Security Incidents mailing list archives

Re: Flash Worms


From: "Shoten" <shoten () starpower net>
Date: Wed, 22 Aug 2001 15:32:26 -0400

Now I do doubt anyone who would release this would have access to an OC-12
line to release the payload.  But that doesn't mean he/she couldn't hack
into a site that does.  Or hack into multiple sites and release the
payload from multiple sites at one time.

Sayyyy....have any universities been compromised lately?  But the real point
here is not the initial release; it's the scanning for vulnerable IPs that
happens BEFORE that, to develop the "master list" of targets.  Any
compromised site having full saturation of an OC-12-ish line due to a
vulnerability scan of 0.0.0.0/0 is probably going to notice it, no matter
HOW braindead they might be.  But a distributed scan, in lieu of a DDoS,
would work, although it does pose its own problems.  Just build a zombie
that will scan instead of DoS, and have some method by which you can
reliably recover its results.

Oooooh, here you go...have it both scan AND DDoS...have it DDoS you with
ICMP that contains the slightly obfuscated/copyprotected (I hear Adobe's
been doing great things with XOR lately, perhaps they want to chime in?)
results of the scans.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
