[SURBL-Discuss] RFC: Storm URI IPs to XS list?

Joseph Brennan brennan at columbia.edu
Sat Aug 18 20:48:57 CEST 2007

--On Saturday, August 18, 2007 1:45 PM -0400 "Kevin A. McGrail" 
<kmcgrail at pccc.com> wrote:

> You have two customers (A & B) of an ISP that uses DHCP.  Customer A gets
> an IP address, has a storm infection and sends out some emails that list
> his IP address (or possibly even other machines in the P2P Storm Network).

The botnet host that sends the mail is never the botnet host mentioned
in the message.  We analyzed about 10,000 examples.

Data from one day, July 15:

6,511 Storm messages

3,352 hosts sent mail to columbia.edu
2,030 web sites were given
5,381 different IP addresses involved
    1 IP address both sent mail (12:42) and was a web site (16:01)

Very roughly, 2 messages per mail host, and 3 references per web site.

It is probably the case that every infected host is both a mail sender
and a web server, maybe at different times.

The botnet is believed to be millions.  Observers have wondered what
the owner is planning, because this well exceeds what is needed for a
spam botnet.  Yet so far all they have done is send stock pump-n-dump.

All of it could be stopped by one simple regexp, for five weeks or so.
On August 14 the entire botnet suddenly changed to a different pattern,
in about an hour's time.  It could happen again.

Because of the size and volatility of the botnet, I wonder how useful
it is to list the URIs.  But we could find out.  I won't be at work for
a week, but after that, if you put this into SURBL, we could report how
much of Storm worm it catches.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology
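Added example, not part of Joseph Brennan's message and not SURBL's own tooling: a small Python script that, over constructed sample records (sender IP, time received, IPs named in the message's URIs), produces the same kind of tally as the July 15 numbers above (messages, distinct mail hosts, distinct web sites, all IPs, hosts that played both roles) and then measures how much of a later day's traffic a URI-IP list built from an earlier day would have caught, which is the experiment the message proposes. The record layout and all IP values are assumptions made for the example.

```python
"""Correlate Storm sender IPs with the IPs advertised in message URIs
(example code; every record below is constructed sample data)."""
from collections import defaultdict

# Constructed sample log: (day, sender_ip, time_received, [IPs named in URIs]).
SAMPLE_LOG = [
    ("day1", "192.0.2.1", "12:42", ["192.0.2.7", "192.0.2.8"]),
    ("day1", "192.0.2.1", "13:05", ["192.0.2.7"]),
    ("day1", "192.0.2.2", "13:10", ["192.0.2.9"]),
    ("day1", "192.0.2.3", "14:00", ["192.0.2.7", "192.0.2.9"]),
    ("day1", "192.0.2.7", "16:01", ["192.0.2.10"]),  # was a web site, later sends mail
    ("day1", "192.0.2.4", "17:30", ["192.0.2.8"]),
    ("day2", "192.0.2.5", "09:00", ["192.0.2.8"]),   # still points at a day1 site
    ("day2", "192.0.2.6", "09:30", ["192.0.2.11"]),  # new site, not on any list yet
    ("day2", "192.0.2.2", "10:15", ["192.0.2.12", "192.0.2.7"]),
]


def records_for(day, log=SAMPLE_LOG):
    """Select one day's records from the constructed log."""
    return [r for r in log if r[0] == day]


def summarize(records):
    """Tally messages, distinct mail hosts, distinct web sites, all IPs involved,
    and hosts seen in both roles (with the first time seen in each role)."""
    sent_at = defaultdict(list)   # sender ip -> times it sent mail
    site_at = defaultdict(list)   # uri ip    -> times it was referenced
    references = 0
    for _day, sender, when, uri_ips in records:
        sent_at[sender].append(when)
        for ip in uri_ips:
            site_at[ip].append(when)
            references += 1
    both = {ip: (min(sent_at[ip]), min(site_at[ip]))
            for ip in sorted(sent_at.keys() & site_at.keys())}
    return {
        "messages": len(records),
        "mail_hosts": len(sent_at),
        "web_sites": len(site_at),
        "all_ips": len(sent_at.keys() | site_at.keys()),
        "both_roles": both,  # ip -> (first sent mail, first seen as web site)
        "msgs_per_mail_host": len(records) / len(sent_at) if sent_at else 0.0,
        "refs_per_web_site": references / len(site_at) if site_at else 0.0,
    }


def uri_ip_list(records):
    """The set of IPs a URI blocklist built from these records would contain."""
    return {ip for _d, _s, _t, uri_ips in records for ip in uri_ips}


def catch_rate(blocklist, records):
    """Fraction of messages whose body names at least one listed IP, i.e. what
    the list catches on traffic it was not built from (0.0 if no records)."""
    if not records:
        return 0.0
    caught = sum(1 for _d, _s, _t, uri_ips in records
                 if blocklist.intersection(uri_ips))
    return caught / len(records)


if __name__ == "__main__":
    day1 = summarize(records_for("day1"))
    for key, value in day1.items():
        print(f"{key}: {value}")
    listed = uri_ip_list(records_for("day1"))
    print(f"day1 list of {len(listed)} URI IPs catches "
          f"{catch_rate(listed, records_for('day2')):.0%} of day2 messages")
```

Because the list is built from one day and scored against the next, a large drop in the catch rate from one day to another is exactly the volatility the message warns about; on real data the records would come from the mail logs and the URI-to-IP resolution, not from an inline table.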
