I think the idea is to either use a buffer overflow or somesuch (yes, they exist on Windows) to either get the machine to run a .vbs/ActiveX/wsh at the time of penetration, or plant something that will get run when the user does certain things or the machine's rebooted. There are several tools which can do spoofing on NT/2000 using the Win32 version of libpcap, and there are tools for Win9x into which the coders wrote their own functions. A five-minute search on google.com will reveal them.

The bottom line is that Gibson's an hysteric crank who doesn't know what he's talking about. Yes, providers and customers need to secure their boxes/do egress filtering/implement CAR and/or WFQ and/or SPD and/or TurboACLs wherever possible; yes, users need to know how to get hold of their providers' NOCs/support staff -ahead of time-; yes, they need to look at Cisco 7600-type and/or 6500/MSFC2/Sup2s to process ACLs wherever possible; no, none of this is new. He hadn't secured his routers in the least, and betrays a stunning ignorance of how the Internet in general and IP specifically works. Then he gets on his soapbox about it and proclaims that he, and only he, knows how to save the Internet. There're plenty of things to bash Microsoft over, both generally and in regards to XP in general - but the fact that they implemented a standard socket interface in XP isn't one of them.

Do realize that in the last year or so, Gibson claimed to've invented 'stealth' scanning a la nmap. He also published some crazy method for supposedly optimizing ZIP drives which has the effect of destroying your ZIP cartridges. I personally think he's unhinged, and a huckster to boot. His latest folly is to automagically post logs of what he says are the IPs of machines launching DoS attacks against his site, and urge users to contact Bill Gates and blame Microsoft for it.

Needless to say, most of the machines on the list seem to supposedly be routers or switches of one stripe or another, and/or *NIX boxes. My guess is that the vast majority of those IPs are spoofed. He also urges service providers to take action against the supposed offenders. Although I hate Microsoft with a passion, I hope that they sue him for slander - I'd love to see these two FUD-spreaders go after one another. Hell, I'd be willing to serve for free as an 'expert witness' for the purpose of taking him apart in court. Gibson's an idiot. Ignore him.

Paul Vixie wrote:
I'm having a hard time understanding this. Wouldn't it be easier/simpler for these crackers to just install their bots on, oh say, 20 million machines running XP than the crackers having to deal with installing the bot -and- the code to do the spoofing on Win95/98/98SE/98ME?
Doesn't matter. Either way it's an automated script-kiddie tool. No way either approach works if it requires manual keystrokes by the attacker.
--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 408.859.4137 voice
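The post's recurring point is that spoofed-source floods only work because providers skip egress filtering at the customer edge (BCP 38 / RFC 2827), and that the source addresses in a victim's logs are therefore meaningless. The following is an added example written for this page, not code from the original thread or from anyone quoted in it: a small simulation of a BCP 38 style anti-spoofing filter at a provider edge. The port-to-prefix table and the sample traffic are constructed; the port names and prefixes are hypothetical, drawn from the documentation address ranges.

```python
"""BCP 38 style anti-spoofing (egress/ingress) filter, as a worked example.

Added example for this page, not part of the original post. Assumes a
hypothetical provider edge where each customer port is tied to the
prefixes that customer has been allocated; any packet arriving on that
port with a source address outside those prefixes is treated as spoofed
and dropped before it can reach the rest of the Internet.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "port src dst")

# Hypothetical customer-port -> allocated-prefix table (constructed data).
PORT_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}


def source_allowed(port, src):
    """True if `src` falls inside a prefix assigned to `port`."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PORT_PREFIXES.get(port, []))


def filter_egress(packets):
    """Split traffic into (forwarded, dropped) per the anti-spoofing rule.

    Dropped entries carry a reason so an operator can see what was
    discarded and from which port, which is the information a NOC
    actually needs to trace a flood (the spoofed source address is not).
    """
    forwarded, dropped = [], []
    for pkt in packets:
        if pkt.port not in PORT_PREFIXES:
            dropped.append((pkt, "unknown port"))
        elif not source_allowed(pkt.port, pkt.src):
            dropped.append((pkt, "source outside allocated prefixes"))
        else:
            forwarded.append(pkt)
    return forwarded, dropped


# Constructed sample traffic: legitimate flows plus spoofed-source packets.
# 203.0.113.5 stands in for the victim.
SAMPLE = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),      # legitimate
    Packet("cust-a", "10.0.0.1", "203.0.113.5"),        # spoofed: RFC 1918 source
    Packet("cust-a", "198.51.100.7", "203.0.113.5"),    # spoofed: cust-b's space
    Packet("cust-b", "198.51.100.130", "203.0.113.5"),  # legitimate (inside /26)
    Packet("cust-b", "198.51.100.200", "203.0.113.5"),  # spoofed: /26 ends at .191
    Packet("cust-c", "192.0.2.11", "203.0.113.5"),      # port with no allocation
]


def demo():
    """Run the filter over the sample and return (forwarded, dropped) counts."""
    fwd, drp = filter_egress(SAMPLE)
    return len(fwd), len(drp)


if __name__ == "__main__":
    fwd, drp = filter_egress(SAMPLE)
    for p in fwd:
        print("FORWARD", p)
    for p, why in drp:
        print("DROP   ", p, "--", why)
```

On the constructed sample, two packets are forwarded and four are dropped; note that the third packet carries a source address that is perfectly valid elsewhere on the network, which is exactly why a list of logged source IPs says nothing about which machine sent the traffic. On real Cisco gear the same policy is usually deployed as a per-interface ACL or as unicast RPF (`ip verify unicast reverse-path`) rather than hand-written prefix tables.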