Information Security News mailing list archives

Re: Code Red Tribulation is nigh, Steve Gibson warns


From: InfoSec News <isn () c4i org>
Date: Wed, 1 Aug 2001 04:49:12 -0500 (CDT)

Forwarded by: Paul Cardon <paul () moquijo com>

InfoSec News wrote:
 
In fact, raw sockets have no relevance to this particular worm. I
actually have examined it, and while I'm impressed by its compactness
and power, and the speed with which it was hacked out, it's clear that
the author wanted to know which machines it had infected. Packet
spoofing would have frustrated that ambition perfectly. (Oh, and
because the .IDA hole which the worm exploits yields system-level
access, knowing which among thousands of boxes are infected is a whole
lot nastier than any spoofed-packet flood could hope to be.)

I'm not alone here. Vmyths founder Rob Rosenberger, who, like myself,
has debunked Gibson at length before an ungrateful army of GRC
patsies, agrees.

"[Gibson] contends Code Red would've been more effective if it used
raw sockets. I contend it would've been less effective. The
router/spoofing RFCs would've negated some of the zombies by refusing
to let them push," Rosenberger says.

It would be so much more ineffective than that.  Code Red makes a TCP
connection in order to infect other systems.  That can't be done from a
spoofed source unless you have the ability to reliably predict ISNs
(initial sequence numbers).  Gibson is choosing to ignore that very
important detail.  Some NT systems may have weaker (but not trivially
guessable) ISNs. Win2k and WinXP systems should be in good shape since
Newsham's statistical analysis of ISNs is not really feasible for use in
worm code.

-paul
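The point Paul makes, modelled as an added example that is not part of the thread: a toy TCP handshake in which a worm that spoofs its source never sees the SYN-ACK and must guess the server's ISN. It is accepted by a counter-stepped generator in the style of older stacks and rejected by an RFC 6528-style keyed hash; addresses, ports and the secret key are constructed, and SHA-256 stands in for the RFC's MD5.

```python
# Toy model of the TCP three-way handshake: a connection from a spoofed
# source completes only if the sender can predict the victim's ISN.
# Added example, not from the original thread; all values are constructed.
import hashlib
import itertools

MASK = 0xFFFFFFFF

class Server:
    """Keeps half-open connections and accepts an ACK only if it equals ISN+1."""
    def __init__(self, isn_fn):
        self.isn_fn = isn_fn
        self.half_open = {}

    def on_syn(self, client, sport, dport):
        # The SYN-ACK carrying this ISN is sent to the *claimed* source address.
        isn = self.isn_fn(client, sport, dport)
        self.half_open[(client, sport, dport)] = isn
        return isn

    def on_ack(self, client, sport, dport, ack):
        isn = self.half_open.pop((client, sport, dport), None)
        return isn is not None and ack == (isn + 1) & MASK

# Weak generator: a global counter stepped by a fixed amount per connection,
# so one legitimately observed ISN predicts the next one (older stacks did this).
_counter = itertools.count(0x10000000, 64000)
def weak_isn(client, sport, dport):
    return next(_counter) & MASK

# RFC 6528-style generator (simplified, clock term omitted): a keyed hash of the
# 4-tuple, so an ISN seen on one connection says nothing about another tuple.
SECRET = b"constructed-secret-key"       # constructed; per-boot secret in practice
SERVER_IP = "192.0.2.10"                 # constructed documentation address
def strong_isn(client, sport, dport):
    h = hashlib.sha256(f"{SERVER_IP}:{dport}:{client}:{sport}".encode() + SECRET)
    return int.from_bytes(h.digest()[:4], "big")

def blind_spoofed_connect(server, spoofed_src, sport, dport=80):
    """Worm opens one real connection from its own address to learn an ISN,
    then sends a SYN with a spoofed source and must ACK without the SYN-ACK."""
    observed = server.on_syn("198.51.100.5", 40000, dport)      # own address
    server.on_ack("198.51.100.5", 40000, dport, observed + 1)
    server.on_syn(spoofed_src, sport, dport)   # SYN-ACK goes to spoofed_src, unseen
    guess = (observed + 64000 + 1) & MASK      # only right if ISNs step linearly
    return server.on_ack(spoofed_src, sport, dport, guess)
```

With the keyed-hash generator the blind guess has a 2^-32 chance per attempt, which is why the note above says a worm that needs a real TCP connection gains nothing from raw sockets.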


