Security Incidents mailing list archives
VS: slapper worm varient "cinik"
From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Fri, 27 Sep 2002 16:25:36 +0300
Well, actually, I do believe the whole p2p network has some sort of password arrangement so only the intended sources can control it. However, that password has already been reverse-engineered from the binaries by many parties, I have heard.

So no, you don't even have to spoof your address, all you have to do is get that password from the binaries...

--
Toni Heinonen, Teleware Oy
Wireless +358 (40) 836 1815
Telephone +358 (9) 3434 9123
toni.heinonen () teleware fi
www.teleware.fi
-----Original Message-----
From: Mark [mailto:mark () uniontown com]
Sent: 26 September 2002 18:16
To: Anton A. Chuvakin; James P. Kinney III
Cc: incidents () securityfocus com
Subject: Re: slapper worm varient "cinik"

Which brings up another point. It uses TCP to infect, but UDP for the peer communication, right? UDP is so easily spoofed, what's to keep me from falsely pretending that I am an infected machine at Company X via a simple UDP spoof, causing the peers to DoS Company X, essentially DoSsing anyone I wished anonymously?

-Mark

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "James P. Kinney III" <jkinney () localnetsolutions com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, September 25, 2002 2:38 PM
Subject: Re: slapper worm varient "cinik"

James and all,

> Apparently the intruder got rather upset I spoiled his fun and about
> 15 minutes after I shut him out, I was a victim of a udp-based DOS attack.

Actually, it wasn't an intruder; the UDP flood you are experiencing is a consequence of a worm network design. Most likely the worm managed to join the network before you shut it down and now its peers are trying to access your machine. For more info go to http://isc.incidents.org/analysis.html?id=169 and http://isc.incidents.org/analysis.html?id=167

Best,
--
Anton A. Chuvakin, Ph.D., GCIA
http://www.chuvakin.org
http://www.info-secure.org

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com