Re: [Full-disclosure] BlackWorm technical information
On 1/24/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The *interesting* question is whether it's possible to use this to count
> the *actual* number of affected machines by excluding all the rubberneckers
> that are visiting the page and hitting "refresh" to see the numbers go up.
> Maybe by looking at the Referer or User-Agent values?

That's what the Snort rule looks for, a connection to that page without a Referer: tag. Not perfect, but it works well enough.

Mike

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
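As an added example (not code from the thread or from the Snort rule Mike mentions), a small Python log filter that applies the same Referer-based split to web-server access log lines: hits on the counter page are separated into "no Referer" (the worm's direct HTTP connection, and also anyone typing the URL by hand) and "with Referer" (browsers following a link), counting both raw hits and distinct source hosts. The combined-log regex, the counter path /counter/hit.php and the sample lines are constructed placeholders, not the real counter page.

```python
import re
from collections import Counter

# NCSA "combined" access-log format; the regex is written for this example.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (documentation IP ranges, placeholder path).
# 203.0.113.5 and 192.0.2.44 hit the counter with no Referer; 198.51.100.7 arrives
# from a link and reloads twice (a "rubbernecker").
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2006:10:00:01 +0000] "GET /counter/hit.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.5 - - [24/Jan/2006:10:00:09 +0000] "GET /counter/hit.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
198.51.100.7 - - [24/Jan/2006:10:00:15 +0000] "GET /counter/hit.php HTTP/1.1" 200 312 "http://lists.example.org/thread" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
198.51.100.7 - - [24/Jan/2006:10:00:16 +0000] "GET /counter/hit.php HTTP/1.1" 200 312 "http://lists.example.org/thread" "Mozilla/5.0 (X11; Linux) Firefox/1.5"
192.0.2.44 - - [24/Jan/2006:10:01:02 +0000] "GET /counter/hit.php HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.44 - - [24/Jan/2006:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

def parse_line(line):
    # Returns a dict of the named fields, or None for a line that is not in combined format.
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_hits(log_text, counter_path):
    # Split counter-page hits by Referer presence. The split is a heuristic, as the
    # thread says: a direct visit typed into a browser also carries no Referer.
    no_ref_ips, ref_ips = set(), set()
    raw = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != counter_path:
            continue
        if rec["referer"] in ("", "-"):   # "-" is how combined logs record a missing Referer
            raw["no_referer"] += 1
            no_ref_ips.add(rec["ip"])
        else:
            raw["with_referer"] += 1
            ref_ips.add(rec["ip"])
    # Distinct hosts, not raw hits, is the figure closer to "affected machines".
    return {
        "no_referer_hits": raw["no_referer"],
        "with_referer_hits": raw["with_referer"],
        "no_referer_hosts": len(no_ref_ips),
        "with_referer_hosts": len(ref_ips),
    }
```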
Re: [Full-disclosure] BlackWorm technical information
On Tue, 24 Jan 2006 18:35:08 +0100, "[EMAIL PROTECTED]" said:
> "The worm has an interesting feature. When it infects a computer it
> opens a web browser on a certain webpage. This increments the counter
> on that webpage."
> Not much information about this?

There are zillions of "You are visitor number to this page since.." scripts for people to put on their web pages. The worm makes an HTTP connection to the URL.

The *interesting* question is whether it's possible to use this to count the *actual* number of affected machines by excluding all the rubberneckers that are visiting the page and hitting "refresh" to see the numbers go up. Maybe by looking at the Referer or User-Agent values?
Re: [Full-disclosure] BlackWorm technical information
Does anyone have a binary they'd like to share?

[EMAIL PROTECTED] wrote:
> "The worm has an interesting feature. When it infects a computer it
> opens a web browser on a certain webpage. This increments the counter
> on that webpage."
> Not much information about this?
>
> Gadi Evron wrote:
> > Technical information on the worm itself can be found here:
> > http://www.f-secure.com/v-descs/nyxem_e.shtml and
> > http://blogs.securiteam.com/index.php/archives/229
> >
> > Gadi.
Re: [Full-disclosure] BlackWorm technical information
"The worm has an interesting feature. When it infects a computer it opens a web browser on a certain webpage. This increments the counter on that webpage."

Not much information about this?

Gadi Evron wrote:
> Technical information on the worm itself can be found here:
> http://www.f-secure.com/v-descs/nyxem_e.shtml and
> http://blogs.securiteam.com/index.php/archives/229
>
> Gadi.
[Full-disclosure] BlackWorm technical information
Technical information on the worm itself can be found here:
http://www.f-secure.com/v-descs/nyxem_e.shtml and
http://blogs.securiteam.com/index.php/archives/229

Gadi.