Security Incidents mailing list archives

Re: slapper worm varient "cinik"

From: "James P. Kinney III" <jkinney () localnetsolutions com>
Date: 26 Sep 2002 11:35:03 -0400

My understanding is that tcp is used during the breakin process. UDP is
then used to communicate with "home base" and other infected machines.
It sets a P2P network using UDP protocols.

I expect that false blocking will occur.

On Thu, 2002-09-26 at 11:16, Mark wrote:

Which brings up another point.  It uses TCP to infect, but UDP for the peer
communication, right?  UDP is so easily spoofed, what's to keep me from
falsely pretending that I am an infected machine at Company X via a simple
UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I
wished anonymously?

-Mark

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "James P. Kinney III" <jkinney () localnetsolutions com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, September 25, 2002 2:38 PM
Subject: Re: slapper worm varient "cinik"

James and all,

Apparently the intruder got rather upset I spoiled his fun and about 15
minutes after I shut him out, I was a victim of a udp-based DOS attack.

Actually, it wasn't an intruder; the UDP flood you are experiencing is a
consequence of a worm network design. Most likely the worm managed to join
the network before you shut it down and now its peers are trying to access
your machine.

For more info got to http://isc.incidents.org/analysis.html?id=169 and
http://isc.incidents.org/analysis.html?id=167

Best,
--
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org


--------------------------------------------------------------------------

--

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-- 
James P. Kinney III   \Changing the mobile computing world/
President and CEO      \          one Linux user         /
Local Net Solutions,LLC \           at a time.          /
770-493-8244             \.___________________________./

GPG ID: 829C6CA7 James P. Kinney III (M.S. Physics)
<jkinney () localnetsolutions com>
Fingerprint = 3C9E 6366 54FC A3FE BA4D 0659 6190 ADC3 829C 6CA7

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

slapper worm varient "cinik" James P. Kinney III (Sep 25)
- Re: slapper worm varient "cinik" Anton A. Chuvakin (Sep 25)
  - Re: slapper worm varient "cinik" Mark (Sep 26)
    - Re: slapper worm varient "cinik" James P. Kinney III (Sep 26)