Security threats Toolkit

Story: Lycos army shoots itself in foot?

Posted by: Anonymous (Friday 3 December 2004, 11:10 AM)

The "defacement" is not likely to have been a defacement - the nanog@nanog.org mailing list of the north american network operator group has a post stating that at least one backbone seems to have redirected any IP addresses it controls, that try to hit the makelovenotspam page (presumably to download the screensaver) to a warning page saying it had logged their IP.

Here's a post on the nanog mailing list, which gives a full sequence -

Hannigan, Martin wrote:
>> -----Original Message-----
>> From: Lionel [mailto:nop@alt.net]
>> Sent: Thursday, December 02, 2004 8:40 AM
>> To: Hannigan, Martin
>> Cc: nanog list
>> Subject: Re: How many backbones here are filtering the
>> makelovenotspam scr eensaver site?
>>
>>
>> On Thu, 2 Dec 2004 08:27:38 -0500 , "Hannigan, Martin"
>> wrote:
>>
>>>>> Hosted on a cablemodem? Tch, tch, how the mighty have fallen
>>>
>>>
>>> The blocks are widespread.
>>>
>>> The reports of hackers are incorrect. The blackholes are
>> what is stopping
>>> them.
>>
>> What amazing efficiency. I can't help but wonder if these
>> same providers
>> are as quick at blackholing spamsite hosts, or blocking the zombies
>> on their user networks from spewing spam on port 25?
>
> If you tied all the spammers into a few controllers, you see it happen
> immediately.
>
> I've been following the news reports on this. Here's a quick summary
> of "what I know" without making any judgement or opinion:
>
>
> - The lycos screensaver campaign activated Tuesday
> - Major networks began activating blocks
> - When the controllers can't be reached, the clients die off
> - If screensaver is active when controllers die, it runs
> off the current target list.
> - If screensaver deactivates, then activates, it can't
> contact the servers and tells the user it's "off the internet"
> (I can't verify the veracity of the update process i.e. if it
> will die while active)
> - Blocks started going up early Wednesday morning
> - The press began reporting hackers due to an apparentdefacement
> being seen by many users. What they actually saw was the banner of
> an ISP that had blackholed the traffic and redirected port
> 80 to a notice.
> - Lycos moved their application to a hosting facility with bigger
> pipes
> - Target sites began using redirects sending the traffic back
> to Lycos
> - Press reports are coming out today regarding the blackholes
> - SpamCop is the source of the target list via a page that is public
> off of the SpamCop site (SpamCop is does not appear to have
> complicity)
> - The effectiveness of the blackholes is rising
> - There are a reported 100K clients downloaded. Less than you would
> expect due to the voluminous press coverage. Probably a result of
> the blackhole activity as well.
>
> I'm really not sure if Lycos knows about the blackholes at
> this point as the press has been reporting "hackers" all the while.
> If you think it's hacked, check the route.
>
> Here's some operational data captured via ethereal
>
> The target list generated by the botnet controller:
>
> GET
> /xml/69426058014054/94772079193788/35264029467456/12122010129438/CONFIG_2865
> 2023942308.xml HTTP/1.1
> Referer:
> http://backend.makelovenotspam.com/xml/69426058014054/94772079193788/3526402
> 9467456/12122010129438/CONFIG_28652023942308.xml
> x-flash-version: 7,0,19,0
> User-Agent: Shockwave Flash
> Host: backend.makelovenotspam.com
> Cache-Control: no-cache
>
> HTTP/1.1 200 OK
> Server: Resin/2.1.14
> Content-Type: text/xml; charset=UTF-8
> Content-Length: 2889
> Connection: close
> Date: Thu, 02 Dec 2004 15:22:00 GMT
>
>
> domain="myshopinternetcompany.com"
> url="http://myshopinternetcompany.com/?e=aa5100" bytes="357460680"
> hits="2572309" percentage