[unisog] Windows Update

Dave Ellingsberg dave.ellingsberg at csu.mnscu.edu
Thu Aug 14 16:46:42 GMT 2003


Peter wrote:

	Do we know what port or ports the DOS is going to use? 

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada
**************************
From www.f-prot.com, the only place I could find anything on it:
* * * * * * * *

The worm has a built-in DoS routine, aimed at windowsupdate.com.
Whether this function is executed depends on the local system date
settings. If the day is above the 15th, then the DoS routine is executed
in parallel to the main scanning procedure. By constructing a
raw socket, the worm sends out a TCP packet with the SYN flag set (the
first step of the three-way handshake required by the TCP protocol); this
packet has a spoofed source address and is sent to the web server located at
windowsupdate.com. This is a classic example of a SYN-flood attack. When
performing this routine, the worm modifies the last two octets of the
local host's IP address and replaces them with random ones. The traffic
might look like the following, where xxx.xxx are the first octets of the
local system's IP address:
Source:           Destination:              Protocol:  Info:
xxx.xxx.ran.ran   IP-address of the server  TCP        (Source port) > http [SYN] Seq=<SequenceNumber> Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran   IP-address of the server  TCP        (Source port) > http [SYN] Seq=<SequenceNumber> Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran   IP-address of the server  TCP        (Source port) > http [SYN] Seq=<SequenceNumber> Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran   IP-address of the server  TCP        (Source port) > http [SYN] Seq=<SequenceNumber> Ack=0 Win=16384 Len=0
xxx.xxx.ran.ran   IP-address of the server  TCP        (Source port) > http [SYN] Seq=<SequenceNumber> Ack=0 Win=16384 Len=0
***************************************
bigfoot
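The excerpt above describes a per-packet shape (SYN only, to port 80, Ack=0, Win=16384, Len=0) and a source-address pattern (the infected host keeps its first two octets and randomises the last two, so every spoofed source lands in the host's own /16). The following is an added example, not part of the original post and not code from F-Prot, showing how a network operator could turn those two facts into a detector: it parses constructed capture summary lines in the shape of the table, keeps only packets matching the signature, and flags any (source /16, destination) pair that shows an implausible number of distinct source hosts. The summary-line format, the server address 198.51.100.7, the infected host 10.20.137.4 and the threshold of 20 distinct sources are all assumptions made for the example.

```python
"""Detector for the spoofed-source SYN-flood pattern in the f-prot excerpt.

Added example; the line format, addresses and threshold are constructed
assumptions, not observed Blaster traffic or anything from F-Prot.
"""
from collections import defaultdict
import ipaddress
import random

SERVER = "198.51.100.7"          # constructed stand-in for "IP-address of the server"
INFECTED_HOST = "10.20.137.4"    # constructed stand-in for an infected campus host


def dos_routine_active(day_of_month):
    """Excerpt: the DoS routine runs only when the day of the month is above the 15th."""
    return day_of_month > 15


def spoofed_source(local_ip, rng):
    """Excerpt: keep the first two octets of the local address, randomise the last two."""
    first, second, _, _ = local_ip.split(".")
    return f"{first}.{second}.{rng.randrange(256)}.{rng.randrange(256)}"


def syn_record(src, dst, sport, seq):
    """One constructed summary line in the shape of the excerpt's table."""
    return f"{src} {dst} TCP {sport} 80 [SYN] Seq={seq} Ack=0 Win=16384 Len=0"


def parse_record(line):
    """Parse 'src dst TCP sport dport [FLAGS] Seq=n Ack=n Win=n Len=n' into a dict,
    or return None for anything that is not in that constructed shape."""
    fields = line.split()
    if len(fields) != 10 or fields[2] != "TCP":
        return None
    kv = dict(f.split("=", 1) for f in fields[6:])
    return {
        "src": fields[0], "dst": fields[1],
        "sport": int(fields[3]), "dport": int(fields[4]),
        "flags": fields[5].strip("[]").split(","),
        "ack": int(kv["Ack"]), "win": int(kv["Win"]), "len": int(kv["Len"]),
    }


def matches_signature(rec):
    """Per-packet shape from the excerpt: SYN only, to port 80, Ack=0, Win=16384, Len=0."""
    return (rec is not None and rec["dport"] == 80 and rec["flags"] == ["SYN"]
            and rec["ack"] == 0 and rec["win"] == 16384 and rec["len"] == 0)


def find_spoofing_prefixes(lines, min_sources=20):
    """Group matching SYNs by (source /16, destination).

    One infected host spoofing its last two octets shows up as many distinct
    source addresses inside a single /16, all sending bare SYNs to one web
    server and never continuing the handshake.  Returns
    {(prefix, dst): distinct_source_count} for pairs at or above the threshold.
    """
    sources = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if not matches_signature(rec):
            continue
        prefix = ipaddress.ip_network(f"{rec['src']}/16", strict=False)
        sources[(str(prefix), rec["dst"])].add(rec["src"])
    return {key: len(s) for key, s in sources.items() if len(s) >= min_sources}


def build_sample(seed=1):
    """Constructed capture: 40 spoofed SYNs from one infected host plus ordinary flows."""
    rng = random.Random(seed)
    lines = [syn_record(spoofed_source(INFECTED_HOST, rng), SERVER, 1024 + i,
                        rng.randrange(2 ** 32)) for i in range(40)]
    # Ordinary clients elsewhere: a different window size, the server's SYN/ACK
    # reply, and a data segment.  None of these match the signature.
    lines += [
        f"192.0.2.10 {SERVER} TCP 3344 80 [SYN] Seq=17 Ack=0 Win=65535 Len=0",
        f"{SERVER} 192.0.2.10 TCP 80 3344 [SYN,ACK] Seq=9 Ack=18 Win=16384 Len=0",
        f"192.0.2.11 {SERVER} TCP 3345 80 [ACK] Seq=1 Ack=1 Win=65535 Len=512",
    ]
    return lines


if __name__ == "__main__":
    for (prefix, dst), n in find_spoofing_prefixes(build_sample()).items():
        print(f"{prefix} -> {dst}: {n} distinct spoofed sources, likely one infected host")
```

The /16 grouping is what makes this useful operationally: the randomised addresses cannot be traced individually, but the unchanged first two octets point at the network the infected machine sits on, which is where egress filtering (dropping packets whose source is not a real address on that segment) would have stopped the spoofed SYNs leaving in the first place.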