ZOMBIES_HTTP_GET

From: Kee Hinckley (nazgul@somewhere.com)
Date: 02/01/03

    Date: Fri, 31 Jan 2003 20:46:20 -0500
    To: incidents@securityfocus.com
    From: Kee Hinckley <nazgul@somewhere.com>

    I posted a query on this last year, but got no concrete responses.
    I've continued searching for information since then, but have come up
    with nothing, so I've collected what data I have and posted it at
    http://commons.somewhere.com/buzz/2003/zombies.html in the hopes that
    someone can help figure this one out.

    Here's the intro information from that page:

    The following contains a summary of hits from 1204 hosts that appear
    to be infected with a worm of some sort called ZOMBIES_HTTP_GET.
    These hits were all to http://somewhere.com/ (no www prefix).
    Virtually all of these hits are for either /instructions.txt or
    /infector.exe. Given that somewhere.com is the "fill-in-the-blank"
    address on the internet, our suspicion is that there is a worm out
    there which can pick up its instructions from an arbitrary URL--but
    that the programmer has set the default to somewhere.com. We're
    seeing the hits from when people didn't reset the default. (This just
    goes to show that worm authors and Microsoft have something in
    common. Microsoft shipped FrontPage with my webmaster address as the
    default address. Every day we get random questions from web users
    all over the world who thought they were talking to someone else.
    For future reference (Microsoft and worm authors),
    example.com/net/org exists for those of you who need an example
    domain. Read the RFCs.)

    I have contacted administrators for some of the domains listed here,
    asking them to a) stop whatever it is that's hitting our web server
    and b) tell us what it was. Nobody has ever responded.

    I constructed this list by finding all hits from ZOMBIES_HTTP_GET,
    and then going back and finding all hits from IP addresses that
    matched the zombies. That way we have both worm and non-worm hits
    from the (presumably) infected hosts. The hope was that that might
    shed some light on where it was coming from, but it appears that most
    of the non-zombie hits come from proxy servers or reused IP addresses.

    The table is broken down into zombie and non-zombie hits for each
    host. It lists the number of hits, and the first and last hit
    dates. For zombie hits it also lists the HTTP protocol (some use
    1.0, some use 1.1). For non-zombie hits it lists the browser. Then
    for each of them it lists the URLs fetched, along with (for
    non-zombie hits) the referrer field, if any. These are listed in
    order, with a count next to it indicating how many times this host
    fetched that URL before doing something different. Host names are
    cross linked between summary of hits (sorted by date of first hit)
    and a list of hosts sorted by host name.

    Hopefully someone may find this information useful. If you do have
    any information to add to this, please let me know.

    -- 
    Kee Hinckley
    http://www.puremessaging.com/        Junk-Free Email Filtering
    http://commons.somewhere.com/buzz/   Writings on Technology and Society
    I'm not sure which upsets me more: that people are so unwilling to accept
    responsibility for their own actions, or that they are so eager to regulate
    everyone else's.
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
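As an added illustration (not part of the original post, nor Hinckley's own tooling), the Python below carries out the cross-referencing the post describes over a few constructed Apache combined-format log lines: it takes every host that sent a ZOMBIES_HTTP_GET request, pulls back all of that host's hits, splits them into zombie and non-zombie, and collapses consecutive fetches of the same URL into the "count before doing something different" figure the table uses. The log format, the sample addresses and the browser strings are assumptions.

```python
import re

# Apache "combined" log format (an assumption; the post does not name the server's format).
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<proto>[\d.]+)" \d+ \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"')
ZOMBIE_AGENT = "ZOMBIES_HTTP_GET"

# Constructed sample log lines (not from the original post), in chronological order; 10.0.0.5 is the zombie.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jan/2003:10:01:02 -0500] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [28/Jan/2003:10:01:03 -0500] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [28/Jan/2003:10:01:09 -0500] "GET /infector.exe HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [29/Jan/2003:08:15:00 -0500] "GET / HTTP/1.1" 200 1024 "http://search.example/" "Mozilla/4.0"
192.0.2.9 - - [30/Jan/2003:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def parse(log_text):
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that are not well-formed combined-format entries
            yield m.groupdict()

def run_lengths(items):
    """Collapse consecutive repeats, as the post's table does: a,a,b -> [(a,2),(b,1)]."""
    out = []
    for item in items:
        if out and out[-1][0] == item:
            out[-1] = (item, out[-1][1] + 1)
        else:
            out.append((item, 1))
    return out

def summarize(log_text):
    hits = list(parse(log_text))
    # Step 1: hosts with at least one ZOMBIES_HTTP_GET hit. Step 2: all hits from those hosts.
    zombies = {h["host"] for h in hits if h["agent"] == ZOMBIE_AGENT}
    report = {}
    for host in sorted(zombies):
        z = [h for h in hits if h["host"] == host and h["agent"] == ZOMBIE_AGENT]
        nz = [h for h in hits if h["host"] == host and h["agent"] != ZOMBIE_AGENT]
        report[host] = {
            "zombie": {"count": len(z), "first": z[0]["time"], "last": z[-1]["time"],
                       "protocols": sorted({h["proto"] for h in z}),
                       "urls": run_lengths([h["url"] for h in z])},
            "other": {"count": len(nz), "browsers": sorted({h["agent"] for h in nz}),
                      "urls": run_lengths([(h["url"], h["referrer"]) for h in nz])},
        }
    return report
```

Hosts that never sent the zombie user agent (192.0.2.9 above) are excluded entirely, which is what keeps proxy and reused-address noise out of the zombie set while still showing it in the non-zombie column for hosts that are in the set.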