On Thu, Jul 19, 2001 at 05:11:35PM -0500, Bob Tanner wrote:
> To top it all off, the source addresses are probably spoofed.

I don't think that's so likely.  HTTP requests go over TCP, so spoofing
the address would have to involve TCP sequence prediction.  Given that
this worm exclusively targets IIS, why would the writer bother to include
sufficient complexity to do sequence prediction on Linux when something
Windows-specific would be significantly easier?

Also, if the theory that the deterministic set of "random" addresses
was chosen such that one of them is the author's IP so that he'll know
which machines are infected is correct, spoofing would defeat the purpose.

(OTOH, maybe that's why I've only seen 30 of these requests instead
of several thousand.  I suppose there could have been thousands of
attempts to infect my apache, but it only followed a Redmondian sequence
progression 30 times...)

-- 
It's as if we outlawed cars on the principle that they could be used
to help crooks escape from bank robberies. - Dan Gillmore on the DMCA
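The argument in the reply above (that an HTTP request logged by Apache came over a completed TCP handshake, so the source address can only be forged if the sender can guess the server's initial sequence number) can be illustrated with a small handshake model. This is an added example, not part of the original mailing-list message; the `Server`, `honest_connect` and `blind_spoof_attempt` names are hypothetical, and the model assumes the server accepts a connection only when the final ACK echoes its own ISN plus one, as real TCP stacks do.

```python
import secrets

WINDOW = 1 << 32  # TCP sequence numbers are 32-bit


class Server:
    """Minimal model of the server side of a TCP three-way handshake.

    A connection is recorded as established only when the final ACK
    carries server_isn + 1, i.e. only when the peer has seen the SYN-ACK
    (or has correctly guessed the ISN).
    """

    def __init__(self, isn=None):
        # A modern stack picks an unpredictable ISN; a fixed value models
        # an old, predictable stack.  (Constructed for the example.)
        self.isn = secrets.randbelow(WINDOW) if isn is None else isn
        self.established = []  # source addresses that completed the handshake

    def handle_syn(self, src, client_isn):
        # The SYN-ACK is addressed to `src`; only a host that can observe
        # that packet learns self.isn.
        return ("SYN-ACK", self.isn, (client_isn + 1) % WINDOW)

    def handle_ack(self, src, ack):
        if ack == (self.isn + 1) % WINDOW:
            self.established.append(src)
            return True
        return False


def honest_connect(server, src, client_isn=1000):
    """A genuine client sees the SYN-ACK and echoes the server's ISN + 1."""
    _, server_isn, _ = server.handle_syn(src, client_isn)
    return server.handle_ack(src, (server_isn + 1) % WINDOW)


def blind_spoof_attempt(server, forged_src, guessed_isn, client_isn=1000):
    """A sender using a forged source never receives the SYN-ACK, so it can
    only complete the handshake if its guess of the server's ISN is right."""
    server.handle_syn(forged_src, client_isn)
    return server.handle_ack(forged_src, (guessed_isn + 1) % WINDOW)


def logged_sources(server):
    """What a web server's access log would record: only peers whose
    handshake completed, which is why logged addresses are trustworthy."""
    return list(server.established)


if __name__ == "__main__":
    s = Server()
    print("honest client:", honest_connect(s, "192.0.2.10"))
    print("blind spoof:", blind_spoof_attempt(s, "198.51.100.7", guessed_isn=0))
    print("logged sources:", logged_sources(s))
```

With a random ISN the blind attempt succeeds with probability about 2^-32, so an address in the log almost certainly belongs to a host that really exchanged packets with the server; only the predictable-ISN case (modelled by passing a fixed `isn`) makes forging plausible, which is the sequence-prediction work the reply says the worm author had no reason to do.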