[Dshield] Possible to get IPs hitting BlackWorm page?
Johannes B. Ullrich
jullrich at sans.org
Wed Jan 25 14:43:04 GMT 2006
We do have the logs from the counter now, and I am just preparing
outbound emails to affected ISPs.
At this point, I cannot share the complete logs. However, I can send
you a list of IPs in your network.
If you would like the list, please:
- wait a couple of hours to see if you get one of the automated
notifications (they should start going out shortly)
- if you don't get the automated notification, please send me an email
with either the AS or the IP range in question, plus a pointer that you
own it ;-).
TRushing at hollandco.com wrote:
> I've read the write-up at
> on the newly dubbed BlackWorm. We do not have logs going far enough back
> to tell for certain if any of our machines have hit the counter page.
> However, our IP is static, so I was wondering if anyone involved in
> fighting this has gotten information on IPs that have hit it and if there
> are any plans to make that available (even if at a subnet level) anywhere.
> I see from the Full-Disclosure post that the plan is to contact ISPs with
> that information, but a number of ISPs are so huge (including ours) that I
> will be very surprised if they will be able to devote the resources
> required to this even for their static IP customers, let alone their
> dynamic ones.
> For the corporate settings, knowing if your IPs have checked in could be
> incredibly useful in helping to prevent a nightmare. I do realize, too,
> that there may be problems with releasing IP addresses if there are
> backdoors--you'd be giving a list of backdoored machines. I don't know
> what the ultimate answer is to this dilemma.
> If a list (even partial) of potentially infected IPs exists, could
> an ISC page be set up so that if you hit the ISC page from a particular
> IP, the ISC page would tell you how many hits had been seen from that IP
> at the virus counter page? That
> way, you would not be revealing a list of infected IPs to attackers, but
> for corporate accounts with static IPs, you would be providing a simple
> way to check if they may have any potential infections.
> ---Tim Rushing
Johannes Ullrich jullrich at sans.org
Chief Research Officer (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
"We use [isc.sans.org] every day to keep on top of
security at our bank" Matt, Network Administrator.
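
An added example, not part of the original message and not ISC or DShield code: a sketch of the two ways of sharing counter data discussed in this thread, a per-network list for a range the requester has shown they own, and a self-check page that answers only for the connecting address. The log layout, the sample addresses (documentation ranges) and all function names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of counter-page hits, one "<timestamp> <source IP>" per line.
# The real counter log format is not shown in this thread; this layout is assumed.
SAMPLE_LOG = """\
2006-01-24T09:15:02Z 192.0.2.10
2006-01-24T09:15:40Z 192.0.2.10
2006-01-24T10:02:11Z 198.51.100.7
2006-01-24T11:30:00Z 192.0.2.77
2006-01-24T11:31:09Z 203.0.113.5
not-a-valid-line
2006-01-24T12:00:00Z 999.1.1.1
"""

def parse_hits(log_text):
    """Count hits per source IP, skipping malformed lines and invalid addresses."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            hits[ipaddress.ip_address(parts[1])] += 1
        except ValueError:
            continue
    return hits

def hits_for_network(hits, cidr):
    """Per-network report: only addresses inside the range the requester owns."""
    net = ipaddress.ip_network(cidr, strict=False)
    in_range = [(ip, n) for ip, n in hits.items() if ip in net]
    return {str(ip): n for ip, n in sorted(in_range)}

def self_check(hits, peer_addr):
    """Self-lookup: return the hit count for the connecting address only.

    peer_addr must be the TCP peer address the server itself observed, never a
    client-supplied value (query parameter, forwarding header); otherwise the
    page would answer for arbitrary addresses and leak the list it protects.
    """
    return hits.get(ipaddress.ip_address(peer_addr), 0)

if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(hits_for_network(hits, "192.0.2.0/24"))
    print(self_check(hits, "198.51.100.7"))
```
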