RE: rpc dcom worm and windowsupdate
From: Chris Barber (cbarber_at_stginc.com)
Date: 08/13/03
- Previous message: Alon Tirosh: "RE: MSBlast and other known exploits.."
- In reply to: Compton, Rich: "RE: rpc dcom worm and windowsupdate"
- Next in thread: Flowers, Katie: "RE: rpc dcom worm and windowsupdate"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com>
Date: Wed, 13 Aug 2003 11:24:25 -0400
That will work short term. Once you have your network clean, do not forget
to take that pointer out so that Windows Update will work, so when Bill's
next security hole is released you can update your PCs via this wonderful
feature.
-----Original Message-----
From: Compton, Rich [mailto:RCompton@chartercom.com]
Sent: Wednesday, August 13, 2003 10:57 AM
To: 'Oliver.Gruskovnjak@BIT.admin.ch'; incidents@securityfocus.com
Subject: RE: rpc dcom worm and windowsupdate
The worm does a lookup on windowsupdate.com, so if you put in a record on
your DNS servers to point to, say, 127.0.0.1, you can redirect the attack to
target the host computer's loopback instead of taking out your network
bandwidth.
-Rich
-----Original Message-----
From: Oliver.Gruskovnjak@BIT.admin.ch
[mailto:Oliver.Gruskovnjak@BIT.admin.ch]
Sent: Wednesday, August 13, 2003 4:04 AM
To: incidents@securityfocus.com
Subject: rpc dcom worm and windowsupdate
Hey guys,
OK, our company is owned by the msblaster worm; now we would like to keep the
DDoS attack under control. Our idea is that we can make one of our
proxies identify itself as windowsupdate.com.
Now my question is: is the worm looking for windowsupdate.com per lookup, or
does it have a fixed IP in the source? Does someone know anything? Does someone
have the source :)
PS:
What are you doing against it?
regards
Gruskovnjak Oliver
----------------------------------------------------------------------------------
Bundesamt für Informatik und Telekommunikation BIT
Bereitstellung Netzdienste / BZBN
Monbijoustrasse 74
3003 Bern
----------------------------------------------------------------------------------
Tel. +41 (0) 31 323 89 84
Fax +41 (0) 31 325 90 30
----------------------------------------------------------------------------------
SMTP: oliver.gruskovnjak@bit.admin.ch
WEB: www.bit.admin.ch
----------------------------------------------------------------------------------
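An added example, not written by any poster in this thread: once windowsupdate.com is pointed at 127.0.0.1 on the internal DNS servers, the resolver's query log shows which clients still look the name up, which gives a list of machines to inspect and patch. The BIND-style log layout, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

SINKHOLED = "windowsupdate.com"  # name the thread says the worm looks up

# Assumed BIND-style query log layout; adjust the pattern to your resolver.
QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)

# Constructed sample lines (not taken from a real network).
SAMPLE_LOG = """\
13-Aug-2003 11:20:01.100 client 10.1.4.17#1031: query: windowsupdate.com IN A
13-Aug-2003 11:20:01.900 client 10.1.4.17#1032: query: WindowsUpdate.com. IN A
13-Aug-2003 11:20:02.300 client 10.1.9.80#1207: query: www.example.org IN A
13-Aug-2003 11:20:03.000 client 10.1.7.5#1099: query: windowsupdate.com IN A
13-Aug-2003 11:20:04.500 client 10.1.4.17#1033: query: windowsupdate.com IN A
13-Aug-2003 11:20:05.000 client 10.1.9.80#1208: query: notwindowsupdate.com IN A
garbage line that does not parse
"""

def normalize(name):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return name.rstrip(".").lower()

def lookups_by_client(log_text, target=SINKHOLED):
    """Count A-record lookups of the exact target name per client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m.group("type") != "A":
            continue  # skip unparseable lines and non-A queries
        if normalize(m.group("name")) == target:
            counts[m.group("ip")] += 1
    return counts

def hosts_to_inspect(log_text, min_lookups=1):
    """Clients at or above the threshold, busiest first (ties by IP string)."""
    counts = lookups_by_client(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= min_lookups]
    return sorted(hits, key=lambda item: (-item[1], item[0]))

if __name__ == "__main__":
    for ip, n in hosts_to_inspect(SAMPLE_LOG):
        print(f"{ip}\t{n} lookup(s) of {SINKHOLED}")
```

A lookup alone does not prove infection, since the thread notes that Windows Update depends on the same name; treat the output as a list of hosts to check.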