In the referenced message, Clayton Fiske said:
On Sun, Jul 07, 2002 at 03:08:14PM -0400, Richard A Steenbergen wrote:
On Sat, Jul 06, 2002 at 06:24:40PM -0500, Rob Thomas wrote:
Hmm, not according to the data I collect. I track numerous botnets and DoSnets, and a bit over 80% of them use the real IPs as the source of the floods. Then again, with 500 - 18000 bots, it isn't all that necessary to mask the source IPs. :/
There are only two situations where a DoS uses its real IP, 1) the network filters spoofed source addresses, 2) they haven't compromised root.
Don't forget 3) the machine compromised isn't capable of spoofing. In Win95/98/ME/NT, there is no raw socket functionality. I don't know the breakdown of botnets in terms of which platform they typically harvest for hosts, but I'd imagine Windows represents a significant portion of non-spoofed attacks.
-c
I believe it is fairly trivial to add this functionality to these machines. Even if the addons weren't part of the payload, the worm could go snag it off the public internet and install it.
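Point 1 in the thread above is the edge-network source-address filtering (ingress/egress filtering) that forces a flood to carry its real source IP. As an added example, not from any poster in this thread, the block below shows the check such a filter performs: each outbound flow whose source address is not inside the site's own prefixes is flagged as spoofed, and the share of flood packets this would have blocked is computed. The prefixes and the flow records are constructed for the example; the only assumption is that a site knows the address space it legitimately originates.

```python
"""Toy source-address validation check for an edge network (added example).
Outbound flows whose source address is outside the site's own prefixes are
flagged as spoofed, which is what an ingress/egress filter drops."""
import ipaddress

# Assumption: these are the prefixes the site legitimately originates
# (RFC 5737 documentation ranges, chosen for the example).
SITE_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed outbound flow records: (source IP, destination IP, packet count).
OUTBOUND_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 120),
    ("198.51.100.7", "203.0.113.5", 95),
    ("10.44.0.3", "203.0.113.5", 5000),     # private source leaving the edge
    ("203.0.113.99", "203.0.113.5", 4800),  # source belongs to another network
    ("192.0.2.200", "203.0.113.5", 110),
]


def is_site_source(addr: str) -> bool:
    """True if addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def classify_flows(flows):
    """Return a list of (src, verdict); verdict is 'pass' or 'spoofed'."""
    return [(src, "pass" if is_site_source(src) else "spoofed") for src, _, _ in flows]


def spoofed_packet_share(flows) -> float:
    """Fraction of outbound packets whose source the site does not own,
    i.e. the share the edge filter would drop."""
    total = sum(pkts for _, _, pkts in flows)
    spoofed = sum(pkts for src, _, pkts in flows if not is_site_source(src))
    return spoofed / total if total else 0.0


if __name__ == "__main__":
    for src, verdict in classify_flows(OUTBOUND_FLOWS):
        print(f"{src:16} {verdict}")
    print(f"spoofed share of outbound packets: {spoofed_packet_share(OUTBOUND_FLOWS):.1%}")
```

The same check applied on the ingress side (flows arriving from a customer port whose source is not in that customer's assigned prefixes) is the filter that makes the thread's point 1 hold; a flood from hosts that cannot spoof, the thread's point 3, passes this check by construction and has to be handled by other means.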