Re: Re: BlackWorm: 2 million infected? ISP notifications.

[Top Secret Battle squad <topsecretbattlesquad () gmail com>]

On 1/25/06, TheGesus <thegesus () gmail com> wrote:
> On 1/25/06, Top Secret Battle squad <topsecretbattlesquad () gmail com> wrote:
> > > A new list of IP's that hit the (still secret) counter address is being
> > > compiled, so we can make another run of ISP notifications.
> >
> > You mean this address? :
> >
> >
> > http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247
> >
> > It's only been in the Symantec description this whole time as:
> >
> > [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247
>
> 3 million now.  hehe
>
> Is it just me or is this whole thing getting overblown?

Undoubtably.  There is simply no way that something with such a dumb
vector for spreading is infecting hosts so quickly.

It was at about 600k when I first took a look at the counter, and
bumping up by 5 or 10 in the time it took me to read the number and
hit reload.  Earlier today it was bumping by a few hundred each time,
and it's about the same rate now.  I know that as more hosts get
compromised, it should spread faster, but it really seems more like
some guys with scripts are having a good laugh.

Also, this counter script is pretty common, for those of you playing
around with options.  You can find a list of options and source code
out there if you just look.  If you don't want to contribute to the
count when you poke it, for example, use incr=F.

Love,
The Top Secret Battle Squad
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/