New MS Advisory
A few days ago, a POC for a DOS on RPC was published on Full-Disclosure. Now, MS has released an advisory for this.
Although according to the author of the POC:
[Start Quote]
After some time the memory usage comes down and the target system would work as normal.
However this code when continuously executed against a target leads to a sustained DOS attack.
[End Quote]
And MS says:
[Start Quote]
Mitigating Factors:
- On Windows XP Service Pack 1 an attacker must have valid logon credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.
- Customers who are running Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.
- Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
[End Quote]
Update: Bot Honeypot
Hmmm I wonder… will this DOS attack be incorporated into BOTS?
And speaking of BOTS, what’s new with the BOT Honeypot you say?
Introduction
Here at TMIRT, we have a case monitoring system wherein we track the source of the samples that we submit. When the BOT Honeypot was first set up and exposed to the “world”, the case monitoring system was not yet updated to reflect the source as “Bot Honeypot”. Around 10-20 samples were submitted that did not have “BOT Honeypot” as the source (they were submitted as “Others”).
With that introduction, here are the numbers of samples submitted since the “BOT Honeypot” source was added:
- November 10: 10
- November 11: 8
- November 12: 4
- November 13: 3
- November 14: 1
- November 15: 2
- *When I noticed the numbers dropping, I modified the scripts (yes, I know there was a drawback in my previous script, or it may just be coincidence that after I modified it, the count went up again ehehehe)
- November 16: 3
- November 17: 7