OSEC

RE: rpc dcom worm and windowsupdate

From: Flowers, Katie (Katie.Flowers@savvis.net)
Date: Wed Aug 13 2003 - 10:02:27 CDT


Hope the below helps you out, Oliver ;)

<source elided>

Hi Team,

Just tinkering w/ the "wurm" a little and thought I'd make a couple of
observations on the AUG 16 date.

At some time on or after Aug 16, the worm will issue a DNS request for
the A record of windowsupdate.com to the locally configured DNS server
with the +recursion option set. When the clock strikes Aug 16, it does
NOT appear to immediately attack windowsupdate.com. My guess is that
the loop iterating the /16 scan needs to complete before the code checks
the clock again for attacking Microsoft.

Assuming the query succeeds, the two current A records will be returned:

207.46.134.30
207.46.134.94

The worm will then begin to send 60 byte (20 bytes ethernet padding) TCP
SYN packets to windowsupdate.com port 80.

The source IP will be spoofed out of the /16 of the local LAN subnet,
the source port will be in the range of 1000-2000, IP TTL of 128, and IP
ID 256.

Note the very consistent parameters in the IP packets. A combination of
source ports and/or IP ID checking may be another way to fingerprint the
attack.

The worm appears to select the first IP of the two returned in the DNS
reply consistently, so it may be possible to simply block access to the
first IP if necessary as a mitigation method.

While sending TCP floods it will issue a PTR lookup for the IP it is
attacking:

30.134.46.207.in-addr.arpa

The rate of packets sent may vary based on hardware platform, CPU, and
bandwidth, but I've noticed a rate of approximately 50pps for the SYN
attack. Packets appear to be spaced about 20ms apart.

The TCP 135 scans appear to run at about 12pps. At this rate it would
take approximately 93.29 minutes to scan an entire /16.

As Rob suggested, there appears to be approximately a 1.5-2 second delay
between each 20 socket connects(). The TCP port 80 SYN Flood does not
appear to exhibit the same behavior.

The TCP port 135 scans carry the following TCP options:

MSS (1460)
SACK

The TCP port 80 SYN packets do not carry any TCP options.

-----Original Message-----
From: Oliver.Gruskovnjak@BIT.admin.ch
[mailto:Oliver.Gruskovnjak@BIT.admin.ch]
Sent: Wednesday, August 13, 2003 4:04 AM
To: incidents@securityfocus.com
Subject: rpc dcom worm and windowsupdate

Hey guys,

OK, our company is owned by the msblaster worm; now we would like to keep the
DDoS attack under control.
Our idea is that we can make one of our proxies identify itself
as windowsupdate.com.

Now my question is: is the worm looking for windowsupdate.com via a lookup, or
does it have a fixed IP in the source?
Does someone know anything?
Does anyone have the source :)

PS:
What are you doing against it?

Regards,

Gruskovnjak Oliver
----------------------------------------------------------------------------------
Bundesamt für Informatik und Telekommunikation BIT
Bereitstellung Netzdienste / BZBN
Monbijoustrasse 74
3003 Bern
----------------------------------------------------------------------------------
Tel. +41 (0) 31 323 89 84
Fax +41 (0) 31 325 90 30
----------------------------------------------------------------------------------
SMTP: oliver.gruskovnjak@bit.admin.ch

WEB: www.bit.admin.ch
----------------------------------------------------------------------------------
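The forwarded analysis above lists the constant attributes of the worm's port-80 SYN flood (60-byte frames, SYN only with no TCP options, source port 1000-2000, TTL 128, IP ID 256, source spoofed from the local /16, destination one of the two windowsupdate.com A records) and suggests that source-port and IP-ID checking can fingerprint it. The following is an added example, not code from the thread or from the worm: a small detector that scores packet records against that fingerprint and reports the packet rate and spacing, so a responder can tell the flood apart from ordinary HTTP SYNs and from the worm's own port-135 scans (which carry MSS and SACK options). The local /16 (10.20.0.0/16), the `Packet` record shape and the capture contents are constructed assumptions; the two target addresses are the ones quoted in the message.

```python
"""Detection heuristic for the msblaster windowsupdate.com SYN-flood fingerprint.

Constructed example for a defender: it takes packet summaries (as you would
derive them from a capture) and flags packets that match every constant
parameter reported in the thread. Not the worm's code, not Neohapsis code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean
from typing import Iterable, Sequence

# Assumption: the monitored site's /16; the worm spoofs sources from it.
LOCAL_NET = ip_network("10.20.0.0/16")
# The two windowsupdate.com A records quoted in the thread.
TARGET_IPS = {ip_address("207.46.134.30"), ip_address("207.46.134.94")}


@dataclass(frozen=True)
class Packet:
    ts: float                # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str               # TCP flags in tcpdump letters; "S" is SYN only
    ttl: int
    ip_id: int
    frame_len: int           # bytes on the wire, ethernet padding included
    tcp_opts: Sequence[str]  # TCP option names, empty when none are present


def matches_fingerprint(p: Packet) -> bool:
    """True when a packet carries every constant attribute of the port-80 flood."""
    return (
        p.dport == 80
        and p.flags == "S"
        and not p.tcp_opts           # the flood SYNs carry no TCP options
        and p.frame_len == 60
        and 1000 <= p.sport <= 2000
        and p.ttl == 128
        and p.ip_id == 256
        and ip_address(p.src) in LOCAL_NET
        and ip_address(p.dst) in TARGET_IPS
    )


def flood_summary(packets: Iterable[Packet], min_count: int = 5,
                  max_gap: float = 0.05) -> dict:
    """Count fingerprint hits and estimate the rate; alert on a sustained burst."""
    hits = sorted((p for p in packets if matches_fingerprint(p)), key=lambda p: p.ts)
    gaps = [b.ts - a.ts for a, b in zip(hits, hits[1:])]
    mean_gap = mean(gaps) if gaps else None
    return {
        "matched": len(hits),
        "spoofed_sources": len({p.src for p in hits}),   # distinct (spoofed) sources
        "mean_gap_s": round(mean_gap, 4) if mean_gap is not None else None,
        "est_pps": round(1 / mean_gap, 1) if mean_gap else None,
        "alert": len(hits) >= min_count and mean_gap is not None and mean_gap <= max_gap,
    }


def constructed_capture() -> list:
    """Constructed sample: ten flood SYNs 20 ms apart plus three benign or unrelated packets."""
    flood = [
        Packet(ts=100.0 + 0.02 * i, src=f"10.20.{(i * 37) % 256}.{(i * 91) % 256}",
               sport=1000 + i * 7, dst="207.46.134.30", dport=80, flags="S",
               ttl=128, ip_id=256, frame_len=60, tcp_opts=())
        for i in range(10)
    ]
    others = [
        # an ordinary browser SYN: ephemeral port, options present, longer frame
        Packet(100.01, "10.20.1.5", 3257, "207.46.134.30", 80, "S", 128, 4711, 62,
               ("mss", "nop", "nop", "sackOK")),
        # the worm's port-135 scan traffic carries MSS and SACK, so it is not flagged here
        Packet(100.03, "10.20.1.5", 1042, "10.20.44.17", 135, "S", 128, 256, 62,
               ("mss", "sackOK")),
        # established traffic to the same target is not a flood SYN
        Packet(100.05, "10.20.1.5", 1100, "207.46.134.30", 80, "PA", 128, 256, 60, ()),
    ]
    return flood + others


if __name__ == "__main__":
    print(flood_summary(constructed_capture()))
```

In a real deployment the `Packet` records would come from a capture parser; the point of the function split is that `matches_fingerprint` can be dropped into a per-packet filter while `flood_summary` gives the rate and source-diversity numbers that distinguish a spoofed flood from a handful of genuine connections.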
