Re: RPC errors - DDoS on the 16th?

[Eric Kuhnke <eric () fnordsystems com>]

http://www.theinquirer.net/?article=10986

Has anyone else seen this claim?  Somebody at F-Secure thinks the worm will begin a DDoS against 
windowsupdate.microsoft.com on the 16th.

At 03:08 PM 8/12/2003 -0700, you wrote:
> This should help some for people who are worried
> <http://securityresponse.symantec.com/avcenter/FixBlast.exe>http://securityresponse.symantec.com/avcenter/FixBlast.exe
>
> -Henry
>
> "Steven M. Bellovin" <smb () research att com> wrote:
>
> In message , 
> "Dominic J. Eidson" writes:
> > On Mon, 11 Aug 2003, Jack Bates wrote:
> >
> > > Sean Donelan wrote:
> > >
> > > > http://isc.sans.org/diary.html?date=2003-08-11
> > > > The worm uses the RPC DCOM vulnerability to propagate. One it finds a
> > > > vulnerable system, it will spawn a shell and use it to download the actual
> > > > worm via tftp.
> > > >
> > > > The name of the binary is msblast.exe. It is packed with UPX and will self
> > > > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
> > > > packed:
> >
> > Has anyone seen/heard of this virus propagating through email in any way?
> >
> > We appear to have been infected on a network that is very heavily
> > firewalled from the outside, and are trying to track down possibly entry
> > methods the worm might have had...
>
> A large number of networks have unknown and unauthorized back doors. 
> If it's a decent-sized network and you haven't audited it, don't assume 
> that the firewalling is effective. (My co-author on "Firewalls and 
> Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
> intranets for just this reason.)
>
>
> --Steve Bellovin, http://www.research.att.com/~smb