I've done some testing in a sandbox environment with a
    separate BIND server, and this worm is either retarded, or I missed
    something.  Here are my results:
    
    I built a BIND server (10.10.10.1/24) with a forward AND reverse DNS for
    windowsupdate.com as a fictitious address 10.10.20.10/24.  I then put an
    infected client (10.10.10.5/24) on the wire, and set the date ahead to
    the 20th (just for kicks).  This simulates a 'real' environment, since we
    typically won't be on the same network segment as windowsupdate.com,
    right?  *grin*
    
    The INFECTED CLIENT went out, did a forward DNS query, then a reverse,
    then started to ARP for the IP address that DNS had served up.  Since it
    couldn't get a reply back for the IP address (from the ARP request)...it
    continued to arp at a high rate (~10 req/sec or so) without stop....very
    strange.
    
    I then tried some other tests.  I removed the reverse DNS record, and
    since the worm couldn't complete the reverse DNS lookup, it stopped after
    attempting to - no DDoS attack...nothing.
    
    I then also removed the forward DNS record - again, no DDoS attack; it
    just cached the 'cannot find' request, and continued to go merrily along
    its way to infecting other machines (or trying to).
    
    Can anyone else independently validate these results?  I'm particularly
    interested in the first result, of the high-ARP issue...
    
    Your assistance is appreciated!
    
    ./Wiz
    
    -----Original Message-----
    From: Jose Nazario [mailto:joseat_private] 
    Sent: Thursday, August 14, 2003 1:30 AM
    To: Sekurity Wizard
    Subject: Re: msblast.exe --> DDoS against windowsupdate.com (research)
    
    
    it should work regardless of BIOS date vs windows date. make sure it has
    a DNS server that will send a valid reply. i have moved the date to
    sunday the 17th and fired it up and had it start the flood against an IP
    i had entered into a local DNS server as windowsupdate.com.
    
    in short that's my best guess, DNS. if you don't see the request, try
    firing it off again.
    
    ___________________________
    jose nazario, ph.d.			joseat_private
    					http://monkey.org/~jose/
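As an added example (not code from either message in this thread): a small detector for the high-rate ARP symptom reported above, run over constructed lines in the style of `tcpdump -tt -n arp`. The 1-second window and 5-request threshold are assumed tuning values, and the sample addresses are the ones from the test setup described in the message.

```python
import re
from collections import defaultdict

# Regexes for the two ARP line shapes in `tcpdump -tt -n arp` style output
REQ = re.compile(r"^(?P<ts>\d+\.\d+) ARP, Request who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)")
REP = re.compile(r"^(?P<ts>\d+\.\d+) ARP, Reply (?P<target>[\d.]+) is-at ")

def constructed_capture():
    """Constructed sample lines (not a real capture) reproducing the thread's
    observation: an infected host ARPing ~10 req/sec for an address that never
    answers, plus one ordinary host whose ARP request does get a reply."""
    base = 1060858800  # arbitrary epoch seconds in Aug 2003
    lines = [f"{base + i / 10:.3f} ARP, Request who-has 10.10.20.10 tell 10.10.10.5, length 28"
             for i in range(20)]
    lines.append(f"{base + 0.5:.3f} ARP, Request who-has 10.10.10.1 tell 10.10.10.7, length 28")
    lines.append(f"{base + 0.501:.3f} ARP, Reply 10.10.10.1 is-at 00:11:22:33:44:55, length 28")
    return lines

def find_arp_storms(lines, window_ms=1000, threshold=5):
    """Return {(src_ip, target_ip): peak} for every requester that sent more than
    `threshold` ARP requests for the same target inside any `window_ms` span,
    where the target never produced a reply.  Window and threshold are assumed
    tuning values, not figures from the thread."""
    requests = defaultdict(list)   # (src, target) -> request timestamps in ms
    answered = set()               # targets that were seen in an ARP reply
    for line in lines:
        m = REQ.match(line)
        if m:
            requests[(m["src"], m["target"])].append(int(round(float(m["ts"]) * 1000)))
            continue
        m = REP.match(line)
        if m:
            answered.add(m["target"])
    storms = {}
    for key, stamps in requests.items():
        if key[1] in answered:
            continue                   # the host exists; repeated ARPs are not the symptom
        stamps.sort()
        peak, lo = 0, 0
        for hi, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[lo] > window_ms:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            storms[key] = peak
    return storms

if __name__ == "__main__":
    for (src, target), peak in find_arp_storms(constructed_capture()).items():
        print(f"{src} sent {peak} unanswered ARP requests for {target} within one window")
```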
    
    This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:46:47 PDT