[Dshield] Could this be done ?

Ed Truitt ed.truitt at etee2k.net
Mon Sep 9 01:51:01 GMT 2002


Sort of a "trojan mirror" program?  Interesting, if not quite practical -
since many trojans are spread via automated means, do you gain any benefit
by attacking the machine that just nailed you?

Even worse, what if someone spoofs the source address of the packets sending
the Trojan, so instead of mucking up the perp's machine you cause some
"collateral damage"?

I think I will stay with LaBrea - it does a good enough job of slowing down
scans/hacktivity, combined with the LaBrea::Tarpit module it creates pretty
Web pages that cause some of the folks I show it to to go "ooh" and "ahh"
(while others just say "what the heck is this?" :-), and I don't think any
hacker is likely to take me to court and sue me for interfering with his
attacks on the network (unless he is working on behalf of the RIAA, that
is.)

BTW, Tom, any chance of making LaBrea even more enticing to the RIAA, maybe
via an option that would make it look like a *real* file-swapper?  Not that
I advocate or condone music piracy or any of that stuff, I just don't like
people who attack networks - and I especially don't like it when they lobby
our congresscritters for legal sanction to attack our networks.  After all,
those are OUR congresscritters, bought and paid for with OUR campaign
contributions...

Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

----- Original Message -----
From: "Mrcorp" <mrcorp at yahoo.com>
To: <list at dshield.org>
Sent: Sunday, September 08, 2002 1:49 PM
Subject: Re: [Dshield] Could this be done ?


> interesting, and if I were the hacker, I would put the same on my system,
thus creating a dos
> between our systems...
>
> mrcorp
>
> --- andy <andy at a-jones.demon.co.uk> wrote:
> > I was thinking along the lines of attacking the hacker with his own
trojan
> > (I know this would make me as bad as him but I`m just being theoretical
if
> > not making sense.)
> >
> > Cheers,
> > andy
> >
> > >----- Original Message -----
> > >From: "Johannes Ullrich" <jullrich at euclidian.com>
> > >To: <list at dshield.org>
> > >Sent: Sunday, September 08, 2002 12:52 AM
> > >Subject: Re: [Dshield] Could this be done ?
> > >
> > >Well, virus scanners do isolate trojans. But I don't quite understand
the
> > >part about 'directing it back'.
> > >
> > >
> > >--
> > >--------------------------------------------------------------------
> > >jullrich at euclidian.com             Collaborative Intrusion Detection
> > >                                         join http://www.dshield.org
> >
> >
> > _______________________________________________
> > Dshield mailing list
> > Dshield at dshield.org
> > To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
>
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Finance - Get real-time stock quotes
> http://finance.yahoo.com
>
> _______________________________________________
> Dshield mailing list
> Dshield at dshield.org
> To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
>




More information about the list mailing list