Full Disclosure mailing list archives

Re: msblast is starting now


From: "Bernie, CTA" <cta () hcsin net>
Date: Fri, 15 Aug 2003 12:59:24 -0400

Now I don't think that was such a smart move. 

It wouldn't take much to set up a bunch of bogus DNS servers to 
answer as "windowsupdate.com" with a pointer to a new A record, 
or better yet, round-robin to an infinite number of FQDNs, or IP 
addresses.  In fact, a new variant placed on a compromised system 
could help (direct) Windows TCP/IP to find and use these bogus 
NS, giving almost endless control of the target address.

Hey, great pre-school project for the script kiddies!


On 15 Aug 2003 at 12:05, Jonathan Rickman wrote:

-----BEGIN PGP SIGNED MESSAGE-----

On Friday 15 August 2003 07:03, B3r3n wrote:
msblast starts now in far eastern countries. We have a site in
Auckland and so I'll know soon if our DNS to localhost
protection is valuable.

It is irrelevant now. MS has removed the DNS entries for
windowsupdate.com.

-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

