reply to jeisenberg
Re: Blackice "Witty" Worm: source port 4000 UDP
That is one of the things that made this worm unique: the source port is usually dynamic and the destination port is static, but this was reversed in the Witty worm. Now certainly this is somewhat unique to ISS products, and I would think that it was meant as a security measure to vary the ports used between installations, but if it is coded it can be cracked, it just takes some time (cracking code is like trying to figure out where a train goes when you're standing on the tracks, it just takes some time).
Given that this worm is clearly malicious/criminal and has 'real' damage directly associated with it, if they ever catch whoever is responsible I can see real jail time and such in their future, not to mention pretty well endless civil suits. I would also hope that eEye and ISS worked together in harmony on this.
A week might not be long enough to patch 6000 laptops, considering some might be used by remote users (for example traveling sales dudes who have been out of town for longer than a week). This exploit didn't take very long to hit the streets, so either they were working on it independently (most likely) or they were totally tipped off by eEye's announcement, which would be bad as then we might have to rethink the delays between patch releases and announcements of vuls.
Vendor: Firewall Logging Software: www.SonicLogger.com (SonicWall and 3Com), www.LinkLogger.com (Linksys, Netgear and Zyxel)
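As an added example (not part of the post above, and not code from any firewall vendor), the reversed-port pattern the reply describes, a fixed UDP source port 4000 spraying many different destination ports, can be picked out of firewall logs with a few lines. The log format and the sample lines below are constructed for illustration, and the threshold of three distinct destination ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in a hypothetical format:
# "<time> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
12:00:01 UDP 192.0.2.10:4000 -> 198.51.100.5:1337
12:00:01 UDP 192.0.2.10:4000 -> 198.51.100.77:53100
12:00:02 UDP 192.0.2.10:4000 -> 203.0.113.9:2049
12:00:02 UDP 192.0.2.10:4000 -> 203.0.113.200:61000
12:00:02 UDP 192.0.2.44:4000 -> 198.51.100.5:4000
12:00:03 UDP 192.0.2.44:50213 -> 198.51.100.9:53
12:00:03 TCP 192.0.2.10:4000 -> 198.51.100.5:80
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_witty_like_sources(log_text, src_port=4000, min_distinct_dports=3):
    """Return {src_ip: sorted distinct destination ports} for every source that
    sends UDP from the fixed source port to at least min_distinct_dports
    different destination ports (static source / dynamic destination).
    Normal clients (dynamic source, static destination) are not flagged."""
    dports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "UDP" and rec["sport"] == src_port:
            dports[rec["src"]].add(rec["dport"])
    return {ip: sorted(p) for ip, p in dports.items()
            if len(p) >= min_distinct_dports}


if __name__ == "__main__":
    for ip, ports in find_witty_like_sources(SAMPLE_LOG).items():
        print(f"{ip}: UDP sport 4000 to {len(ports)} distinct dports {ports}")
```

A single UDP packet from source port 4000 is not enough on its own (192.0.2.44 above is not flagged); the signal is one host fanning out from that fixed source port to many destination ports.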