Virus Guy wrote:
> Whoever wrote:
>
>> I'm having trouble understanding how he would pass the URL of the
>> originally requested page to the temporary web server from the
>> original DNS request.
>
> You don't know from the DNS request what the client machine has in mind
> (http, https, ftp, smtp, pop, etc).
>
> If the client wants to do anything other than a few protocols (http,
> https, maybe ftp) then it's true that there's no way to make a message
> appear in front of the user's eyeballs.
>
> The odds are that it's going to be http or https (probably 95%
> certainty).
>
> So you always return a result of 1.2.3.4 anyways.
>
> If the infected machine comes back and tries to hit your server located
> at 1.2.3.4 on a port other than HTTP/HTTPS, then there's no clear
> strategy - things become more complicated.


The bottom line is when you shut them down, they'll get the message.
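
The question at the top of the thread, worked as an added example that is not part of any post here: over plain HTTP nothing needs to be carried over from the DNS request, because the browser itself sends the hostname in the Host header and the path in the request line when it connects to 1.2.3.4. The sample request, the notice wording and the 503 status are assumptions made for the example.

```python
import html

def original_url(raw: bytes, port: int = 80):
    """Rebuild the URL a client meant to fetch from the plain-HTTP request
    that reached the sinkhole. Returns None when it cannot be recovered."""
    if port != 80:
        return None  # not plain HTTP: no readable request line or Host header
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    if target.lower().startswith("http://"):  # absolute-form, as sent to proxies
        return target
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    if not host or not target.startswith("/"):
        return None  # e.g. HTTP/1.0 without Host: only the path is known
    return "http://" + host + target

def notice_response(raw: bytes, port: int = 80) -> bytes:
    """Build the notice page. The URL is client-controlled, so it is
    HTML-escaped, and the reply is marked uncacheable so the notice is not
    stored in place of the real site."""
    url = original_url(raw, port) or "(unknown page)"
    body = ("<html><body><h1>Notice</h1><p>Your request for "
            + html.escape(url) + " was not delivered.</p></body></html>").encode()
    headers = ("HTTP/1.1 503 Service Unavailable\r\n"
               "Content-Type: text/html; charset=utf-8\r\n"
               "Cache-Control: no-store\r\n"
               f"Content-Length: {len(body)}\r\n"
               "Connection: close\r\n\r\n")
    return headers.encode() + body

# Constructed sample request, as it would arrive at 1.2.3.4 port 80.
SAMPLE = (b"GET /mail/inbox?x=1 HTTP/1.1\r\n"
          b"Host: www.example.com\r\nUser-Agent: test\r\n\r\n")

if __name__ == "__main__":
    print(original_url(SAMPLE))
    print(notice_response(SAMPLE).decode())
```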