lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
From: p.nolan at comcast.net (Patrick Nolan)
Subject: RE: URLs used by W32/MyDoom-O (aka .AX,
	.BB) to query search engines?

> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com 
> Sent: Thursday, February 17, 2005 5:01 PM
> Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?
> 
> Hello List,
> 
> Does anyone have a list of query URLs used by W32/MyDoom-O 
> (Sophos name: 
> http://www.sophos.com/virusinfo/analyses/w32mydoomo.html)
> to dig e-mail addresses from search engines?

Here are examples of the 4 URLs used by that virus, where %domain% is like
the comcast.net in my email address =>

#1 - www.altavista.com

GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com

GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com

GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com

GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=
HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com


> Are these specific enough that there's a chance to catch them 
> in the config of a web proxy (e.g. Squid) and avoid being 
> "blacklisted" by the search engines? (seems to me that Google 
> temporarily blacklists IPs that drown them under such requests)

You could use an IDP signature to block the requesting traffic.

> Greets,
> _Alain_

Regards, 

Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com 

To Submit A Virus:
pkzip/winzip password infected to
submitvirus at fortinet dot com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ