North American Network Operators Group


Fw: Impending (mydoom) DOS attack

  • From: james
  • Date: Fri Jan 30 20:08:42 2004

OK, enough ppl are asking so I will post this publicly, instead
of just sending it to those who asked.
Since I do not understand assembly or FORTH I cannot
verify what this guy on the full disclosure list said, and so far
no one on the list is commenting on this person's post.

So I make NO claims about this.

James Edwards
Routing and Security Administrator
[email protected]
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
505-988-9200 SIP:1(747)669-1965


This is from the full disclosure list:

: :
: : Here's why people have been getting inconsistent results when setting
: : the system date forward and looking for the DoS attack to start:
: :
: : Beginning of DDoS date check subroutine:
: :
: : 4A3DB0 PUSH EBP                                 ;  callCreateSCOddos
: : 4A3DB1 MOV EBP,ESP
: : 4A3DB3 SUB ESP,10
: :
: :
: : Get the current system time as a FILETIME struct:
: :
: : 4A3DB6 LEA EAX,DWORD PTR SS:[EBP-8]
: : 4A3DB9 PUSH EAX
: : 4A3DBA CALL DWORD PTR DS:[<&KERNEL32.GetSystemTimeAsFileTime>]
: :
: :
: : Convert the stored DoS start date from SystemTime to FileTime:
: :
: : 4A3DC0 LEA EAX,DWORD PTR SS:[EBP-10]
: : 4A3DC3 PUSH EAX
: : 4A3DC4 MOV EAX,DWORD PTR SS:[EBP+8]
: : 4A3DC7 ADD EAX,214
: : 4A3DCC PUSH EAX                                  ; Feb 1, 2004
: : 4A3DCD CALL DWORD PTR DS:[<&KERNEL32.SystemTimeToFileTime>]
: :
: :
: : Compare high-order dword dwHighDateTime:
: :
: : 4A3DD3 MOV EAX,DWORD PTR SS:[EBP-4]
: : 4A3DD6 CMP EAX,DWORD PTR SS:[EBP-C]
: : 4A3DD9 JB SHORT <message.skipDoS>
: :
: :
: : Compare low-order dword wLowDateTime:
: :
: : 4A3DDB MOV EAX,DWORD PTR SS:[EBP-8]
: : 4A3DDE CMP EAX,DWORD PTR SS:[EBP-10]
: : 4A3DE1 JB SHORT <message.skipDoS>
: :
: :
: : Start the DoS:
: :
: : 4A3DE3 CALL <message.createSCOddos>             ; DoS_Loop
: : 4A3DE8 PUSH 400
: : 4A3DED CALL DWORD PTR DS:[<&KERNEL32.Sleep>]
: : 4A3DF3 JMP SHORT <message.DoS_Loop>
: : 4A3DF5 LEAVE                                    ; skipDos
: : 4A3DF6 RETN
: :
: : From MSDN:
: : The FILETIME structure is a 64-bit value representing the number of
: : 100-nanosecond intervals since January 1, 1601 (UTC).
: :
: : typedef struct _FILETIME {
: :   DWORD dwLowDateTime;
: :   DWORD dwHighDateTime;
: : } FILETIME,
: : *PFILETIME;
: :
: : The stored starttime as filetime is:
: : 0xbe9ecb00
: : 0x01c3e8dd
: :
: : Because the dwords are compared independently, the DoS will not start
: : anytime the current dwLowDateTime is less than 0xbe9ecb00, no matter
: : what the dwHighDateTime is. Obviously, this is close to three-quarters
: : of the time.
: :
: : -Joe
: :
: : -- 
: : Joe Stewart, GCIH
: : Senior Security Researcher
: : LURHQ http://www.lurhq.com/
: :
: : ----- Original Message ----- 
: : From: "bcm" <[email protected]>
: : To: <[email protected]>
: : Sent: Friday, January 30, 2004 2:18 PM
: : Subject: Impending (mydoom) DOS attack
: :
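The following is an added worked example, not part of the forwarded post or of any analysis by Joe Stewart or LURHQ. It models the comparison the disassembly above performs (two independent unsigned dword compares, each followed by JB to skipDoS) beside the correct 64-bit comparison, using only the two dwords quoted in the post (0x01c3e8dd / 0xbe9ecb00) as the stored start time. It shows why an analyst who sets the system clock forward gets inconsistent results: once the high dword has caught up, the check only passes while the low dword of the current time happens to be at or above 0xbe9ecb00, which is the last ~110 seconds of every ~430-second wrap of the low dword. The sample timestamps are constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone

# Stored DoS start time, as the two FILETIME dwords quoted in the post.
START_LOW = 0xBE9ECB00   # dwLowDateTime
START_HIGH = 0x01C3E8DD  # dwHighDateTime

MASK32 = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100-nanosecond intervals


def datetime_to_filetime(dt):
    """Return (dwLowDateTime, dwHighDateTime) for a timezone-aware datetime."""
    delta = dt - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND
    ticks += delta.microseconds * 10
    return ticks & MASK32, (ticks >> 32) & MASK32


def filetime_to_datetime(low, high):
    """Inverse of datetime_to_filetime (sub-microsecond ticks are dropped)."""
    ticks = (high << 32) | low
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def flawed_check(now_low, now_high):
    """Mirror of the disassembled logic at 4A3DD3..4A3DE1.

    Each dword is compared on its own; JB (unsigned below) skips the DoS.
    A greater high dword does NOT short-circuit the low-dword compare, so
    the low dword of *now* must independently be >= START_LOW.
    """
    if now_high < START_HIGH:   # CMP EAX,[EBP-C] / JB skipDoS
        return False
    if now_low < START_LOW:     # CMP EAX,[EBP-10] / JB skipDoS
        return False
    return True


def correct_check(now_low, now_high):
    """What the author presumably intended: one 64-bit unsigned compare."""
    now64 = (now_high << 32) | now_low
    start64 = (START_HIGH << 32) | START_LOW
    return now64 >= start64


def fraction_of_time_armed():
    """Share of each low-dword wrap during which the flawed check passes."""
    return (2 ** 32 - START_LOW) / 2 ** 32


def armed_window_seconds():
    """Length of the passing window within each wrap, and the wrap period."""
    window = (2 ** 32 - START_LOW) / TICKS_PER_SECOND
    period = 2 ** 32 / TICKS_PER_SECOND
    return window, period


def evaluate(dt):
    """Return (flawed_result, correct_result) for a given UTC datetime."""
    low, high = datetime_to_filetime(dt)
    return flawed_check(low, high), correct_check(low, high)


if __name__ == "__main__":
    start = filetime_to_datetime(START_LOW, START_HIGH)
    print("stored start time:", start.isoformat())
    w, p = armed_window_seconds()
    print(f"flawed check passes {w:.1f}s out of every {p:.1f}s "
          f"({fraction_of_time_armed():.1%})")
    # Constructed probe times around the start time.
    for label, dt in [("one day before", start - timedelta(days=1)),
                      ("exactly at start", start),
                      ("one minute after", start + timedelta(minutes=1)),
                      ("three minutes after", start + timedelta(minutes=3))]:
        flawed, correct = evaluate(dt)
        print(f"{label:20s} flawed={flawed!s:5s} correct={correct}")
```

Three minutes after the start time the low dword has wrapped past 2^32 and carried into the high dword, so the correct comparison is true while the flawed one falls through the second JB and returns; that is the behaviour the post describes as the DoS not starting "close to three-quarters of the time". For detection and testing purposes the practical consequence is that the routine's outcome depends on the moment the subroutine is entered, not merely on whether the date has passed.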