Security Incidents mailing list archives

Re: slapper worm varient "cinik"


From: "Toni Heinonen" <Toni.Heinonen () teleware fi>
Date: Fri, 27 Sep 2002 16:25:36 +0300

Well, actually, I do believe the whole p2p network has some sort of password arrangement so only the intended sources 
can control it. However, that password has already been reverse-engineered from the binaries by many parties, I have 
heard. So no, you don't even have to spoof your address, all you have to do is get that password from the binaries...

-- 
Toni Heinonen, Teleware Oy
  Wireless +358 (40) 836 1815
  Telephone +358 (9) 3434 9123
  toni.heinonen () teleware fi
  www.teleware.fi


-----Original Message-----
From: Mark [mailto:mark () uniontown com]
Sent: 26 September 2002 18:16
To: Anton A. Chuvakin; James P. Kinney III
Cc: incidents () securityfocus com
Subject: Re: slapper worm varient "cinik"


Which brings up another point.  It uses TCP to infect, but 
UDP for the peer communication, right?  UDP is so easily 
spoofed, what's to keep me from falsely pretending that I am 
an infected machine at Company X via a simple UDP spoof, 
causing the peers to DoS Company X, essentially DoSsing 
anyone I wished anonymously?

-Mark

----- Original Message -----
From: "Anton A. Chuvakin" <anton () chuvakin org>
To: "James P. Kinney III" <jkinney () localnetsolutions com>
Cc: <incidents () securityfocus com>
Sent: Wednesday, September 25, 2002 2:38 PM
Subject: Re: slapper worm varient "cinik"


James and all,

> Apparently the intruder got rather upset I spoiled his fun and about
> 15 minutes after I shut him out, I was a victim of a udp-based DOS
> attack.

Actually, it wasn't an intruder; the UDP flood you are experiencing is
a consequence of a worm network design. Most likely the worm managed
to join the network before you shut it down and now its peers are
trying to access your machine.

For more info go to
http://isc.incidents.org/analysis.html?id=169 and
http://isc.incidents.org/analysis.html?id=167

Best,
--
  Anton A. Chuvakin, Ph.D., GCIA
     http://www.chuvakin.org
   http://www.info-secure.org



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



