[Scg-sec] Any word from SCO or Microsoft
Smith, Donald
Donald.Smith at qwest.com
Fri Jan 30 15:41:53 EST 2004
telnet www.microsoft.com 80
get /
"bad request invalid verb"
telnet www.sco.com 80
get /
^M
"FW-1 at tw-vw-sco-ut-00: Sorry, the method you tried to use is not allowed. Sorry the method you tried to use is not allowed."
Notice the different reactions to the get. SCO identifies their firewall software :-(
Donald.Smith at qwest.com GCIA
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF00EDCC
eye reserve the write to be rong butt don't xercise it two off ten.
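The banner-grabbing probe above (send a non-standard method line, read back the error page, and see what the error text gives away) as an added worked example. This is not code from the post or from either company: the only strings taken from the post are the two error bodies; the status lines, headers, the signature-to-product mapping, the regex that pulls the gateway name out of the FW-1 banner, and the throwaway local listener that stands in for the remote hosts are all my own constructions.

```python
"""Probe an HTTP endpoint with a lowercase/unknown method and fingerprint the
error it returns.  Added example; sample responses are constructed, with only
the body text taken from the quoted telnet sessions."""
import re
import socket
import threading

# Constructed sample responses.  Status lines and headers are assumptions;
# the body text is what the post shows each site returning.
SAMPLE_FW1 = (b"HTTP/1.0 405 Method Not Allowed\r\n"
              b"Content-Type: text/plain\r\n\r\n"
              b"FW-1 at tw-vw-sco-ut-00: Sorry, the method you tried to use "
              b"is not allowed.\r\n")
SAMPLE_IIS = (b"HTTP/1.1 400 Bad Request\r\n"
              b"Server: example-origin\r\n\r\n"
              b"bad request invalid verb\r\n")

# Assumed mapping from error-text signatures to what they reveal.  The FW-1
# pattern captures the gateway hostname that follows "FW-1 at", which is the
# leak the post complains about; the IIS-style string names no host.
SIGNATURES = [
    ("Check Point FW-1 HTTP security server (gateway name leaked)",
     re.compile(r"FW-1 at ([^:\s]+):")),
    ("Generic 'invalid verb' error (no gateway/host leaked)",
     re.compile(r"invalid verb", re.I)),
]


def fingerprint(raw: bytes) -> dict:
    """Classify a raw HTTP response by its Server header and error text."""
    text = raw.decode("latin-1", errors="replace")
    result = {"product": None, "gateway": None, "server_header": None}
    m = re.search(r"^Server:\s*(.+?)\r?$", text, re.M | re.I)
    if m:
        result["server_header"] = m.group(1).strip()
    for label, pattern in SIGNATURES:
        m = pattern.search(text)
        if m:
            result["product"] = label
            if m.groups():
                result["gateway"] = m.group(1)
            break
    return result


def probe(host: str, port: int, method: bytes = b"get",
          path: bytes = b"/", timeout: float = 5.0) -> bytes:
    """Send 'get /' plus a blank line (the ^M in the post) and read until
    the peer closes.  Method tokens are case-sensitive, so 'get' is not GET,
    which is why each side answers with its own error page."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(method + b" " + path + b"\r\n\r\n")
        chunks = []
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # treat a silent peer as end of response
    return b"".join(chunks)


def serve_once(response: bytes) -> int:
    """Throwaway local listener (stand-in for the remote site) that answers
    the first connection with `response` and exits.  Returns the bound port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # consume the probe; its content is irrelevant
            conn.sendall(response)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def demo(response: bytes = SAMPLE_FW1) -> dict:
    """Run the full exchange against the local stand-in and fingerprint it."""
    port = serve_once(response)
    return fingerprint(probe("127.0.0.1", port))


if __name__ == "__main__":
    for sample in (SAMPLE_FW1, SAMPLE_IIS):
        print(demo(sample))
```

Run it as-is to see the two constructed responses classified; point probe() at a real host and port to repeat the telnet test from the post without retyping it. The check worth keeping is the gateway capture: an error page that names the enforcement point tells an attacker which product and which box to study before a single exploit is tried.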
> -----Original Message-----
> From: Sarah Garfinkel [mailto:sbg at microsoft.com]
> Sent: Friday, January 30, 2004 12:01 PM
> To: Sean Donelan; Smith, Donald
> Cc: scg-doom at puck.nether.net
> Subject: RE: [Scg-doom] Any word from SCO or Microsoft
>
>
>
> Microsoft has no plans right now to renumber to a new block for any of
> our services. The MyDoom.B variant that has been seen and tested by us
> has not proven to have a successful DoS attack vector, and if someone
> were to fix the variant without a total rewrite it would keep doing DNS
> queries, so changing to a new IP address would seem a very temporary
> measure at best. I have not been looking as much at the (maybe more
> successful) variant aimed at SCO so not sure if that is the same set up
> or not. Obviously, if the virus mutated to a different threat, we will
> respond to the new attack style as best we can and would consider
> renumbering if it made sense (sorry, we do not currently have a
> throwaway block to give out for such a scenario).
>
> We are basically in a full alert status and have all hands standing by
> to start working if the network/service starts getting attacked. If
> anyone has done any tests on the MyDoom.B that seem to show something
> different from our conclusions I would appreciate hearing the
> details, either on-list or off-list.
>
> We are here and want to keep the communications channels open. I am
> monitoring this list and I am going to get a couple of my security
> conscious coworkers on here as well so we can make sure we have no
> single person failure.
>
> Again, my phone number at work is 425-707-3926. My Service Operations
> Center (please don't redistribute or abuse as this is not a public
> number ;) is: 425-705-2686 and just ask for the Networking group (called
> SOCNet). They can escalate to an on-call engineer (by coincidence
> myself until Wednesday) if they cannot handle the issue in house.
>
>
> Thanks for the help!
> Sarah Garfinkel
> MSN Global Network Engineering
>
> > -----Original Message-----
> > From: scg-doom-bounces at puck.nether.net [mailto:scg-doom-
> > bounces at puck.nether.net] On Behalf Of Sean Donelan
> > Sent: Friday, January 30, 2004 9:57 AM
> > To: Smith, Donald
> > Cc: scg-doom at puck.nether.net
> > Subject: RE: [Scg-doom] Any word from SCO or Microsoft
> >
> > On Fri, 30 Jan 2004, Smith, Donald wrote:
> > > Actually it would be helpful if they moved it right before the ddos
> > > starts even if they are not affected.
> > > It would make it easier for us to acquire the list of infected hosts.
> > > Justin, do you know when they will be moving this dns entry to point
> > > at the new_to_be_blackholed_address?
> >
> > It's SCO's call, but from a public relations viewpoint I think both
> > targets want to try to keep their sites up for as long as possible. Just
> > like the ISPs plan on forwarding the packets for as long as possible.
> >
> > 1. attack fizzles
> > 2. attack succeeds, but they withstand it
> > 3. attack succeeds and they go down in flames
> > 4. they pack up and go home, attack succeeds by default
> >
> > We'll be standing by if anyone needs help putting out the flames. But
> > until someone calls for help, we'll let the packets flow.
> >
> > sean donelan
> > sbc security guy
> > _______________________________________________
> > Scg-doom mailing list
> > Scg-doom at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/scg-doom