[unisog] worm that looks for 139, 1433 and 2967

Jeff Kell jeff-kell at utc.edu
Sun Feb 18 16:23:01 GMT 2007


power less wrote:
> What is the method of choice these days for collecting specimens
> (other than real windows machines that get viruses)?  I have a machine
> that acts as a sensor that could get a makeover into a sort of honeypot. 
I would recommend nepenthes (http://nepenthes.sourceforge.net a.k.a.
http://nepenthes.mwcollect.org), it emulates a large number of
vulnerabilities (even current ones like the SAV exploit if you pull the
CVS code and roll your own).  It also requires a degree of care and
feeding depending on how many "flies" it attracts at your location.

This will collect binaries (saved in a directory with names = md5sums of
the binary), and log where they came from.  What you do with them
afterward is an exercise for the reader; it includes automated
submission modules for the MW Alliance and Norman.

As for a "worm that looks for x,y,z" -- this is an ambiguous question. 
Not all malware has a "predetermined plan" of infection.  Bots typically
come bundled with exploit code for a wide variety of exploits but
receive their actual "instructions" from their C&C host[s] at startup
connection, listening for commands in IRC, or periodically polling the
C&C.  As such, the observed behavior of the malware may or may not have
any correlation with the actual binary in question, depending on the
commands provided by the C&C.

Jeff
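As an added example (not part of Jeff's post and not nepenthes' own code), the following script does the "exercise for the reader" at the simplest level: it walks a capture directory laid out as the post describes (one file per binary, file name = md5sum of the contents), verifies that each file name still matches its contents, records a SHA-256 for later lookups, and joins that inventory with a connection log to show which source addresses delivered which sample and on which local port. The log layout used here (`timestamp src_ip:port -> local_port md5`) is constructed for the example; nepenthes writes its own log formats, so the regular expression would need adjusting for a real deployment. The sample "binaries" are short byte strings written to a temporary directory, not real malware.

```python
import hashlib
import os
import re
import tempfile
from collections import Counter

# Constructed stand-ins for captured binaries (not real samples).
SAMPLE_BINARIES = [
    b"MZ\x90\x00constructed-sample-one",
    b"MZ\x90\x00constructed-sample-two",
]

MD5_NAME = re.compile(r"^[0-9a-f]{32}$")
# Hypothetical log layout: "<timestamp> <src_ip>:<src_port> -> <local_port> <md5>"
LOG_LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+) ([0-9a-f]{32})$")


def md5_hex(blob):
    return hashlib.md5(blob).hexdigest()


def write_capture_dir(root, blobs):
    """Write each blob to root/<md5 hex>, mirroring the naming the post describes."""
    paths = []
    for blob in blobs:
        path = os.path.join(root, md5_hex(blob))
        with open(path, "wb") as f:
            f.write(blob)
        paths.append(path)
    return paths


def inventory_captures(root):
    """Return {name: {"md5_ok", "sha256", "size"}} for every md5-named file in root."""
    result = {}
    for name in sorted(os.listdir(root)):
        if not MD5_NAME.match(name):
            continue  # skip anything that is not a capture file
        with open(os.path.join(root, name), "rb") as f:
            data = f.read()
        result[name] = {
            "md5_ok": md5_hex(data) == name,          # detects truncated/altered files
            "sha256": hashlib.sha256(data).hexdigest(),
            "size": len(data),
        }
    return result


def summarize_log(log_text):
    """Parse the constructed log layout into ({md5: Counter(src_ip)}, Counter(local_port))."""
    by_hash, ports = {}, Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the layout
        _ts, src, port, md5 = m.groups()
        by_hash.setdefault(md5, Counter())[src] += 1
        ports[int(port)] += 1
    return by_hash, ports


def build_sample_log(md5s):
    """Constructed log lines referencing the sample hashes (not a real capture)."""
    return "\n".join([
        f"2007-02-18T16:01:02 10.0.0.5:4321 -> 445 {md5s[0]}",
        f"2007-02-18T16:02:17 10.0.0.7:1234 -> 139 {md5s[0]}",
        f"2007-02-18T16:05:40 10.0.0.5:4400 -> 2967 {md5s[1]}",
    ])


def triage(root, log_text):
    """Join on-disk inventory with the log; also list logged hashes with no file on disk."""
    inv = inventory_captures(root)
    by_hash, ports = summarize_log(log_text)
    report = {md5: dict(info, sources=dict(by_hash.get(md5, {})))
              for md5, info in inv.items()}
    missing = sorted(set(by_hash) - set(inv))
    return report, missing, ports


def demo():
    """Build a temporary capture directory (plus one deliberately mislabeled file) and triage it."""
    root = tempfile.mkdtemp(prefix="captures-")
    paths = write_capture_dir(root, SAMPLE_BINARIES)
    md5s = [os.path.basename(p) for p in paths]
    # A file whose name does not match its contents, e.g. a capture truncated on disk.
    with open(os.path.join(root, "f" * 32), "wb") as f:
        f.write(b"truncated-or-tampered")
    return triage(root, build_sample_log(md5s))


if __name__ == "__main__":
    report, missing, ports = demo()
    for md5, info in report.items():
        print(md5, "md5_ok=%s" % info["md5_ok"], info["sha256"][:16], info["sources"])
    print("logged but not on disk:", missing)
    print("hits per local port:", dict(ports))
```

The `md5_ok` check matters because the file name is the only link between the log and the binary; a name that no longer matches its contents means the capture cannot be trusted for submission or signature work, and `missing` flags log entries whose binary was never written.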
