Jose,

Something I found that maybe you or someone else on this list can validate. I've done some testing in a sandbox environment with a separate BIND server, and this worm is either retarded, or I missed something. Here are my results:

I built a BIND server (10.10.10.1/24) with a forward AND reverse DNS for windowsupdate.com as a fictitious address 10.10.20.10/24. I then put an infected client (10.10.10.5/24) on the wire, and set the date ahead to the 20th (just for kicks). This simulates a 'real' environment, since we typically won't be on the same network segment as windowsupdate.com, right? *grin*

The INFECTED CLIENT went out, did a forward DNS query, then a reverse, then started to ARP for the IP address that DNS had served up. Since it couldn't get a reply back for the IP address (from the ARP request)...it continued to ARP at a high rate (~10 req/sec or so) without stop....very strange.

I then tried some other tests. I removed the reverse DNS lookup, and since the worm couldn't find the reverse DNS lookup - it stopped after attempting to - no DDoS attack...nothing.

I then also removed the forward DNS record - again, no DDoS attack, it just cached the 'cannot find' request, and continued to go merrily along its way to infecting other machines (or trying to).

Can anyone else independently validate these results? I'm particularly interested in the first result, of the high-ARP issue...

Your assistance is appreciated!

./Wiz

-----Original Message-----
From: Jose Nazario [mailto:joseat_private]
Sent: Thursday, August 14, 2003 1:30 AM
To: Sekurity Wizard
Subject: Re: msblast.exe --> DDoS against windowsupdate.com (research)

it should work regardless of BIOS date vs windows date. make sure it has a DNS server that will send a valid reply. i have moved the date to sunday the 17th and fired it up and had it start the flood against an IP i had entered into a local DNS server as windowsupdate.com. in short that's my best guess, DNS.

if you don't see the request, try firing it off again.

___________________________
jose nazario, ph.d. joseat_private http://monkey.org/~jose/
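The first observation in the thread (an infected host that keeps ARPing for the sinkholed windowsupdate.com address at roughly 10 requests per second because nothing ever answers) is a symptom you can detect on the wire. The following is an added example, not code from either poster: it parses tcpdump-style ARP lines (the `-tt -n` text format) and flags any sender that repeatedly ARPs for the same target at a high rate without a matching ARP reply ever appearing. The capture lines, the addresses 10.10.10.5 / 10.10.20.10 / 10.10.10.1 taken from the sandbox described above, the MAC address, the timestamps and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict

# The two tcpdump line shapes we care about, as printed by "tcpdump -tt -n arp".
# Assumed format; adjust the patterns if your tcpdump prints ARP differently.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d+\.\d+) ARP, Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
ARP_REPLY = re.compile(
    r"^(?P<ts>\d+\.\d+) ARP, Reply (?P<target>[\d.]+) is-at ")


def parse_arp(lines):
    """Yield (kind, timestamp, target_ip, sender_ip) for ARP lines.

    kind is 'request' or 'reply'; sender_ip is None for replies.
    Lines that are not ARP requests/replies (e.g. IP traffic) are skipped.
    """
    for line in lines:
        m = ARP_REQUEST.match(line)
        if m:
            yield "request", float(m["ts"]), m["target"], m["sender"]
            continue
        m = ARP_REPLY.match(line)
        if m:
            yield "reply", float(m["ts"]), m["target"], None


def find_arp_storms(lines, min_rate=5.0, min_requests=20):
    """Return {(sender, target): rate} for hosts ARPing for an unanswered target.

    A (sender, target) pair is flagged when the sender issued at least
    min_requests ARP requests for the target at >= min_rate requests/second
    and no ARP reply for that target was seen anywhere in the capture.
    The unanswered-target condition is what separates the worm's behaviour
    from a busy but healthy host.
    """
    requests = defaultdict(list)   # (sender, target) -> request timestamps
    answered = set()               # targets for which an ARP reply was observed
    for kind, ts, target, sender in parse_arp(lines):
        if kind == "request":
            requests[(sender, target)].append(ts)
        else:
            answered.add(target)

    storms = {}
    for (sender, target), stamps in requests.items():
        if target in answered or len(stamps) < min_requests:
            continue
        span = max(stamps) - min(stamps)
        rate = len(stamps) / span if span > 0 else float("inf")
        if rate >= min_rate:
            storms[(sender, target)] = round(rate, 1)
    return storms


def constructed_capture():
    """Constructed capture modelled on the sandbox in the post; not real data.

    10.10.10.5 (the infected client) ARPs ten times a second for 10.10.20.10
    (the sinkholed windowsupdate.com address), which never answers, then does
    one normal ARP for the gateway 10.10.10.1, which does answer.
    """
    base = 1060876800.0  # arbitrary epoch timestamp (mid-August 2003)
    lines = [
        f"{base + i / 10:.3f} ARP, Request who-has 10.10.20.10 tell 10.10.10.5, length 28"
        for i in range(30)
    ]
    lines.append(f"{base + 3.0:.3f} ARP, Request who-has 10.10.10.1 tell 10.10.10.5, length 28")
    lines.append(f"{base + 3.001:.3f} ARP, Reply 10.10.10.1 is-at 00:0c:29:aa:bb:cc, length 28")
    # A non-ARP line, to show the parser ignores other traffic.
    lines.append(f"{base + 3.5:.3f} IP 10.10.10.5.1034 > 10.10.10.1.53: 1234+ A? windowsupdate.com. (35)")
    return lines


if __name__ == "__main__":
    for (sender, target), rate in find_arp_storms(constructed_capture()).items():
        print(f"{sender} is ARPing for unanswered {target} at ~{rate} req/s")
```

To run it against a live segment, feed it the output of `tcpdump -tt -n -l arp` line by line and tune `min_rate` and `min_requests` to the segment's normal ARP volume; the gateway request in the constructed data is deliberately included to show that an answered target is never flagged, however often it is asked for.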
This archive was generated by hypermail 2b30 : Thu Aug 14 2003 - 11:46:47 PDT