RE: slapper worm varient "cinik"

From: Toni Heinonen (Toni.Heinonen@teleware.fi)
Date: 09/27/02


Date: Fri, 27 Sep 2002 16:25:36 +0300
From: "Toni Heinonen" <Toni.Heinonen@teleware.fi>
To: "Mark" <mark@uniontown.com>, "Anton A. Chuvakin" <anton@chuvakin.org>, "James P. Kinney III" <jkinney@localnetsolutions.com>

Well, actually, I do believe the whole p2p network has some sort of password arrangement so only the intended sources can control it. However, that password has already been reverse-engineered from the binaries by many parties, I have heard. So no, you don't even have to spoof your address, all you have to do is get that password from the binaries...

-- 
Toni Heinonen, Teleware Oy
  Wireless +358 (40) 836 1815
  Telephone +358 (9) 3434 9123
  toni.heinonen@teleware.fi
  www.teleware.fi

> -----Original Message-----
> From: Mark [mailto:mark@uniontown.com]
> Sent: 26 September 2002 18:16
> To: Anton A. Chuvakin; James P. Kinney III
> Cc: incidents@securityfocus.com
> Subject: Re: slapper worm varient "cinik"
>
>
> Which brings up another point. It uses TCP to infect, but
> UDP for the peer communication, right? UDP is so easily
> spoofed, what's to keep me from falsely pretending that I am
> an infected machine at Company X via a simple UDP spoof,
> causing the peers to DoS Company X, essentially DoSsing
> anyone I wished anonymously?
>
> -Mark
>
> ----- Original Message -----
> From: "Anton A. Chuvakin" <anton@chuvakin.org>
> To: "James P. Kinney III" <jkinney@localnetsolutions.com>
> Cc: <incidents@securityfocus.com>
> Sent: Wednesday, September 25, 2002 2:38 PM
> Subject: Re: slapper worm varient "cinik"
>
>
> > James and all,
> >
> > >Apparently the intruder got rather upset I spoiled his fun and about
> > >15 minutes after I shut him out, I was a victim of a udp-based DOS
> > >attack.
> >
> > Actually, it wasn't an intruder; the UDP flood you are experiencing is
> > a consequence of a worm network design. Most likely the worm managed
> > to join the network before you shut it down and now its peers are
> > trying to access your machine.
> >
> > For more info go to http://isc.incidents.org/analysis.html?id=169
> > and http://isc.incidents.org/analysis.html?id=167
> >
> > Best,
> > --
> > Anton A. Chuvakin, Ph.D., GCIA
> > http://www.chuvakin.org
> > http://www.info-secure.org
> >
> > ----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management and
> > tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com