
Re: msblast.exe --> DDoS against windowsupdate.com (research)

From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Wed Aug 13 2003 - 21:52:08 EDT


"Sekurity Wizard" <s.wizard@boundariez.com> wrote:

> Thought I'd do some research into this little hypothesis we've all been
> seeing, what will happen on the 16th!? Well, I've set up a named server
> (logging ALL queries into it) and an infected Win2k box (ran msblast.exe
> on it) into the same hub...and then set the date to the 16th......much to
> my surprise, NOTHING happened. Literally, nothing. No scanning for port
> 135, no DNS storms, no DDoS packets - nothing...what did I do wrong
> or...what does this mean?

Did you restart the "infected" box after changing the date?

Is the "infected" box actually properly infected?

Is the "infected" box configured such that the InternetGetConnectedState API will return true? (If not, almost the first thing the worm will do is fall into a tight loop checking InternetGetConnectedState, sleeping for 20 seconds, rechecking...)

-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854


Received on Wed Aug 13 23:04:05 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:17 EDT

