Full Disclosure mailing list archives
RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines?
From: "Patrick Nolan" <p.nolan () comcast net>
Date: Thu, 17 Feb 2005 22:44:11 -0800
-----Original Message-----
From: full-disclosure-bounces () lists netsys com
Sent: Thursday, February 17, 2005 5:01 PM
Subject: URLs used by W32/MyDoom-O (aka .AX,.BB) to query search engines?

Hello List,

Does anyone have a list of query URLs used by W32/MyDoom-O (Sophos name: http://www.sophos.com/virusinfo/analyses/w32mydoomo.html) to dig e-mail addresses from search engines?

Here are examples of the 4 URLs used by that virus, where %domain% is like the comcast.net in my email address =>

#1 - www.altavista.com
GET /web/results?q=%domain%+email&kgs=0&kls=0&nbq=20 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.altavista.com
Connection: Keep-Alive

#2 - www.google.com
GET /search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+%domain%&num=100 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.google.com

#3 - Search.Lycos.com
GET /default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+%domain% HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.lycos.com

#4 - search.yahoo.com
GET /search?p=email+ %domain% &ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: search.yahoo.com
Are these specific enough that there's a chance to catch them in the config of a web proxy (e.g. Squid) and avoid being "blacklisted" by the search engines? (seems to me that Google temporarily blacklists IPs that drown them under such requests)
You could use an IDP signature to block the requesting traffic.
Greets, _Alain_
Regards,
Patrick Nolan
Virus Researcher - Fortinet Inc.
http://www.fortinet.com
To Submit A Virus: pkzip/winzip password infected to submitvirus at fortinet dot com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
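The proxy-side check Alain asks about, written out as an added example for this archive page (it is not code from the thread, from Sophos or from Fortinet). The four URL shapes are the request lines quoted above; the Squid native access.log layout, the 203.0.113.x addresses, the sample log lines and the three-domain threshold are assumptions made for the example. Beyond matching the fixed parameter sets, it counts how many distinct %domain% values one client has queried, which is what separates a harvesting worm from a person who typed "mailto comcast.net" into Google once.

```python
import re
from collections import defaultdict

# Hypothetical detection code written for this page, not from the thread,
# Sophos or Fortinet. The four URL shapes come from the request lines quoted
# in the post; everything else (log format, thresholds, sample data) is an
# assumption made for the example.

DOMAIN = r"([A-Za-z0-9.-]+)"  # captures the %domain% placeholder

# One anchored regex per search engine. The fixed parameter set and order is
# what makes the worm's requests distinguishable from a browser's.
MYDOOM_O_PATTERNS = {
    "altavista": re.compile(
        r"^http://www\.altavista\.com/web/results\?q=" + DOMAIN
        + r"\+email&kgs=0&kls=0&nbq=20$"
    ),
    "google": re.compile(
        r"^http://www\.google\.com/search\?hl=en&ie=UTF-8&oe=UTF-8&q=mailto\+"
        + DOMAIN + r"&num=100$"
    ),
    "lycos": re.compile(
        r"^http://search\.lycos\.com/default\.asp\?lpv=1&loc=searchhp&tab=web&query=mailto\+"
        + DOMAIN + r"$"
    ),
    # The post shows spaces around %domain% for Yahoo; tolerate an optional
    # encoded space (%20) on either side (assumption).
    "yahoo": re.compile(
        r"^http://search\.yahoo\.com/search\?p=email\+(?:%20)?" + DOMAIN
        + r"(?:%20)?&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab=$"
    ),
}


def classify_url(url):
    """Return (engine, domain) if url matches a MyDoom-O query, else None."""
    for engine, pattern in MYDOOM_O_PATTERNS.items():
        m = pattern.match(url)
        if m:
            return engine, m.group(1)
    return None


def parse_squid_line(line):
    """Parse a Squid native access.log line (assumed layout:
    time elapsed client code/status bytes method url ident hierarchy type)."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return {"client": fields[2], "method": fields[5], "url": fields[6]}


def scan_log(lines, min_domains=3):
    """Return (hits, suspects).

    hits:     list of (client, engine, domain) for every matching request.
    suspects: clients that queried at least min_domains distinct domains."""
    hits = []
    domains_by_client = defaultdict(set)
    for line in lines:
        rec = parse_squid_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        match = classify_url(rec["url"])
        if match is None:
            continue
        engine, domain = match
        hits.append((rec["client"], engine, domain))
        domains_by_client[rec["client"]].add(domain)
    suspects = sorted(c for c, d in domains_by_client.items() if len(d) >= min_domains)
    return hits, suspects


# Constructed sample log lines (not real traffic). 10.0.0.23 behaves like an
# infected host, 10.0.0.9 is a person using Google, 10.0.0.77 matches once.
SAMPLE_LOG = """\
1108706400.101 210 10.0.0.23 TCP_MISS/200 5120 GET http://www.altavista.com/web/results?q=comcast.net+email&kgs=0&kls=0&nbq=20 - DIRECT/203.0.113.10 text/html
1108706401.204 180 10.0.0.23 TCP_MISS/200 9020 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+comcast.net&num=100 - DIRECT/203.0.113.11 text/html
1108706402.310 150 10.0.0.23 TCP_MISS/200 7400 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+comcast.net - DIRECT/203.0.113.12 text/html
1108706403.415 160 10.0.0.23 TCP_MISS/200 6100 GET http://search.yahoo.com/search?p=email+comcast.net&ei=UTF-8&fr=fp-tab-web-t&cop=mss&tab= - DIRECT/203.0.113.13 text/html
1108706404.520 170 10.0.0.23 TCP_MISS/200 8800 GET http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=mailto+example.org&num=100 - DIRECT/203.0.113.11 text/html
1108706405.625 140 10.0.0.23 TCP_MISS/200 7100 GET http://search.lycos.com/default.asp?lpv=1&loc=searchhp&tab=web&query=mailto+example.net - DIRECT/203.0.113.12 text/html
1108706410.001 220 10.0.0.9 TCP_MISS/200 9900 GET http://www.google.com/search?hl=en&q=mailto+comcast.net - DIRECT/203.0.113.11 text/html
1108706411.002 200 10.0.0.9 TCP_MISS/200 9300 GET http://www.google.com/search?hl=en&q=squid+url_regex+example - DIRECT/203.0.113.11 text/html
1108706412.003 190 10.0.0.77 TCP_MISS/200 5000 GET http://www.altavista.com/web/results?q=comcast.net+email&kgs=0&kls=0&nbq=20 - DIRECT/203.0.113.10 text/html
""".splitlines()


if __name__ == "__main__":
    found, bad_clients = scan_log(SAMPLE_LOG)
    for client, engine, domain in found:
        print(f"{client} queried {engine} for {domain}")
    print("suspect clients:", bad_clients)
```

To block rather than just report, the same four expressions can go one per line into a file loaded by Squid with `acl mydoom_o url_regex -i "/etc/squid/mydoom_o.regex"` and `http_access deny mydoom_o` placed before the allow rules (file path is an example). Two caveats: the worm's User-Agent is an ordinary MSIE 6 string, so a UA match adds nothing, and the engines change their parameter names and ordering over time, so anchored patterns need re-checking against current traffic before being relied on.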
Current thread:
- URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines? Alain Fauconnet (Feb 17)
- RE: URLs used by W32/MyDoom-O (aka .AX, .BB) to query search engines? Patrick Nolan (Feb 18)