[Dshield] Blaster date forward.

Johannes B. Ullrich jullrich at sans.org
Sat Aug 16 00:36:58 GMT 2003


Yes. I did turn the clock forward. The quick summary:

If I just change the time on a machine that is already
running 'msblast.exe' (and scanning), nothing happens.
It just keeps scanning.

If I start it on a machine after 'Aug 16':
- if it can resolve 'windowsupdate.com', it attacks
- if it cannot resolve 'windowsupdate.com', it scans.

So in order to DDOS, it has to be started after Aug. 16th (e.g. machine
reboot).

I do see about 100 packets per second. (50 pairs)

Here is a quick sample of the DDOS traffic. msblast.exe was running
on a vmware machine at 10.1.0.129. Note the spoofed source IP.

16:36:07.815519 10.1.4.11.1103 > 204.79.188.12.http: S 24248320:24248320(0) win 16384
0x0000   4500 0028 0100 0000 8006 a368 0a01 040b        E..(.......h....
0x0010   cc4f bc0c 044f 0050 0172 0000 0000 0000        .O...O.P.r......
0x0020   5002 4000 d369 0000 0204 05b4 0101             P.@..i........
16:36:07.815537 10.1.4.11.1103 > 204.79.188.12.http: S 24248320:24248320(0) win 16384
0x0000   4500 0028 0100 0000 8006 a368 0a01 040b        E..(.......h....
0x0010   cc4f bc0c 044f 0050 0172 0000 0000 0000        .O...O.P.r......
0x0020   5002 4000 d369 0000 0204 05b4 0101             P.@..i........
16:36:07.851292 10.1.203.49.1473 > 204.79.188.12.http: S 456589312:456589312(0) win 16384
0x0000   4500 0028 0100 0000 8006 dc41 0a01 cb31        E..(.......A...1
0x0010   cc4f bc0c 05c1 0050 1b37 0000 0000 0000        .O.....P.7......
0x0020   5002 4000 f10b 0000 4745 5420 2f6c             P.@.....GET./l
16:36:07.851310 10.1.203.49.1473 > 204.79.188.12.http: S 456589312:456589312(0) win 16384
0x0000   4500 0028 0100 0000 8006 dc41 0a01 cb31        E..(.......A...1
0x0010   cc4f bc0c 05c1 0050 1b37 0000 0000 0000        .O.....P.7......
0x0020   5002 4000 f10b 0000 4745 5420 2f6c             P.@.....GET./l
16:36:07.879157 10.1.79.176.1144 > 204.79.188.12.http: S 1725825024:1725825024(0) win 16384
0x0000   4500 0028 0100 0000 8006 57c3 0a01 4fb0        E..(......W...O.
0x0010   cc4f bc0c 0478 0050 66de 0000 0000 0000        .O...x.Pf.......
0x0020   5002 4000 222f 0000 0204 05b4 0101             P.@."/........




On Fri, 2003-08-15 at 19:41, Shawn Cox wrote:
> Has anyone taken a Blaster infected machine off the network and set the date
> forward to see what really happens?
> --Shawn
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

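The hex dumps in the trace above can be decoded mechanically to confirm what the message reports: SYN-only segments to port 80 of 204.79.188.12, source addresses the capturing host does not own, and one IP ID shared by every packet. The following is an added example, not part of the original message or of any DShield or ISC tooling; it embeds the hex columns of the first and third packets quoted above and takes 10.1.0.129 as the real address of the capturing host, as the message states.

```python
import re
import struct

# Hex columns of the first and third SYN quoted above (no link layer: byte 0 is IP).
SAMPLE = """\
0x0000   4500 0028 0100 0000 8006 a368 0a01 040b
0x0010   cc4f bc0c 044f 0050 0172 0000 0000 0000
0x0020   5002 4000 d369 0000 0204 05b4 0101
0x0000   4500 0028 0100 0000 8006 dc41 0a01 cb31
0x0010   cc4f bc0c 05c1 0050 1b37 0000 0000 0000
0x0020   5002 4000 f10b 0000 4745 5420 2f6c
"""

def split_frames(dump):
    """Rebuild raw frames from tcpdump hex lines (offset 0x0000 starts a new frame);
    only hex words are kept, so an ASCII column, if present, is ignored."""
    frames, cur = [], bytearray()
    for tok in (line.split() for line in dump.splitlines()):
        if len(tok) < 2 or not re.fullmatch(r"0x[0-9a-f]{4}", tok[0]):
            continue
        if tok[0] == "0x0000" and cur:
            frames.append(bytes(cur)); cur = bytearray()
        cur += bytes.fromhex("".join(t for t in tok[1:] if re.fullmatch(r"([0-9a-f]{2}){1,2}", t)))
    return frames + ([bytes(cur)] if cur else [])

def ip_checksum(hdr):
    """RFC 791 one's-complement sum; 0 means the header checksum verifies."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16: s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_ipv4_tcp(frame):
    """Decode the IPv4/TCP fields that matter when triaging the flood."""
    ihl = (frame[0] & 0x0F) * 4
    total_len, ip_id = struct.unpack("!HH", frame[2:6])
    sport, dport, seq = struct.unpack("!HHI", frame[ihl:ihl + 8])
    return {"src": ".".join(map(str, frame[12:16])), "dst": ".".join(map(str, frame[16:20])),
            "ttl": frame[8], "proto": frame[9], "ip_id": ip_id, "sport": sport,
            "dport": dport, "seq": seq, "syn_only": frame[ihl + 13] == 0x02,
            "window": struct.unpack("!H", frame[ihl + 14:ihl + 16])[0],
            "checksum_ok": ip_checksum(frame[:ihl]) == 0,
            "trailing": frame[total_len:]}  # bytes past the IP length: stale buffer contents

def blaster_ddos_indicators(frames, real_host):
    """Summarise the trace: SYN-only to port 80, sources other than real_host, one IP ID."""
    syn = [p for p in map(parse_ipv4_tcp, frames)
           if p["proto"] == 6 and p["syn_only"] and p["dport"] == 80]
    return {"syn_to_80": len(syn), "targets": sorted({p["dst"] for p in syn}),
            "spoofed_sources": sorted({p["src"] for p in syn} - {real_host}),
            "constant_ip_id": len({p["ip_id"] for p in syn}) == 1,
            "all_checksums_ok": all(p["checksum_ok"] for p in syn)}
```

The "trailing" bytes are what tcpdump printed past the 40-byte IP total length (an MSS option fragment in one packet, "GET /l" in the other): the header checksums verify, so these are leftover buffer contents the sender emitted, not part of the datagram.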
