Pantek Library

RE: msblast.exe --> DDoS against windowsupdate.com (research)

From: Christopher Lyon <cslyon(at)netsvcs.com>
Date: Thu Aug 14 2003 - 02:57:44 EDT


I did infect a machine with msblaster (Windows XP straight out of the box) and put the machine behind a cheap firewall using private addresses. I was able to get out to the internet, but I did end up blocking everything from this host outbound. Figured I didn't want to contribute to spreading this thing. I confirmed that the host was running the virus and trying to go outbound on 135.

Once I did that, I put the clock at 23:59 on the 15th and waited. Nothing happened, so at 00:15 I rebooted; once I rebooted, that is when the DoS started to happen. Maybe I need to wait longer, or maybe it needs to restart msblaster.

All you will see is port 80 connections going to windowsupdate.com. That is either 204.79.188.11 or 204.79.188.12. So, when it starts, it does a query for windowsupdate.com, and whichever IP address it gets first is what it hits. You won't see your own source for the DoS either; that will be generated. Since my PC was on 192.168.252.0, it was generating them for 192.168.x.x. That seems to be typical: the first two octets come from your local host, and the last two it generates.

Note: There are no DNS storms created by the DoS, and the port scanning for port 135 keeps going. In other words, the spreading of the virus keeps going.

Hope this helps.

Good luck,
Christopher Lyon
Sr. Security Development Engineer
Affant Communication (formerly DNS Network Services) v: 714-338-7106
f: 714-338-7101
cslyon@affant.com
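The two observable signatures Christopher describes above (SYNs to port 80 of 204.79.188.11/.12 from spoofed sources that share the infected host's first two octets, while unspoofed 135/tcp scanning from the real address continues) can be picked out of a firewall log mechanically. The script below is an added example, not code from the original post or from either author: it assumes a simple constructed key=value log format rather than any real firewall's syntax, an infected-host address of 192.168.252.10 taken from the /24 mentioned in the post, and an arbitrary threshold of three distinct spoofed sources before calling the flood active.

```python
"""Flag MSBlast-style spoofed SYN flood and 135/tcp scanning in firewall logs.

Added example; not from the original mailing-list post. The log format below is
constructed for the example and is not any particular firewall's syntax.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# The two windowsupdate.com addresses named in the post.
WINDOWSUPDATE = {"204.79.188.11", "204.79.188.12"}

# Constructed format: "DATE TIME src=A dst=B proto=P sport=N dport=N flags=F"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) flags=(?P<flags>\S+)$"
)


@dataclass
class Report:
    dos_syns: int = 0                       # SYNs to windowsupdate:80 from the /16
    spoofed_sources: set = field(default_factory=set)  # sources != real host
    scan_135: int = 0                       # SYNs to tcp/135 from the real host
    scan_targets: set = field(default_factory=set)
    other: int = 0                          # unrelated TCP SYNs


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def analyse(lines, infected_host):
    """Classify TCP SYNs relative to a known-infected host's address.

    The flood is spoofed: the worm keeps the first two octets of the infected
    host's address and generates the last two, so it shows up as many distinct
    sources inside the host's /16 that are not the host itself. The 135/tcp
    scanning is not spoofed and carries the real address.
    """
    host = ipaddress.ip_address(infected_host)
    spoof_net = ipaddress.ip_network(f"{infected_host}/16", strict=False)
    rep = Report()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or "S" not in rec["flags"]:
            continue
        src = ipaddress.ip_address(rec["src"])
        if rec["dport"] == 80 and rec["dst"] in WINDOWSUPDATE and src in spoof_net:
            rep.dos_syns += 1
            if src != host:
                rep.spoofed_sources.add(rec["src"])
        elif rec["dport"] == 135 and src == host:
            rep.scan_135 += 1
            rep.scan_targets.add(rec["dst"])
        else:
            rep.other += 1
    return rep


def verdict(rep, min_spoofed=3):
    """DoS is indicated by SYNs to windowsupdate:80 from several distinct
    addresses in the infected host's /16; scanning is indicated by any
    135/tcp SYN from the real address. min_spoofed is an assumed threshold."""
    dos = rep.dos_syns > 0 and len(rep.spoofed_sources) >= min_spoofed
    return {"dos_active": dos, "scanning_active": rep.scan_135 > 0}


# Constructed sample log, modelled on the behaviour described in the post.
SAMPLE_LOG = """\
2003-08-16 00:15:01 src=192.168.252.10 dst=10.4.17.23 proto=tcp sport=1041 dport=135 flags=S
2003-08-16 00:15:01 src=192.168.252.10 dst=10.4.17.24 proto=tcp sport=1042 dport=135 flags=S
2003-08-16 00:15:02 src=192.168.37.201 dst=204.79.188.11 proto=tcp sport=1025 dport=80 flags=S
2003-08-16 00:15:02 src=192.168.9.14 dst=204.79.188.11 proto=tcp sport=1026 dport=80 flags=S
2003-08-16 00:15:02 src=192.168.200.77 dst=204.79.188.11 proto=tcp sport=1027 dport=80 flags=S
2003-08-16 00:15:03 src=192.168.61.3 dst=204.79.188.11 proto=tcp sport=1028 dport=80 flags=S
2003-08-16 00:15:03 src=192.168.252.10 dst=192.168.252.1 proto=udp sport=1029 dport=53 flags=-
2003-08-16 00:15:04 src=192.168.252.10 dst=10.4.17.25 proto=tcp sport=1043 dport=135 flags=S
2003-08-16 00:15:05 src=192.168.252.10 dst=172.16.0.9 proto=tcp sport=1044 dport=80 flags=S
"""

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines(), "192.168.252.10")
    print(report)
    print(verdict(report))
```

Note that the ordinary outbound web connection in the sample (to 172.16.0.9:80 from the real address) lands in `other`, not in the DoS count: the flood is distinguished by destination and by spoofed sources in the same /16, not by destination port alone.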

> -----Original Message-----
> been seeing, what will happen on the 16th!? Well, I've set up a named
> server (logging ALL queries into it) and an infected Win2k box (ran
> msblast.exe on it) into the same hub...and then set the date to the
> 16th......much to my surprise, NOTHING happened. Literally, nothing. No
> scanning for port 135, no DNS storms, no DDoS packets - nothing...what
> did I do wrong


Received on Thu Aug 14 14:33:38 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:17 EDT

