Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Windows Dcom Worm planned DDoS

From: "Matthew Murphy" <mattmurphy () kc rr com>
Date: Tue, 12 Aug 2003 11:39:26 -0500
"Nick FitzGerald" <nick () virus-l demon co uk> writes:

And, of course, if MS started messing with the DNS entries for
windowsupdate.com, it would be cutting an awful lot of users off from
much needed updates. which could be as disturbing as the rest of the
worm's effects...


Well, this could potentially be the case.  However, the actual domain used
by the WU server is "windowsupdate.microsoft.com".  At this point,
"windowsupdate.com" is just a redirect for sloppy admins/users.  The WU
binaries distributed with systems (i.e, Automatic Updating on Windows XP),
and the internal Microsoft documentation all point users to
"windowsupdate.microsoft.com", so disabling the DNS of "windowsupdate.com"
would not prevent updating if the user has the proper reference material at
hand.

That said, even if Microsoft *did* mess with the DNS, that would result in a
flurry of port 53 traffic to perform the resolutions.  Also, you still have
a potential for a slight negative effect on patch distribution, and patch
distribution is a *needed* channel.  Of course, if WU gets taken down by the
floods, we're back at square one, as WU remains the primary distribution
mechanism for patches to home users.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: