ZOMBIES_HTTP_GET

From: Kee Hinckley (nazgulat_private)
Date: Fri Jan 31 2003 - 17:46:20 PST


    I posted a query on this last year, but got no concrete responses. 
    I've continued searching for information since then, but have come up 
    with nothing, so I've collected what data I have and posted it at 
    http://commons.somewhere.com/buzz/2003/zombies.html in the hopes that 
    someone can help figure this one out.
    
    Here's the intro information from that page:
    
    The following contains a summary of hits from 1204 hosts that appear 
    to be infected with a worm of some sort called ZOMBIES_HTTP_GET. 
    These hits were all to http://somewhere.com/ (no www prefix). 
    Virtually all of these hits are for either /instructions.txt or 
    /infector.exe. Given that somewhere.com is the "fill-in-the-blank" 
    address on the internet, our suspicion is that there is a worm out 
    there which can pick up its instructions from an arbitrary URL--but 
    that the programmer has set the default to somewhere.com.  We're 
    seeing the hits from when people didn't reset the default. (This just 
    goes to show that worm authors and Microsoft have something in 
    common. Microsoft shipped FrontPage with my webmaster address as the 
    default address.  Every day we get random questions from web users 
    all over the world who thought they were talking to someone else. 
    For future reference (Microsoft and worm authors), 
    example.com/net/org exists for those of you who need an example 
    domain.  Read the RFCs.)
    
    I have contacted administrators for some of the domains listed here, 
    asking them to a) stop whatever it is that's hitting our web server 
    and b) tell us what it was.  Nobody has ever responded.
    
    I constructed this list by finding all hits from ZOMBIES_HTTP_GET, 
    and then going back and finding all hits from IP addresses that 
    matched the zombies.  That way we have both worm and non-worm hits 
    from the (presumably) infected hosts.  The hope was that that might 
    shed some light on where it was coming from, but it appears that most 
    of the non-zombie hits come from proxy servers or reused IP addresses.
    
    The table is broken down into zombie and non-zombie hits for each 
    host. It lists the number of hits, and the first and last hit 
    dates.  For zombie hits it also lists the HTTP protocol (some use 
    1.0, some use 1.1).  For non-zombie hits it lists the browser.  Then 
    for each of them it lists the URLs fetched, along with (for 
    non-zombie hits) the referrer field, if any.  These are listed in 
    order, with a count next to it indicating how many times this host 
    fetched that URL before doing something different. Host names are 
    cross linked between summary of hits (sorted by date of first hit) 
    and a list of hosts sorted by host name.
    
    Hopefully someone may find this information useful. If you do have 
    any information to add to this, please let me know.
    -- 
    Kee Hinckley
    http://www.puremessaging.com/        Junk-Free Email Filtering
    http://commons.somewhere.com/buzz/   Writings on Technology and Society
    
    I'm not sure which upsets me more: that people are so unwilling to accept
    responsibility for their own actions, or that they are so eager to regulate
    everyone else's.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
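The two-step log analysis described in the post (find every hit tagged ZOMBIES_HTTP_GET, then pull all hits from those IP addresses and tabulate zombie versus non-zombie hits with counts, first/last dates, protocol or browser, and URLs with run-length counts), written here as an added Python example. It is not the poster's code: the log lines are constructed, the marker is assumed to appear in the User-Agent field, and the function names and regex are assumptions.

```python
import re
from datetime import datetime
# Constructed sample access-log lines (Common Log Format); not from the original post.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jan/2003:08:00:00 -0800] "GET / HTTP/1.1" 200 512 "http://search.example/" "Mozilla/4.0"
10.0.0.5 - - [30/Jan/2003:10:01:02 -0800] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [30/Jan/2003:10:01:03 -0800] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [30/Jan/2003:10:01:05 -0800] "GET /infector.exe HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
192.0.2.9 - - [31/Jan/2003:01:00:00 -0800] "GET /buzz/ HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# ip, ident, user, [time], "METHOD url HTTP/x.y", status, bytes, "referrer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) HTTP/(?P<proto>[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_log(text):
    # Keep only lines that match; the timestamp becomes a datetime so hits can be ordered.
    entries = [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]
    for e in entries:
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entries

def run_lengths(hits):
    # Collapse consecutive fetches of the same URL/referrer into (url, referrer, count).
    runs = []
    for e in hits:
        if runs and runs[-1][:2] == [e["url"], e["ref"]]:
            runs[-1][2] += 1
        else:
            runs.append([e["url"], e["ref"], 1])
    return [tuple(r) for r in runs]

def summarize(entries, marker="ZOMBIES_HTTP_GET"):
    # Step 1: hosts with at least one hit carrying the marker user-agent.
    # Step 2: every hit from those hosts, split into zombie / non-zombie, summarised per host.
    zombie_ips = {e["ip"] for e in entries if e["ua"] == marker}
    report = {}
    for ip in sorted(zombie_ips):
        mine = sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["ts"])
        groups = {"zombie": [e for e in mine if e["ua"] == marker],
                  "non_zombie": [e for e in mine if e["ua"] != marker]}
        for label, hits in groups.items():
            if hits:
                key, field = ("protocols", "proto") if label == "zombie" else ("browsers", "ua")
                report.setdefault(ip, {})[label] = {
                    "hits": len(hits), "first": hits[0]["ts"].isoformat(),
                    "last": hits[-1]["ts"].isoformat(), key: sorted({e[field] for e in hits}),
                    "urls": run_lengths(hits)}
    return report
```

Hosts that never sent the marker (192.0.2.9 in the sample) are left out entirely, which is the same filtering the post applies before cross-referencing non-zombie hits.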
    
    This archive was generated by hypermail 2b30 : Sun Feb 02 2003 - 08:41:08 PST