[Dshield] Possible to get IPs hitting BlackWorm page?

Johannes B. Ullrich jullrich at sans.org
Wed Jan 25 14:43:04 GMT 2006


We do have the logs from the counter now, and I am just preparing
outbound emails to affected isps.

At this point, I can not share the complete logs. However, I can send
you a list of IPs in your network.

If you would like the list, please:
- wait a couple of hours to see if you get one of the automated
notifications (they should start going out shortly)
- if you don't get the automated notification, please send me an email
with either the AS or the IP range in question, plus a pointer that you
own it ;-).

TRushing at hollandco.com wrote:
> I've read the write-up at 
> http://isc.sans.org/blackworm
> on the newly dubbed BlackWorm.  We do not have logs going far enough back 
> to tell for certain if any of our machines have hit the counter page. 
> However, our IP is static, so I was wondering if anyone involved in 
> fighting this has gotten information on IPs that have hit it and if there 
> are any plans to make that available (even if at a subnet level) anywhere.
> I see from the Full-Disclosure  post that the plan is to contact ISPs with 
> that information, but a number of ISPs are so huge (including ours) that I 
> will be very surprised if they will be able to devote the resources 
> required to this even for their static IP customers, let alone their 
> dynamic ones.
> For the corporate settings, knowing if your IPs have checked in could be 
> incredibly useful in helping to prevent a nightmare.  I do realize, too, 
> that there may be problems with releasing IP addresses if there are 
> backdoors--you'd be giving a list of backdoored machines.  I don't know 
> what the ultimate answer is to this dilemma. 
> If a list (even partial) of potentially infected IPs exists, could 
> an ISC page be set up so that if you hit the ISC page from a particular 
> IP, the ISC page would tell you how many hits had been seen from that IP 
> at the virus counter page?  That 
> way, you would not be revealing a list of infected IPs to attackers, but 
> for corporate accounts with static IPs, you would be providing a simple 
> way to check if they may have any potential infections.
>       ---Tim Rushing

--
---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.


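The two ways of handing out the counter data that this thread discusses, a per-network extract for the ISP or AS owner and a self-service page that answers only for the address asking, as an added example that is not part of the original thread or of ISC's own tooling; the counter log entries below are constructed sample data, not real hits:

```python
# Added example, not code from the original thread or from SANS/ISC.
# Models the two uses discussed: per-network extracts for ISP notification,
# and a self-service check that reveals hits only for the requesting IP.
import ipaddress
from collections import Counter

# Constructed sample of counter-page hits (source IP, UTC timestamp).
# These are documentation-range addresses, not real infected hosts.
COUNTER_LOG = [
    ("198.51.100.7", "2006-01-24T10:02:11Z"),
    ("198.51.100.7", "2006-01-24T18:40:03Z"),
    ("203.0.113.44", "2006-01-25T01:15:59Z"),
    ("198.51.100.200", "2006-01-25T03:07:42Z"),
    ("192.0.2.9", "2006-01-25T04:00:00Z"),
]


def hits_per_ip(log):
    """Aggregate raw counter hits into a count per source address."""
    return Counter(ipaddress.ip_address(ip) for ip, _ in log)


def hits_in_network(counts, cidr):
    """Extract for one network owner: only addresses inside the CIDR
    they have shown they control (the 'pointer that you own it' step)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {str(ip): n for ip, n in counts.items() if ip in net}


def self_service_check(counts, requester_ip):
    """Answer for the requesting address only, so the full list of
    hosts that hit the counter is never exposed to a third party."""
    return counts.get(ipaddress.ip_address(requester_ip), 0)


if __name__ == "__main__":
    counts = hits_per_ip(COUNTER_LOG)
    print(hits_in_network(counts, "198.51.100.0/24"))
    print(self_service_check(counts, "198.51.100.7"))
```

In a real deployment the requester address would come from the HTTP connection, not from a user-supplied parameter, so a visitor cannot query arbitrary addresses.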