[Dshield] Possible to get IPs hitting BlackWorm page?

TRushing@hollandco.com TRushing at hollandco.com
Wed Jan 25 14:13:54 GMT 2006


I've read the write-up at 

http://isc.sans.org/blackworm
 
on the newly dubbed BlackWorm.  We do not have logs going far enough back 
to tell for certain if any of our machines have hit the counter page. 
However, our IP is static, so I was wondering if anyone involved in 
fighting this has gotten information on IPs that have hit it and if there 
are any plans to make that available (even if at a subnet level) anywhere.

I see from the Full-Disclosure post that the plan is to contact ISPs with 
that information, but a number of ISPs are so huge (including ours) that I 
will be very surprised if they will be able to devote the resources 
required to this even for their static IP customers, let alone their 
dynamic ones.

For the corporate settings, knowing if your IPs have checked in could be 
incredibly useful in helping to prevent a nightmare.  I do realize, too, 
that there may be problems with releasing IP addresses if there are 
backdoors--you'd be giving a list of backdoored machines.  I don't know 
what the ultimate answer is to this dilemma. 

If a list (even partial) of potentially infected IPs exists, could 
an ISC page be set up so that if you hit the ISC page from a particular 
IP, the ISC page would tell you how many hits had been seen from that IP 
at the virus counter page?  That 
way, you would not be revealing a list of infected IPs to attackers, but 
for corporate accounts with static IPs, you would be providing a simple 
way to check if they may have any potential infections.

      ---Tim Rushing
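
The self-lookup proposed in the message above, sketched as an added example (not part of the original post and not ISC code): hits on the counter page are tallied per source address, and a query is answered only for the connection's own peer address, optionally widened to its subnet. The Common Log Format input, the `/counter-placeholder` path and all sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Placeholder path: the real counter URL is not given on this page.
COUNTER_PATH = "/counter-placeholder"

# Constructed sample log (documentation address ranges only).
SAMPLE_LOG = """\
192.0.2.10 - - [20/Jan/2006:10:00:01 +0000] "GET /counter-placeholder?id=1 HTTP/1.1" 200 43
192.0.2.10 - - [21/Jan/2006:11:30:12 +0000] "GET /counter-placeholder?id=1 HTTP/1.1" 200 43
192.0.2.77 - - [21/Jan/2006:12:00:00 +0000] "GET /counter-placeholder HTTP/1.0" 200 43
198.51.100.5 - - [22/Jan/2006:09:15:40 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [22/Jan/2006:09:16:02 +0000] "GET /counter-placeholder HTTP/1.1" 200 43
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" \d{3} '
)

def tally_counter_hits(log_text, path=COUNTER_PATH):
    """Count requests for the counter path, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        src, url = m.groups()
        if url.split("?", 1)[0] != path:  # ignore the query string
            continue
        try:
            hits[ipaddress.ip_address(src)] += 1
        except ValueError:
            continue                      # source field was not an IP
    return hits

def hits_for_requester(hits, peer_addr, prefix_len=None):
    """Answer only for the address the request came from.

    peer_addr must be the TCP peer address of the connection, never a
    client-supplied parameter or header, so nobody can enumerate other
    networks. prefix_len gives the subnet-level answer instead.
    """
    peer = ipaddress.ip_address(peer_addr)
    if prefix_len is None:
        return hits.get(peer, 0)
    net = ipaddress.ip_network(f"{peer}/{prefix_len}", strict=False)
    return sum(n for ip, n in hits.items() if ip in net)
```

Behind NAT or a proxy the peer address is the shared egress address, so a non-zero answer narrows the problem to that site rather than to one machine.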

