[60466] in North American Network Operators' Group


Re: RPC errors - DDoS on the 16th?

daemon@ATHENA.MIT.EDU (Eric Kuhnke)
Tue Aug 12 20:56:54 2003

X-Qmail-Scanner-Mail-From: eric@fnordsystems.com via server4.saturnbandwidth.net
Date: Tue, 12 Aug 2003 17:54:17 -0700
To: nanog@merit.edu
From: Eric Kuhnke <eric@fnordsystems.com>
In-Reply-To: <20030812220801.60969.qmail@web80104.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu


http://www.theinquirer.net/?article=10986

Has anyone else seen this claim?  Somebody at F-Secure thinks the worm will begin a DDoS against windowsupdate.microsoft.com on the 16th.

At 03:08 PM 8/12/2003 -0700, you wrote:
>This should help some for people who are worried
>http://securityresponse.symantec.com/avcenter/FixBlast.exe
> 
>-Henry
>
>"Steven M. Bellovin" <smb@research.att.com> wrote:
>
>In message , 
>"Dominic J. Eidson" writes:
>>
>>On Mon, 11 Aug 2003, Jack Bates wrote:
>>
>>> Sean Donelan wrote:
>>>
>>> > http://isc.sans.org/diary.html?date=2003-08-11
>>> > The worm uses the RPC DCOM vulnerability to propagate. Once it finds a
>>> > vulnerable system, it will spawn a shell and use it to download the actual
>>> > worm via tftp.
>>> >
>>> > The name of the binary is msblast.exe. It is packed with UPX and will self
>>> > extract. The size of the binary is about 11kByte unpacked, and 6kBytes
>>> > packed:
>>
>>Has anyone seen/heard of this virus propagating through email in any way?
>>
>>We appear to have been infected on a network that is very heavily
>>firewalled from the outside, and are trying to track down possible entry
>>methods the worm might have had...
>
>A large number of networks have unknown and unauthorized back doors. 
>If it's a decent-sized network and you haven't audited it, don't assume 
>that the firewalling is effective. (My co-author on the "Firewalls and 
>Internet Security" book, Bill Cheswick, is CTO of a startup that maps 
>intranets for just this reason.)
>
>
>--Steve Bellovin, http://www.research.att.com/~smb
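The propagation sequence quoted above (RPC DCOM exploit, then the victim fetching the binary over tftp) leaves a recognisable footprint in flow records: an inbound TCP/135 connection to a host, followed shortly by that host opening UDP/69 back to the same peer. The correlator below is an added example written for this page, not code from the thread or from any of the tools it mentions; the flow lines are constructed, and the five-minute window and the "same peer" requirement are assumptions chosen to keep false positives down.

```python
"""Flag hosts whose flow records show an inbound TCP/135 (RPC endpoint
mapper) connection followed by an outbound TFTP (UDP/69) request to the
same peer, the order of events described for the worm above."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log, one record per line:
#   timestamp src dst proto dport
SAMPLE_FLOWS = """\
2003-08-12T17:40:01 10.1.1.7 10.1.2.20 tcp 135
2003-08-12T17:40:03 10.1.2.20 10.1.1.7 udp 69
2003-08-12T17:41:10 10.1.3.4 10.1.2.21 tcp 135
2003-08-12T17:52:00 10.1.2.21 10.1.3.4 udp 69
2003-08-12T17:42:00 10.1.5.9 10.1.2.22 tcp 80
2003-08-12T17:42:02 10.1.2.22 10.1.9.9 udp 69
"""

def parse_flows(text):
    """Turn the text log into (time, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows

def find_rpc_then_tftp(flows, window=timedelta(minutes=5)):
    """Return sorted (victim, peer) pairs where `peer` connected to
    `victim` on TCP/135 and, within `window` afterwards, `victim`
    contacted `peer` on UDP/69.  The window is an assumed tuning value;
    a match is a sequence worth investigating, not proof of infection."""
    rpc_inbound = defaultdict(list)          # victim -> [(time, peer)]
    ordered = sorted(flows)
    for ts, src, dst, proto, dport in ordered:
        if proto == "tcp" and dport == 135:
            rpc_inbound[dst].append((ts, src))
    suspects = set()
    for ts, src, dst, proto, dport in ordered:
        if proto != "udp" or dport != 69:
            continue
        for rpc_ts, peer in rpc_inbound.get(src, []):
            if peer == dst and timedelta(0) <= ts - rpc_ts <= window:
                suspects.add((src, dst))
    return sorted(suspects)

if __name__ == "__main__":
    for victim, peer in find_rpc_then_tftp(parse_flows(SAMPLE_FLOWS)):
        print(f"possible RPC/tftp infection: {victim} <- {peer}")
```

Only the first pair in the sample matches; the second is outside the window and the third never saw TCP/135, which is the kind of discrimination that matters when a site is trying to work out how the worm got past a perimeter firewall.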


