[unisog] worm that looks for 139, 1433 and 2967

C. Hamby fixer at gci.net
Sun Feb 18 15:17:56 GMT 2007


Hmmm, well as I see it you've really got 3 methods for capturing the
critter:

1) Get it off an infected machine.
2) Set up a honeypot and capture it that way
3) Set up a virtual machine with an unpatched Windows system and let it
get whacked.
You might consider setting up some sort of outbound filtering so it can
get in but not out.
The only obvious drawback there is that you won't get any "part 2" that
the critter has since
outbound communications would be blocked.  Regardless though I'd suggest
running a sniffer
on it to capture the traffic the bot generates.

Was there any current AV on the systems that have been hit so far?  If
not it might just be a case of
an old bot just being opportunistic.  If so I'd bet on a new(er) variant.

At the very least you could setup a few netcat listeners on those ports
(I'd use the win32 version with the
-L option) and see what the beastie is throwing at your systems.  Not as
good as a full capture but still
better than nothing.

Have you gotten any traffic captures, maybe to find out if the bot is
trying to connect to any remote systems
to try and phone home?

-cdh


power less wrote:
> No. I didn't get it in my tiny little purview (that I know about ... yet)
> What is the method of choice these days for collecting specimens (other
> than real windows machines that get viruses)?  I have a machine that
> acts as a sensor that could get a makeover into a sort of honeypot.
> 
> On 2/17/07, *C. Hamby* <fixer at gci.net <mailto:fixer at gci.net>> wrote:
> 
>     Sounds like it could be one of the endless
>     Agobot/Phatbox/xbot-of-the-week variants.  Have you managed to recover
>     any specimens?
> 
>     -cdh
> 
>     power less wrote:
>     > I noticed a bunch of hosts on our campus were infected yesterday with
>     > something
>     > which caused them to scan for 139,1433 and 2967. Anyone else see that?
>     > Anyone have any info?
>     > seems to me the previous round of malware that included 2967 also
>     looked
>     > for 5900
>     > so this could be somewhat different?
>     >
>     >
>     >
>     ------------------------------------------------------------------------
>     >
>     > _______________________________________________
>     > unisog mailing list
>     > unisog at lists.dshield.org <mailto:unisog at lists.dshield.org>
>     > https://lists.sans.org/mailman/listinfo/unisog
> 
>     _______________________________________________
>     unisog mailing list
>     unisog at lists.dshield.org <mailto:unisog at lists.dshield.org>
>     https://lists.sans.org/mailman/listinfo/unisog
> 
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog



More information about the unisog mailing list