Educause Security Discussion mailing list archives
Identifying Blaster worm (and possibly variants?)
From: "Jon E. Mitchiner" <jon.mitchiner () GALLAUDET EDU>
Date: Tue, 19 Aug 2003 10:41:45 -0400
I was looking for a way last week to be able to automatically identify someone who is infected with the Blaster worm and take appropriate action quickly. I found the easiest way to do this was to monitor the DNS servers. I tried following Symantec's suggestion to make a DNS entry for windowsupdate.com -- this didn't work because Blaster spoofed the IPs, making it difficult and too time-consuming to track the origin.

While I was monitoring the DNS server I noticed a strange characteristic of the Blaster worm. The worm would initially attempt to look up "windowsupdate.com". This could also be an individual who mistyped the website as windowsupdate.com rather than windowsupdate.microsoft.com. The strange thing is that when the lookup for windowsupdate.com fails, Blaster appends the domain name next. For instance, our domain name is Gallaudet.edu -- Blaster would then look up "windowsupdate.com.gallaudet.edu". If anyone looks up this address at Gallaudet, we assume immediately they are probably infected with the Blaster worm.

This has made identification a lot easier, especially when students are plugging their computers in in their dorms and they were infected elsewhere (e.g. from their home, etc.). I hope this helps someone.

Jon Mitchiner

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
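The detection Jon describes, written out as a small log-scanning script. This is an added example, not code from the original post or from Gallaudet: it reads DNS query-log lines in a BIND-like format (the sample lines below are constructed, not a real capture), treats a lookup of "windowsupdate.com.<local domain>" as the strong indicator, and keeps the bare "windowsupdate.com" lookup separate as a weak signal, since the post notes that one can be a user's typo. The local domain name and the parsing regex are assumptions; adapt the regex to whatever your resolver actually logs.

```python
"""
Flag DNS clients whose lookups match the Blaster search-suffix pattern
described in the post: "windowsupdate.com" followed by the site's own domain.
"""
import re
from collections import defaultdict

# Constructed sample of BIND-style query-log lines (not a real capture).
SAMPLE_LOG = """\
19-Aug-2003 09:12:01.001 client 10.1.4.22#1033: query: windowsupdate.com IN A
19-Aug-2003 09:12:01.042 client 10.1.4.22#1034: query: windowsupdate.com.gallaudet.edu IN A
19-Aug-2003 09:12:05.310 client 10.1.7.9#3021: query: windowsupdate.microsoft.com IN A
19-Aug-2003 09:13:44.777 client 10.1.9.130#1025: query: windowsupdate.com IN A
19-Aug-2003 09:15:02.900 client 10.1.2.55#1061: query: WindowsUpdate.COM.gallaudet.edu. IN A
"""

# The site's DNS search suffix (assumption: taken from the post's example).
LOCAL_DOMAIN = "gallaudet.edu"

# Tolerant parser: pulls the client IP and the queried name from a BIND-like line.
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+)"
)


def classify_query(name, local_domain=LOCAL_DOMAIN):
    """Return 'suffixed' for windowsupdate.com.<local domain> (strong indicator),
    'bare' for a plain windowsupdate.com lookup (weak: could be a typo),
    or None for any other name. Case and a trailing dot are ignored."""
    n = name.lower().rstrip(".")
    if n == "windowsupdate.com." + local_domain.lower():
        return "suffixed"
    if n == "windowsupdate.com":
        return "bare"
    return None


def find_suspects(log_text, local_domain=LOCAL_DOMAIN):
    """Map client IP -> set of indicator kinds ('bare', 'suffixed') seen for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        kind = classify_query(m.group("name"), local_domain)
        if kind:
            seen[m.group("ip")].add(kind)
    return dict(seen)


def probably_infected(log_text, local_domain=LOCAL_DOMAIN):
    """Clients that issued the suffixed lookup, i.e. the hosts the post treats
    as probably infected, sorted for stable output."""
    return sorted(
        ip for ip, kinds in find_suspects(log_text, local_domain).items()
        if "suffixed" in kinds
    )


if __name__ == "__main__":
    for ip in probably_infected(SAMPLE_LOG):
        print("probable Blaster host:", ip)
    # Bare-only clients are worth a second look but are not flagged outright.
    for ip, kinds in find_suspects(SAMPLE_LOG).items():
        if kinds == {"bare"}:
            print("bare windowsupdate.com lookup only (possible typo):", ip)
```

Tailing the resolver's query log through `find_suspects` gives a list of candidates for the network team to follow up on; the "suffixed" class is the one the post relies on, because an interactive user typing a URL does not normally generate the search-suffix retry.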