RE: rpc dcom worm and windowsupdate

From: Flowers, Katie (Katie.Flowers_at_savvis.net)
Date: 08/13/03

  • Next message: Jay Woody: "Re: rpc dcom worm and windowsupdate"
    Date: Wed, 13 Aug 2003 10:02:27 -0500
    To: <Oliver.Gruskovnjak@BIT.admin.ch>, <incidents@securityfocus.com>
    
    

    Hope the below helps you out, Oliver ;)

    <source elided>

    Hi Team,

    Just tinkering w/ the "wurm" a little and thought I'd make a couple of
    observations on the AUG 16 date.

    At some time on or after Aug 16, the worm will issue a DNS request for
    the A record of windowsupdate.com to the locally configured DNS server
    with the +recursion option set. When the clock strikes Aug 16, it does
    NOT appear to immediately attack windowsupdate.com. My guess is that
    the loop iterating the /16 scan needs to complete before the code checks
    the clock again for attacking Microsoft.

    Assuming the query succeeds, the two current A records will be returned:

    207.46.134.30
    207.46.134.94

    The worm will then begin to send 60-byte (20 bytes Ethernet padding) TCP
    SYN packets to windowsupdate.com port 80.

    The source IP will be spoofed out of the /16 of the local LAN subnet,
    the source port will be in the range of 1000-2000, IP TTL of 128, and IP
    ID 256.

    Note the very consistent parameters in the IP packets. A combination of
    source ports and/or IP ID checking may be another way to fingerprint the
    attack.

    The worm appears to select the first IP of the two returned in the DNS
    reply consistently, so it may be possible to simply block access to the
    first IP if necessary as a mitigation method.

    While sending TCP floods it will issue a PTR lookup for the IP it is
    attacking:

    30.134.46.207.in-addr.arpa

    The rate of packets sent may vary based on hardware platform, CPU, and
    bandwidth, but I've noticed a rate of approximately 50pps for the SYN
    attack. Packets appear to be spaced about 20ms apart.

    The TCP 135 scans appear to run at about 12pps. At this rate it would
    take approximately 93.29 minutes to scan an entire /16.

    As Rob suggested, there appears to be approximately a 1.5-2 second delay
    between every 20 socket connect() calls. The TCP port 80 SYN flood does not
    appear to exhibit the same behavior.

    The TCP port 135 scans carry the following TCP options:

    MSS (1460)
    SACK

    The TCP port 80 SYN packets do not carry any TCP options.

    -----Original Message-----
    From: Oliver.Gruskovnjak@BIT.admin.ch
    [mailto:Oliver.Gruskovnjak@BIT.admin.ch]
    Sent: Wednesday, August 13, 2003 4:04 AM
    To: incidents@securityfocus.com
    Subject: rpc dcom worm and windowsupdate

    Hey guys,

    OK, our company is owned by the MSBlaster worm; now we would like to keep the
    DDoS attack under control.
    Our idea is that we could make one of our proxies identify itself
    as windowsupdate.com.

    Now my question is: is the worm looking for windowsupdate.com via a lookup, or
    does it have a fixed IP in the source?
    Does someone know anything?
    Does someone have the source? :)

    PS:
    What are you doing against it ?

    regards

    Gruskovnjak Oliver
    ----------------------------------------------------------------------------------
    Bundesamt für Informatik und Telekommunikation BIT
    Bereitstellung Netzdienste / BZBN
    Monbijoustrasse 74
    3003 Bern
    ----------------------------------------------------------------------------------
    Tel. +41 (0) 31 323 89 84
    Fax +41 (0) 31 325 90 30
    ----------------------------------------------------------------------------------
    SMTP: oliver.gruskovnjak@bit.admin.ch
    WEB: www.bit.admin.ch
    ----------------------------------------------------------------------------------
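The packet parameters Katie lists above (bare SYN to port 80, source spoofed inside the local /16, source port 1000-2000, TTL 128, IP ID 256, 40-byte datagram with no TCP options for the flood; SYN to port 135 carrying MSS 1460 and SACK-permitted for the scan) are enough to fingerprint both traffic types on the wire. The following is an added example written for this page, not code from the original post or from the worm: a small raw IPv4/TCP decoder and a classifier that applies those parameters. The local network 10.20.0.0/16, the host addresses, and the sample packets are all constructed for the example; the flood target is the first windowsupdate.com A record quoted in the post. The packet builder is only there so the example runs offline; in practice the classifier would be fed the IPv4 payload of frames from a sniffer.

```python
"""Fingerprint Blaster-style SYN floods and port-135 scans from raw IPv4/TCP packets.
Added example (not code from the original post or the worm); sample data is constructed."""
import ipaddress
import struct
from typing import Dict, Iterable, Optional

TCP_SYN = 0x02
TCP_FLAG_MASK = 0x3F          # FIN/SYN/RST/PSH/ACK/URG; ECE/CWR bits are ignored
OPT_END, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (only used by the builder)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   flags: int = TCP_SYN, ttl: int = 128, ip_id: int = 0,
                   options: bytes = b"") -> bytes:
    """Build a bare IPv4+TCP packet (no Ethernet frame, no payload) as test input."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      (5 + len(options) // 4) << 4, flags, 8192, 0, 0) + options
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0, src, dst)
    return ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:] + tcp


def parse_tcp_options(raw: bytes) -> Dict[int, object]:
    """Return {kind: value}; MSS is decoded to an int, other values stay as bytes."""
    opts: Dict[int, object] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            break                 # truncated or malformed option: stop, never over-read
        length = raw[i + 1]
        value = raw[i + 2:i + length]
        opts[kind] = struct.unpack("!H", value)[0] if kind == OPT_MSS and len(value) == 2 else value
        i += length
    return opts


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Decode only the fields the fingerprint needs; checksums are not verified."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ip_id, _frag, ttl, proto = struct.unpack("!HHHBB", pkt[2:10])
    if proto != 6 or total_len > len(pkt) or total_len < ihl + 20:
        raise ValueError("not a complete TCP segment")
    tcp = pkt[ihl:total_len]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return dict(src_ip=ipaddress.IPv4Address(pkt[12:16]), dst_ip=ipaddress.IPv4Address(pkt[16:20]),
                total_len=total_len, ip_id=ip_id, ttl=ttl, src_port=src_port,
                dst_port=dst_port, flags=tcp[13], options=parse_tcp_options(tcp[20:data_offset]))


def classify(pkt: bytes, local_net: ipaddress.IPv4Network) -> Optional[str]:
    """Label a packet using the parameters reported for the worm's two traffic types."""
    try:
        p = parse_ipv4_tcp(pkt)
    except ValueError:
        return None
    if p["flags"] & TCP_FLAG_MASK != TCP_SYN:       # both behaviours are bare SYNs
        return None
    # Port-80 flood: source spoofed inside the local /16, sport 1000-2000, TTL 128,
    # IP ID 256, 40-byte datagram (20 IP + 20 TCP) with no TCP options.
    if (p["dst_port"] == 80 and p["src_ip"] in local_net and 1000 <= p["src_port"] <= 2000
            and p["ttl"] == 128 and p["ip_id"] == 256 and p["total_len"] == 40 and not p["options"]):
        return "blaster-synflood"
    # Port-135 scan: SYN carrying MSS 1460 and SACK-permitted.
    if p["dst_port"] == 135 and p["options"].get(OPT_MSS) == 1460 and OPT_SACK_OK in p["options"]:
        return "blaster-135-scan"
    return None


def triage(packets: Iterable[bytes], local_net: ipaddress.IPv4Network) -> Dict[str, int]:
    """Count matches per label over a capture."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        label = classify(pkt, local_net)
        if label:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample capture: 10.20.0.0/16 is an assumed local LAN, the flood
# target is the first windowsupdate.com A record quoted in the post.
LOCAL_NET = ipaddress.IPv4Network("10.20.0.0/16")
WIN_OPTS = b"\x02\x04\x05\xb4\x01\x01\x04\x02"      # MSS 1460, NOP, NOP, SACK-permitted
FLOOD_PKT = build_ipv4_tcp("10.20.77.3", "207.46.134.30", 1337, 80, ip_id=256)
SCAN_PKT = build_ipv4_tcp("10.20.5.9", "10.20.200.1", 1124, 135, ip_id=9001, options=WIN_OPTS)
BENIGN_PKT = build_ipv4_tcp("10.20.1.1", "207.46.134.30", 3000, 80, ip_id=4242, options=WIN_OPTS)
OFFNET_PKT = build_ipv4_tcp("192.0.2.7", "207.46.134.30", 1500, 80, ip_id=256)  # right shape, wrong /16
SAMPLE_PACKETS = [FLOOD_PKT, SCAN_PKT, BENIGN_PKT, OFFNET_PKT,
                  build_ipv4_tcp("10.20.9.9", "207.46.134.30", 1999, 80, ip_id=256)]

if __name__ == "__main__":
    print(triage(SAMPLE_PACKETS, LOCAL_NET))   # {'blaster-synflood': 2, 'blaster-135-scan': 1}
```

Note that the flood signature deliberately requires all of the parameters at once: any one of them (TTL 128, a 1000-2000 source port, a 40-byte SYN) is common in ordinary Windows traffic, and it is the fixed IP ID of 256 together with the spoofed-from-local-/16 source that makes the match specific. The port-135 check is weaker, since MSS 1460 plus SACK-permitted is simply what Windows 2000/XP hosts send on any SYN, so on its own it only tells you a Windows box is connecting to 135; rate (the ~12 pps noted above) is what separates the scan from normal DCOM use.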


