RE: msblast.exe worm FINDINGS (DDoS) ---> Can someone please confirm?

Jose,

        Something I found that maybe you or someone else on this list can validate. I've done some testing in a sandbox environment with a separate BIND server, and this worm is either retarded, or I missed something. Here are my results:

I build a BIND server (10.10.10.1/24) with a forward AND reverse DNS for windowsupdate.com as a fictitious address 10.10.20.10/24. I then put an infected client (10.10.10.5/24) on the wire, and set the date ahead to the 20th (just for kicks). This simulate a 'real' environment, since we typically won't be on the same network segment as windowsupdate.com, right? *grin*

The INFECTED CLIENT went out, did a forward DNS query, then a reverse, then started to ARP for the IP address that DNS had served up. Since it couldn't get a reply back for the IP address (from the ARP request)...it continued to arp at a high rate (~10 req/sec or so) without stop....very strange.

I then tried some other tests, I removed the reverse DNS lookup, and since the worm couldn't find the reverse DNS lookup - it stopped after attempting to - no DDoS attack...nothing.

I then also removed the forward DNS record - again, no DDoS attack, it just cached the 'cannot find' request, and continued to go merrily along its' way to infecting other machines (or trying to).

Can anyone else independantly validate these results? I'm particularly interested in the first result, of the high-ARP issue...

Your assistance is appreciated!

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

./Wiz

-----Original Message-----
From: Jose Nazario [mailto:jose@monkey.org] Sent: Thursday, August 14, 2003 1:30 AM
To: Sekurity Wizard
Subject: Re: msblast.exe --> DDoS against windowsupdate.com (research)

it should work regardless of BIOS date vs windows date. make sure it has a DNS server that will send a valid reply. i have moved the date to sunday the 17th and fired it up and had it start the flood against an IP i had entered into a local DNS server as windowsupdate.com.

in short that's my best guess, DNS. if you don't see the request, try firing it off again.

jose nazario, ph.d.			jose@monkey.org
					
http://monkey.org/~jose/

---------------------------------------------------------------------------
----------------------------------------------------------------------------