[PLUG] A little worm sniffing

Elliott Mitchell ehem at m5p.com
Sun Jun 22 14:27:02 UTC 2003


> From: srau at rauhaus.org (Stafford A. Rau)
> * Elliott Mitchell <ehem at m5p.com> [030621 23:34]:
> > I'd say there is no need to notify no-ip.org though. Notice the IP
> > address they're returning? 255.255.255.255 is the global broadcast IP
> > address.
> 
> Yes, I'm well enough versed in ip fundamentals to know what an all-ones
> broadcast is. However, returning 255.255.255.255 in the answer section
> of a DNS reply is not the same thing as trying to send unicast (or
> broadcast) traffic to that address.

Exactly. At worst the packets will merely be dropped, disabling the worm.
At best the packets will show up very prominently on someone's logs and
get the infected system noticed. Unless you've got other infected systems
on your network?

> No-ip.org is, now that I've taken a look, a dynamic dns registration
> service. Say, for instance, that I had a host on a cable internet
> service and had to get my ip via dhcp. However, suppose I wanted all my
> buddies to be able to get to that host by name whenever it was up and
> running. I could install the no-ip.org client on my host, and whenever
> that host gets a dhcp-assigned address, the no-ip.org client then calls
> up no-ip.org, does some sort of authentication (not address-based,
> obviously), and tells no-ip.org to return my dhcp address as the reply
> to dns queries for stafford-at-home.no-ip.org.
> 
> It may be that no-ip.org returns 255.255.255.255 for all hostnames that
> they have registered but which they have not heard from the client with
> a new address.

$ host stafford-at-home.no-ip.org
Host stafford-at-home.no-ip.org not found: 3(NXDOMAIN)
$ host nonexistantreallymeaninglessstring.no-ip.org
Host nonexistantreallymeaninglessstring.no-ip.org not found: 3(NXDOMAIN)
$ host fucktard.no-ip.org
fucktard.no-ip.org has address 255.255.255.255

Doesn't look like it.

> Regardless, whoever registered "fucktard" with them is using it as the
> phone-home signal for their bit of irc remote control nastiness, and the
> no-ip.org folks need to not accept new ip address client requests for
> that hostname.

Looks like that is already the case.


-- 
(\___(\___(\______          --=> 8-) EHM <=--          ______/)___/)___/)
 \   (    |         EHeM at gremlin.m5p.com PGP 8881EF59         |    )   /
  \_  \   |  _____  -O #include <stddisclaimer.h> O-   _____  |   /  _/
    \___\_|_/82 04 A1 3C C7 B1 37 2A*E3 6E 84 DA 97 4C 40 E6\_|_/___/
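A worked example, added here and not part of the original thread, of the two checks the exchange above implies: classify what a resolver hands back for the worm's phone-home name (NXDOMAIN, sinkholed to 255.255.255.255, or a routable address the controller could actually live at), and pull out of a BIND-style query log which internal hosts are looking that name up, since those are the infected machines. The log lines are constructed; treating 0.0.0.0 and loopback as dead answers alongside 255.255.255.255 goes beyond the post and is my assumption.

```python
import ipaddress
import re
from collections import defaultdict

# Hostname the thread identifies as the worm's phone-home name (from the post).
WORM_HOSTNAME = "fucktard.no-ip.org"

# Answers that can never carry a unicast TCP session to an IRC server.
# 255.255.255.255 is the value observed in the post; 0.0.0.0 is added here as
# an assumption (another common dead value handed out for sinkholed names).
DEAD_ANSWERS = {
    ipaddress.ip_address("255.255.255.255"),
    ipaddress.ip_address("0.0.0.0"),
}


def classify_answer(rcode, addresses):
    """Classify a DNS A-record reply for the phone-home name.

    Returns one of:
      "nxdomain"  - name does not exist; the worm gets no address at all
      "nodata"    - name exists but has no A record; same practical effect
      "sinkholed" - only dead addresses (broadcast, 0.0.0.0, loopback) returned
      "live"      - at least one routable address; the controller may be reachable
    """
    if rcode == "NXDOMAIN":
        return "nxdomain"
    addrs = [ipaddress.ip_address(a) for a in addresses]
    if not addrs:
        return "nodata"
    if all(a in DEAD_ANSWERS or a.is_loopback for a in addrs):
        return "sinkholed"
    return "live"


# BIND-style query log line: "... client 10.0.0.5#1027: query: name IN A +"
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def find_phone_home_clients(log_lines, hostname=WORM_HOSTNAME):
    """Return {client_ip: query_count} for clients that looked up the worm's name.

    Matching is case-insensitive and ignores a trailing dot, so a client that
    queries "FUCKTARD.no-ip.org." is still counted.
    """
    hits = defaultdict(int)
    target = hostname.lower()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        if m.group("name").rstrip(".").lower() == target:
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample query log (not real data): two hosts ask for the worm's
# name, one of them twice; the others look up unrelated names.
SAMPLE_QUERY_LOG = """\
22-Jun-2003 14:20:01.104 client 192.168.1.23#1027: query: fucktard.no-ip.org IN A +
22-Jun-2003 14:20:01.390 client 192.168.1.7#2048: query: www.kernel.org IN A +
22-Jun-2003 14:25:01.117 client 192.168.1.23#1031: query: fucktard.no-ip.org IN A +
22-Jun-2003 14:25:44.902 client 192.168.1.51#1100: query: FUCKTARD.no-ip.org. IN A +
22-Jun-2003 14:26:10.003 client 192.168.1.7#2049: query: stafford-at-home.no-ip.org IN A +
""".splitlines()


if __name__ == "__main__":
    # What the post observed for the three lookups, fed in as captured values.
    print("fucktard.no-ip.org:", classify_answer("NOERROR", ["255.255.255.255"]))
    print("stafford-at-home.no-ip.org:", classify_answer("NXDOMAIN", []))
    for ip, count in sorted(find_phone_home_clients(SAMPLE_QUERY_LOG).items()):
        print(f"{ip} queried {WORM_HOSTNAME} {count} time(s); check it for the worm")
```

The resolver side tells you whether the controller is still reachable; the query-log side is the part that finds the infected hosts, which is where the "other infected systems on your network" question above gets answered.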