Security Incidents mailing list archives

ZOMBIES_HTTP_GET


From: Kee Hinckley <nazgul () somewhere com>
Date: Fri, 31 Jan 2003 20:46:20 -0500

I posted a query on this last year, but got no concrete responses. I've continued searching for information since then, but have come up with nothing, so I've collected what data I have and posted it at http://commons.somewhere.com/buzz/2003/zombies.html in the hopes that someone can help figure this one out.

Here's the intro information from that page:

The following contains a summary of hits from 1204 hosts that appear to be infected with a worm of some sort called ZOMBIES_HTTP_GET. These hits were all to http://somewhere.com/ (no www prefix). Virtually all of these hits are for either /instructions.txt or /infector.exe. Given that somewhere.com is the "fill-in-the-blank" address on the internet, our suspicion is that there is a worm out there which can pick up its instructions from an arbitrary URL--but that the programmer has set the default to somewhere.com. We're seeing the hits from when people didn't reset the default. (This just goes to show that worm authors and Microsoft have something in common. Microsoft shipped FrontPage with my webmaster address as the default address. Every day we get random questions from web users all over the world who thought they were talking to someone else. For future reference (Microsoft and worm authors), example.com/net/org exists for those of you who need an example domain. Read the RFCs.)

I have contacted administrators for some of the domains listed here, asking them to a) stop whatever it is that's hitting our web server and b) tell us what it was. Nobody has ever responded.

I constructed this list by finding all hits from ZOMBIES_HTTP_GET, and then going back and finding all hits from IP addresses that matched the zombies. That way we have both worm and non-worm hits from the (presumably) infected hosts. The hope was that that might shed some light on where it was coming from, but it appears that most of the non-zombie hits come from proxy servers or reused IP addresses.

The table is broken down into zombie and non-zombie hits for each host. It lists the number of hits, and the first and last hit dates. For zombie hits it also lists the HTTP protocol (some use 1.0, some use 1.1). For non-zombie hits it lists the browser. Then for each of them it lists the URLs fetched, along with (for non-zombie hits) the referrer field, if any. These are listed in order, with a count next to it indicating how many times this host fetched that URL before doing something different. Host names are cross linked between summary of hits (sorted by date of first hit) and a list of hosts sorted by host name.

Hopefully someone may find this information useful. If you do have any information to add to this, please let me know.
--
Kee Hinckley
http://www.puremessaging.com/        Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
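The log correlation the post describes (find every ZOMBIES_HTTP_GET hit, then pull all hits from those IP addresses and summarize each host's zombie and non-zombie activity, with URLs collapsed into ordered runs), as an added example that is not part of the original post. It assumes Apache combined-format access logs already in chronological order; the sample lines are constructed.

```python
import re
# Constructed sample lines in Apache combined log format (not from the post).
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jan/2003:10:01:00 -0500] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [30/Jan/2003:10:01:02 -0500] "GET /instructions.txt HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [30/Jan/2003:10:01:05 -0500] "GET /infector.exe HTTP/1.0" 404 210 "-" "ZOMBIES_HTTP_GET"
10.0.0.5 - - [31/Jan/2003:08:00:00 -0500] "GET / HTTP/1.1" 200 5120 "http://example.com/" "Mozilla/4.0"
10.0.0.9 - - [31/Jan/2003:09:00:00 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
ZOMBIE_AGENT = "ZOMBIES_HTTP_GET"

def parse(log_text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    matches = (LOG_RE.match(line) for line in log_text.splitlines())
    return [m.groupdict() for m in matches if m]

def run_lengths(items):
    """Collapse consecutive repeats: ['a', 'a', 'b'] -> [('a', 2), ('b', 1)]."""
    runs = []
    for item in items:
        if runs and runs[-1][0] == item:
            runs[-1] = (item, runs[-1][1] + 1)
        else:
            runs.append((item, 1))
    return runs

def summarize(log_text):
    """Per infected host: zombie hits (count, first/last, protocols, URL runs) and other hits."""
    rows = parse(log_text)
    zombie_ips = {r["ip"] for r in rows if r["agent"] == ZOMBIE_AGENT}
    summary = {}
    for ip in sorted(zombie_ips):
        host = [r for r in rows if r["ip"] == ip]  # worm and non-worm hits alike
        zombie = [r for r in host if r["agent"] == ZOMBIE_AGENT]
        other = [r for r in host if r["agent"] != ZOMBIE_AGENT]
        summary[ip] = {
            "zombie": {"hits": len(zombie), "first": zombie[0]["ts"], "last": zombie[-1]["ts"],
                       "protocols": sorted({r["proto"] for r in zombie}),
                       "urls": run_lengths([r["url"] for r in zombie])},
            "other": {"hits": len(other), "browsers": sorted({r["agent"] for r in other}),
                      "urls": run_lengths([(r["url"], r["referer"]) for r in other])},
        }
    return summary
```

Hosts that never sent the ZOMBIES_HTTP_GET agent (10.0.0.9 above) are left out entirely, matching the post's method of working outward from the worm hits.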
