WINS increase, UDP Mystery Solved(?), Black Tuesday Teaser

Published: 2004-12-13
Last Updated: 2004-12-14 00:13:21 UTC
by Cory Altheide (Version: 1)
0 comment(s)
WINS scanning increase

It looks like the s'kiddies finally got their hands on the super-secret-underground WINS 'sploit (or are simply setting up a target list for when they do), as evidenced by the increase in records and targets for port 42 scans: http://isc.sans.org/port_details.php?port=42

If you're running WINS exposed on the internet, uhm, please stop it?

Update: Mysterious UDP Solved?

One of our diligent handlers was able to locate a compromised system sending out malformed UDP packets identical to those we've been describing over the past few days. The proposed solution to this conundrum is as follows:

Mr. L. Haxor lives in the 83.102.166.0/24 netblock. Haxor irritates some of his fellow kiddies on IRC. One decides to teach Mr. Haxor a lesson, by at least partially custom coding a severely broken implementation of a relfective amplification attack via recursive DNS queries. Had his packet-fu not been so bad, this probably would have been a pretty decent attack. As it stands, it ended up being a limited resource exhaustion attack against analysts' cycles.

A big thanks to everyone who submitted packets and assisted with analysis.

For more information on how to prevent your resources from being used in a *successful* DoS attack, check out the following guide: http://www.sans.org/dosstep/

Update: Top Ten Diaries

We've received a ton of suggestions for the Top Ten Diares of 2004 - keep em coming!

We all love Tom Liston's "Follow The Bouncing Malware," too. ;)

Microsoft Black Tuesday Coming Attractions!

As a disinterested observer in the world of cyclical patching of Windows boxes, I'm always fascinated with the quasi-ritualistic undertones given to updating since Microsoft's shift to a (allegedly) monthly patch-and-release program. It's as if promptly patching on MS Tuesday is an offering of sorts to the old gods, Lovecraftian horrors the likes of which we dare not speak of lest we invoke their terrible wrath.*

... sorry 'bout that ...

* Tune in tomorrow for the chills, spills and thrills of no less than *FIVE* security bulletins!

* Recoil in horror as you realize one or more of these bulletins will be *IMPORTANT* in severity!

* Cry out as you may or may not be forced to reboot!


All this and MUCH MORE awaits you at the Microsoft Security Bulletin Advance Notification site! http://www.microsoft.com/technet/security/bulletin/advance.mspx

**********************

Cory Altheide

Handler on Duty

caltheide@isc.sans.org

**********************

*Please don't let my observations imply any sort of disdain for conscientious Tuesday patchers or those forced to admin Windows boxes. I greatly admire the sacrifices you make in order to keep the Great Old Ones from devouring the net.
Keywords:
0 comment(s)

Comments


Diary Archives