Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: BlackWorm technical information
From: Valdis.Kletnieks () vt edu
Date: Tue, 24 Jan 2006 14:30:55 -0500

On Tue, 24 Jan 2006 18:35:08 +0100, "ad () heapoverflow com" said:

"The worm has an interesting feature. When it infects a computer it
opens a web browser on a certain webpage. This increments the counter
on that webpage."

no much informations about this ?

There are zillions of "You are visitor number NNNN to this page since.."
scripts for people to put on their web pages.  The worm makes an HTTP
connection to the URL.

The *interesting* question is whether it's possible to use this to count
the *actual* number of affected machines by excluding all the rubberneckers
that are visiting the page and hitting "refresh" to see the numbers go up.
Maybe by looking at the Referer or User-Agent values?

Attachment: _bin

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]