[Dshield] Possible to get IPs hitting BlackWorm page?
TRushing at hollandco.com
Wed Jan 25 14:13:54 GMT 2006
I've read the write-up at
on the newly dubbed BlackWorm. We do not have logs going far enough back
to tell for certain if any of our machines have hit the counter page.
However, our IP is static, so I was wondering if anyone involved in
fighting this has gotten information on IPs that have hit it and if there
are any plans to make that available (even if at a subnet level) anywhere.
I see from the Full-Disclosure post that the plan is to contact ISPs with
that information, but a number of ISPs are so huge (including ours) that I
will be very surprised if they will be able to devote the resources
required to this even for their static IP customers, let alone their
For the corporate settings, knowing if your IPs have checked in could be
incredibly useful in helping to prevent a nightmare. I do realize, too,
that there may be problems with releasing IP addresses if there are
backdoors--you'd be giving a list of backdoored machines. I don't know
what the ultimate answer is to this dilemma.
If a list (even partial) of potentially infected IPs exists, could
an ISC page be set up so that if you hit the ISC page from a particular
IP, the ISC page would tell you how many hits had been seen from that IP
at the virus counter page? That
way, you would not be revealing a list of infected IPs to attackers, but
for corporate accounts with static IPs, you would be providing a simple
way to check if they may have any potential infections.
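The self-check page proposed in the message above could work as follows. This is an added example, not part of the original post and not ISC code. The log format, the sample hits (documentation address ranges) and the names `load_hits` and `self_check` are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample of counter-page hits: "<timestamp> <source address>".
SAMPLE_HITS = """\
2006-01-20T03:11:02Z 192.0.2.10
2006-01-20T03:15:40Z 192.0.2.10
2006-01-21T11:02:13Z 198.51.100.7
2006-01-22T08:45:00Z 192.0.2.77
not-a-log-line
2006-01-23T09:00:00Z 203.0.113.300
"""

def load_hits(text):
    """Count hits per source address, skipping malformed lines."""
    counts = Counter()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            counts[ipaddress.ip_address(parts[1])] += 1
        except ValueError:
            continue  # not a valid address, e.g. 203.0.113.300
    return counts

def self_check(counts, peer_addr, headers=None, query=None, subnet_prefix=None):
    """Report hits only for the address the request actually came from.

    peer_addr is the TCP peer address of the connection. headers and query
    are accepted but deliberately ignored, so a visitor cannot look up
    another address via X-Forwarded-For or a request parameter.
    """
    peer = ipaddress.ip_address(peer_addr)
    if subnet_prefix is None:
        return {"scope": str(peer), "hits": counts.get(peer, 0)}
    # Subnet-level answer: aggregate over the visitor's own network only.
    net = ipaddress.ip_network(f"{peer}/{subnet_prefix}", strict=False)
    hits = sum(n for ip, n in counts.items() if ip in net)
    return {"scope": str(net), "hits": hits}

if __name__ == "__main__":
    counts = load_hits(SAMPLE_HITS)
    print(self_check(counts, "192.0.2.10"))
    print(self_check(counts, "192.0.2.200", subnet_prefix=24))
```

Because the answer is keyed to the connection's source address, the full list is never exposed, but visitors behind a shared NAT or proxy see the count for that shared address.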