www.windowsupdate.com isn't used for anything. It used to redirect to windowsupdate.microsoft.com

If customers need to download patches they should be going to the Windows Update link in their start menus which goes to windowsupdate.microsoft.com or www.windows.com

30 mins to go...

Regards
Nathan
Microsoft NZ

-----Original Message-----
From: Malcolm Lockyer [mailto:ipvariance(a)hotmail.com]
Sent: Friday, 15 August 2003 11:23 p.m.
To: lennon(a)orcon.net.nz; simon.lyall(a)ihug.co.nz
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] blaster worm

--snippity--
Subject: Re: [nznog] blaster worm Date: 15 Aug 2003 21:56:15 +1200
--snippity--
Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything or what?
Except that it makes it a more effective DOS. Because then NOBODY can reach windowsupdate regardless - instead of just painfully slowly - or decently for whatever Akamai based reason.

Time to hold onto whatever body part you guys value - here comes the storm. Although on a side note I hope the blaster infections are lower than I think they are - because all of you have been blocking netbios / 139tcp / etc. since this thing broke out. Right?

Should be a more interesting 24 hours then eh? :-|

m

Thanks
Craig Whitmore
Orcon Internet
http://www.orcon.net.nz
--snippity--
_______________________________________________
Nznog mailing list
Nznog(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
Maybe every ISP should point it to windowsupdate.microsoft.com instead of 127.0.0.1 *chuckle*. That would only favour the person that wrote the virus.
Guess we can't all win.
10mins to go...
Barry
----- Original Message -----
From: "Nathan Mercer"
Subject: Re: [nznog] blaster worm Date: 15 Aug 2003 21:56:15 +1200
--snippity--
Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything or what?
Except that it makes it a more effective DOS. Because then NOBODY can reach windowsupdate regardless - instead of just painfully slowly - or decently for whatever Akamai based reason.

Time to hold onto whatever body part you guys value - here comes the storm. Although on a side note I hope the blaster infections are lower than I think they are - because all of you have been blocking netbios / 139tcp / etc. since this thing broke out. Right?

Should be a more interesting 24 hours then eh? :-|

m

Thanks
Craig Whitmore
Orcon Internet
http://www.orcon.net.nz
--snippity--
> Maybe every ISP should point it to windowsupdate.microsoft.com instead of 127.0.0.1 *chuckle*. That would only favour the person that wrote the virus.
> Guess we can't all win. 10mins to go...

Uh, everyone seems to be assuming that this worm uses local time zones to decide when to start its attack? Have any of the anti-virus firms or security advisories actually said that?

Would it not be more logical for the worm to use something like GMT time so that worms all around the world will actually start sending at the *same* time instead of spreading their start times out over 24 hours?

Guess we'll find out for sure in little under 3 hours :)

Regards,
Simon
According to the latest article on CNET
http://news.com.com/2100-1002_3-5064433.html?tag=fd_top

Quote: "The worm is programmed to start attacking Windowsupdate.com at midnight Friday in each time zone. As a result, Australia was among the first countries slated to be affected, with its midnight hitting at 7 a.m. PDT"

Regards,
Jithen

-----Original Message-----
From: Simon Byrnand [mailto:simon(a)igrin.co.nz]
Sent: Saturday, 16 August 2003 9:26 a.m.
To: Barry Murphy
Cc: nznog(a)list.waikato.ac.nz
Subject: Re: [nznog] blaster worm

> Maybe every ISP should point it to windowsupdate.microsoft.com instead of 127.0.0.1 *chuckle*. That would only favour the person that wrote the virus.
> Guess we can't all win. 10mins to go...

Uh, everyone seems to be assuming that this worm uses local time zones to decide when to start its attack? Have any of the anti-virus firms or security advisories actually said that?

Would it not be more logical for the worm to use something like GMT time so that worms all around the world will actually start sending at the *same* time instead of spreading their start times out over 24 hours?

Guess we'll find out for sure in little under 3 hours :)

Regards,
Simon
> According to the latest article on CNET
> http://news.com.com/2100-1002_3-5064433.html?tag=fd_top
> Quote: "The worm is programmed to start attacking Windowsupdate.com at midnight Friday in each time zone. As a result, Australia was among the first countries slated to be affected, with its midnight hitting at 7 a.m. PDT"

Ok cheers, hadn't spotted that one.... Well I guess it could have been much worse then, if worms all around the world had actually started attacking at the same instant...

Regards,
Simon
<paste>
daork(a)hermes daork $ host -t a windowsupdate.com dns3.uk.msft.net
Using domain server:
Name: dns3.uk.msft.net
Addresses: 213.199.144.151

daork(a)hermes daork $ host -t soa windowsupdate.com dns3.uk.msft.net
Using domain server:
Name: dns3.uk.msft.net
Addresses: 213.199.144.151

windowsupdate.com start of authority dns.cp.msft.net msnhst.microsoft.com(
        2003081503 ;serial (version)
        900 ;refresh period
        600 ;retry refresh this often
        600000 ;expiration period
        3600 ;minimum TTL
        )
</paste>

... And on XTRA

<paste>
daork(a)hermes daork $ host -t a windowsupdate.com alien.xtra.co.nz
Using domain server:
Name: alien.xtra.co.nz
Addresses: 202.27.184.3

windowsupdate.com has address 204.79.188.11
windowsupdate.com has address 204.79.188.12

daork(a)hermes daork $ host -t soa windowsupdate.com alien.xtra.co.nz
Using domain server:
Name: alien.xtra.co.nz
Addresses: 202.27.184.3

windowsupdate.com start of authority alien.xtra.co.nz soa.xtra.co.nz(
        2003150807 ;serial (version)
        10800 ;refresh period
        3600 ;retry refresh this often
        360000 ;expiration period
        1800 ;minimum TTL
        )
</paste>

Now that's just plain un-cool. This was not the case yesterday when I tried alien and terminator for windowsupdate.com I don't think.

I also notice the dates in the serial on the official Microsoft DNS.. silly American dates.. I wonder if that's caused them any problems using dates like in a logical number format like that? I'm betting on yes.

Nathan Ward

On Fri, Aug 15, 2003 at 09:32:43PM +1000, Nathan Mercer wrote:
> www.windowsupdate.com isn't used for anything. It used to redirect to windowsupdate.microsoft.com
>
> If customers need to download patches they should be going to the Windows Update link in their start menus which goes to windowsupdate.microsoft.com or www.windows.com
>
> 30 mins to go...
>
> Regards
> Nathan
> Microsoft NZ
>
> -----Original Message-----
> From: Malcolm Lockyer [mailto:ipvariance(a)hotmail.com]
> Sent: Friday, 15 August 2003 11:23 p.m.
> To: lennon(a)orcon.net.nz; simon.lyall(a)ihug.co.nz
> Cc: nznog(a)list.waikato.ac.nz
> Subject: Re: [nznog] blaster worm
>
> --snippity--
> Subject: Re: [nznog] blaster worm Date: 15 Aug 2003 21:56:15 +1200
> --snippity--
> Make www.windowsupdate.com point to 127.0.0.1 so it doesn't do anything or what?
>
> Except that it makes it a more effective DOS. Because then NOBODY can reach windowsupdate regardless - instead of just painfully slowly - or decently for whatever Akamai based reason.
>
> Time to hold onto whatever body part you guys value - here comes the storm. Although on a side note I hope the blaster infections are lower than I think they are - because all of you have been blocking netbios / 139tcp / etc. since this thing broke out. Right?
>
> Should be a more interesting 24 hours then eh? :-|
>
> m
>
> Thanks
> Craig Whitmore
> Orcon Internet
> http://www.orcon.net.nz
> --snippity--
On Sat, 2003-08-16 at 17:34, nward(a)esphion.com wrote:
[snip]
> daork(a)hermes daork $ host -t a windowsupdate.com alien.xtra.co.nz
> Using domain server:
> Name: alien.xtra.co.nz
> Addresses: 202.27.184.3
>
> windowsupdate.com has address 204.79.188.11
> windowsupdate.com has address 204.79.188.12
>
> daork(a)hermes daork $ host -t soa windowsupdate.com alien.xtra.co.nz
> Using domain server:
> Name: alien.xtra.co.nz
> Addresses: 202.27.184.3
>
> windowsupdate.com start of authority alien.xtra.co.nz soa.xtra.co.nz(
>         2003150807 ;serial (version)
>         10800 ;refresh period
>         3600 ;retry refresh this often
>         360000 ;expiration period
>         1800 ;minimum TTL
>         )
> </paste>
>
> Now that's just plain un-cool. This was not the case yesterday when I tried alien and terminator for windowsupdate.com I don't think.

That can't be right, what's soa.xtra.co.nz doing in there? Has Xtra become authoritative for windowsupdate.com with a serial number much higher than Microsoft's and still serving A records after MS have taken them down? I'm figuring most DNS systems will eventually disregard it as undelegated, but still there's something odd going on.

--
Kerry Thompson, CISSP
IT Security Consultant
Auckland, New Zealand
http://www.crypt.gen.nz
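
The comparison made by eye in the two messages above, written out as an added example that is not part of the original thread: it parses the two SOA answers pasted there, lists the fields on which the resolver's answer differs from the one given by Microsoft's server, and checks which date layout each serial fits. Function names are illustrative, and reading a serial as a date plus revision number is an assumption about the operators' convention.

```python
import re
from datetime import date

# SOA answers as pasted in the thread (old-style `host -t soa` output).
MICROSOFT = """windowsupdate.com start of authority dns.cp.msft.net msnhst.microsoft.com(
    2003081503 ;serial (version)
    900 ;refresh period
    600 ;retry refresh this often
    600000 ;expiration period
    3600 ;minimum TTL
    )"""
XTRA = """windowsupdate.com start of authority alien.xtra.co.nz soa.xtra.co.nz(
    2003150807 ;serial (version)
    10800 ;refresh period
    3600 ;retry refresh this often
    360000 ;expiration period
    1800 ;minimum TTL
    )"""

SOA_RE = re.compile(r"(\S+) start of authority (\S+) (\S+?)\(\s*(\d+)")

def parse_soa(text):
    """Return zone, primary server (MNAME), contact (RNAME) and serial."""
    m = SOA_RE.search(text)
    if not m:
        raise ValueError("no SOA record in input")
    zone, mname, rname, serial = m.groups()
    return {"zone": zone, "mname": mname, "rname": rname, "serial": int(serial)}

def serial_layouts(serial):
    """Date layouts under which a 10-digit serial is a real calendar date."""
    s = f"{serial:010d}"
    year, a, b = int(s[:4]), int(s[4:6]), int(s[6:8])
    out = {}
    for name, (month, day) in {"YYYYMMDDnn": (a, b), "YYYYDDMMnn": (b, a)}.items():
        try:
            out[name] = date(year, month, day)
        except ValueError:
            pass  # not a calendar date under this layout
    return out

def compare(reference, observed):
    """Names of SOA fields where a resolver's answer differs from the reference."""
    return [k for k in ("mname", "rname", "serial")
            if str(reference[k]).lower() != str(observed[k]).lower()]
```

A changed MNAME and RNAME show that the resolver is answering from a zone configured on itself rather than from cached data. Each of the two serials is a valid date under only one layout, and in both cases that date is 15 August 2003, so the numeric gap between them comes from field order.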
participants (6): Barry Murphy, Jithen Singh, Kerry Thompson, Nathan Mercer, nward@esphion.com, Simon Byrnand