Full Disclosure mailing list archives

RE: Windows Dcom Worm planned DDoS

From: "Andrew Thomas" <andrewt () nmh co za>
Date: Tue, 12 Aug 2003 13:37:15 +0200

From: Chris Eagle [mailto:cseagle () redshift com] 
Sent: 12 August 2003 01:31
Subject: RE: [Full-disclosure] Windows Dcom Worm planned DDoS


The IP is not hard coded.  It does a lookup on "windowsupdate.com"


Allowing the option for corporates and/or isp's to dns poison that
to resolve to 127.0.0.1, or even dns race with tools like team teso's
if one doesn't use internal/cacheing NS.

Might save some traffic on 15 August. Alternative, route all traffic
to the resolved IP addresses to /dev/null, but with the above, the
traffic shouldn't even leave the machine in question.

--
Andrew G. Thomas
Hobbs & Associates Chartered Accountants (SA)
(o) +27-(0)21-683-0500
(f) +27-(0)21-683-0577
(m) +27-(0)83-318-4070 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
- RE: Windows Dcom Worm planned DDoS Chris Eagle (Aug 12)
  - RE: Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
    - Re: [normal] RE: Windows Dcom Worm planned DDoS opticfiber (Aug 12)
    - Re: [normal] RE: Windows Dcom Worm planned DDoS martin f krafft (Aug 12)
    - Re: [normal] RE: Windows Dcom Worm planned DDoS martin f krafft (Aug 12)
    - RE: Re: [normal] RE: Windows Dcom Worm planned DDoS Marc Maiffret (Aug 12)
    - Re: [normal] RE: Windows Dcom Worm planned DDoS James Greenhalgh (Aug 12)
    - Re: [normal] RE: Windows Dcom Worm planned DDoS morning_wood (Aug 12)
- Re: Windows Dcom Worm planned DDoS Nick FitzGerald (Aug 12)
  - RE: Windows Dcom Worm planned DDoS Andrew Thomas (Aug 12)
    - Re: Windows Dcom Worm planned DDoS Franky Van Liedekerke (Aug 12)
    - Re: Windows Dcom Worm planned DDoS Jeremiah Cornelius (Aug 12)

(Thread continues...)