Full Disclosure mailing list archives

Mydoom DoS attack bug


From: Joe Stewart <jstewart () lurhq com>
Date: Thu, 29 Jan 2004 17:24:53 -0500

Here's why people have been getting inconsistent results when setting 
the system date forward and looking for the DoS attack to start:

Beginning of DDoS date check subroutine:

4A3DB0 PUSH EBP                                 ;  callCreateSCOddos
4A3DB1 MOV EBP,ESP
4A3DB3 SUB ESP,10


Get the current system time as a FILETIME struct:

4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
4A3DB9 PUSH EAX
4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]


Convert the stored DoS start date from SystemTime to FileTime:

4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
4A3DC3 PUSH EAX
4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
4A3DC7 ADD EAX,214                              
4A3DCC PUSH EAX                                  ; Feb 1, 2004
4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]


Compare high-order dword dwHighDateTime:

4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
4A3DD9 JB SHORT <message.skipDoS>    


Compare low-order dword dwLowDateTime:

4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
4A3DE1 JB SHORT <message.skipDoS>


Start the DoS:

4A3DE3 CALL <message.createSCOddos>             ; DoS_Loop
4A3DE8 PUSH 400
4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
4A3DF3 JMP SHORT <message.DoS_Loop>
4A3DF5 LEAVE                                    ; skipDos
4A3DF6 RETN

From MSDN:
The FILETIME structure is a 64-bit value representing the number of 
100-nanosecond intervals since January 1, 1601 (UTC).

typedef struct _FILETIME {
  DWORD dwLowDateTime;
  DWORD dwHighDateTime;
} FILETIME, 
*PFILETIME;

The stored starttime as filetime is:
0xbe9ecb00
0x01c3e8dd

Because the dwords are compared independently, the DoS will not start 
anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter 
what the dwHighDateTime is. Obviously, this is close to three-quarters 
of the time.

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/
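The comparison bug Joe describes, reproduced as an added example (not code from the post): portable C with a local struct that has the FILETIME layout quoted above, the stored start time 0x01c3e8dd:0xbe9ecb00 from the post, the dword-by-dword check as disassembled beside the intended single 64-bit comparison, and a helper that walks the clock forward a day at a time. The helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Same layout as the Win32 FILETIME struct quoted in the post. */
typedef struct { uint32_t dwLowDateTime; uint32_t dwHighDateTime; } filetime_t;
/* The stored DoS start time (Feb 1, 2004) as given in the post. */
static const filetime_t START = { 0xbe9ecb00u, 0x01c3e8ddu };
#define FT_PER_DAY 864000000000LL   /* 100-ns intervals in one day */

static uint64_t ft_to_u64(filetime_t ft) {
    return ((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime;
}
static filetime_t ft_from_u64(uint64_t v) {
    filetime_t ft = { (uint32_t)v, (uint32_t)(v >> 32) };
    return ft;
}

/* Mydoom's check as disassembled: each dword compared on its own, so a
 * current time with a small low dword looks "too early" even years later.
 * Returns 1 when the worm would enter the DoS loop. */
int mydoom_should_attack(filetime_t now) {
    if (now.dwHighDateTime < START.dwHighDateTime) return 0; /* JB skipDoS */
    if (now.dwLowDateTime  < START.dwLowDateTime)  return 0; /* JB skipDoS */
    return 1;
}

/* The intended check: one unsigned 64-bit comparison. */
int correct_should_attack(filetime_t now) {
    return ft_to_u64(now) >= ft_to_u64(START);
}

/* START shifted by a whole number of days; negative values go backwards. */
filetime_t start_plus_days(int days) {
    int64_t v = (int64_t)ft_to_u64(START) + (int64_t)days * FT_PER_DAY;
    return ft_from_u64((uint64_t)v);
}

/* Share of low-dword values below the stored one, i.e. how often the buggy
 * check skips the DoS once the start date has passed (about 74%). */
double fraction_wrongly_skipped(void) { return START.dwLowDateTime / 4294967296.0; }

int main(void) {
    for (int day = -1; day <= 3; day++) {
        filetime_t t = start_plus_days(day);
        printf("start %+d day(s): high=%08x low=%08x mydoom=%d correct=%d\n", day,
               t.dwHighDateTime, t.dwLowDateTime, mydoom_should_attack(t),
               correct_should_attack(t));
    }
    return 0;
}
```

Two days after the start date the low dword has wrapped to 0x13724b00, so the disassembled check skips the attack while the 64-bit comparison correctly fires.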

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
