
atangel
Now What??
Premium
join:2002-02-18
Mount Vernon, NY
reply to justin

Re: Blackice "Witty" Worm: source port 4000 UDP

I agree with Justin, the "good ole days" where viruses destroyed the system they were on may be back, and I had thought the same thing. Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).

Some people are in for a rude surprise. And they will also be the ones screaming loudest.
--
The reason you think I'm way on the left is 'cause you're so far to the right.
Dell Dimension, XP Pro, 2.4 Ghz, 512MB, BEFSX41, ZAP 4.5, NOD32, BOClean, Adaware, Spybot, MW Pro, The Bat!

psloss
Premium
join:2002-02-24
Lebanon, KS
said by atangel:
Can't destroy the PC you are on if you want to use it, but it also has contributed to the general apathy, I think, of most people. They hear about pop-ups (or get them and think it is part of the net) or they hear about a friend who got a virus, but no big deal, because there were no consequences really (they weren't inconvenienced).
This factors into the miscreants' "strategy", though, too. Apathy is good for them, and of course the opposite isn't. Dead PCs are just as bad for those miscreants as they are for their owners -- for completely different reasons.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org


SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
reply to atangel
It is ironic how in this case running a "security product" makes you actually more vulnerable.

This is just a reminder that computer security is never a "set-it-and-forget-it" process.

I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.

psloss
Premium
join:2002-02-24
Lebanon, KS
said by SYNACK:
I wonder why the author decided to keep the source port constant? Implementation of a random source port would have made this even nastier to track.
I was/am wondering that, too, but it occurred to me that it's probably faster to bind to a single port and then fire out 20000 packets than to both grab a new source port (indirectly via the OS) and send out the packet 20000 times. (Notice how I made the former sound faster... )

That's what I was speculating about with "performance" above.

I do agree that letting the OS pick an open ephemeral port would make this harder to track.

Philip Sloss
--
Feedback? e-mail: stuff@lupwa.org
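
An added example, not part of any post in this thread: the fixed UDP source port discussed above is what makes the traffic easy to pick out of flow or firewall logs. The sketch below counts distinct destinations per host for UDP sent from source port 4000. The log format, the addresses and the min_targets threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (assumed format, not from the thread):
#   time proto src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
00:00:01 UDP 192.0.2.10:4000 -> 198.51.100.7:20114
00:00:01 UDP 192.0.2.10:4000 -> 203.0.113.54:8812
00:00:01 UDP 192.0.2.10:4000 -> 198.51.100.201:40977
00:00:02 UDP 192.0.2.10:4000 -> 203.0.113.9:1530
00:00:02 UDP 192.0.2.20:4000 -> 198.51.100.7:4000
00:00:03 UDP 192.0.2.30:1042 -> 198.51.100.8:53
00:00:03 UDP 192.0.2.30:1043 -> 198.51.100.9:53
00:00:03 UDP 192.0.2.30:1044 -> 203.0.113.2:53
00:00:04 TCP 192.0.2.10:4000 -> 198.51.100.7:80
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return (proto, src_ip, src_port, dst_ip, dst_port) or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, src_port = parts[2].rsplit(":", 1)
        dst_ip, dst_port = parts[4].rsplit(":", 1)
        return parts[1].upper(), src_ip, int(src_port), dst_ip, int(dst_port)
    except ValueError:
        return None

def fixed_port_fanout(log_text, src_port=4000, min_targets=3):
    """Map each source host to its count of distinct UDP destinations
    reached from src_port, keeping hosts at or above min_targets."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src_ip, sport, dst_ip, _ = rec
        if proto == "UDP" and sport == src_port:
            targets[src_ip].add(dst_ip)
    return {ip: len(d) for ip, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for host, count in fixed_port_fanout(SAMPLE_LOG).items():
        print(f"{host}: UDP/4000 source to {count} distinct destinations")
```

Host 192.0.2.30 in the sample uses a fresh source port per packet and is not matched, which is the tracking problem raised in the posts above: with OS-assigned ephemeral ports, a filter on source port alone would no longer work.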