[Dshield] RE: FriendGreetings Worm is back

Russell Washington russ.washington at vaultsentry.com
Thu Oct 31 18:06:01 GMT 2002


It sounds like they're moving the www sites around to avoid folks doing
exactly what we're trying to do.  With that in mind I'd say the best
blackholing strategy might just be to spoof authoritative DNS on your own
DNS server so that the thing just plain won't resolve.

At least that way they (the folks at Permissioned Media) have to come up
with new domain names and tweak the message content that is being sent out
so that it uses different domain names, rather than simply reorganizing IP
addresses behind the scenes.

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora at phra.com] 
Sent: Thursday, October 31, 2002 9:28 AM
To: list at dshield.org
Subject: [Dshield] RE: FriendGreetings Worm is back


Friendgreetings sites best as I can tell last time I checked were: Web
sites: *.friendgreetings.com Web sites: *.cool-downloads.com Web sites:
*.cool-downloads.net IP addresses: 65.89.168.0-65.89.168.255
(cool-downloads.* class C - www, dns, etc) IP addresses:
207.21.232.0-207.21.232.255 (friendgreetings.com class C) IP addresses:
12.165.116.0-12.165.116.255 (HostPanama nameservers and
infrastructure)

Plus subject blocking, content filtering, etc.

These are just band-aid measures. The download site could change daily, and
the message subject and text could just as easily be changed. The success of
this perfectly legal social engineering worm will certainly not go unnoticed
by other unscrupulous sites.

Richard Roy wrote Thu, 31 Oct 2002 07:35:31 -0700

> does anyone have the ip(s) to block?  I would also like to reconfig my 
> dns to remap it to say...  www.gettowork.com so when my users go there 
> they get the message!  ;-)

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list