[Dshield] anti-mydoom worm

John Draper lists at webcrunchers.com
Thu Feb 12 21:47:04 GMT 2004

On Feb 12, 2004, at 9:48 AM, Jonathan wrote:

> It's frustrating that there doesn't seem to be any concerted
> effort to actually find the people responsible; unless we
> count the FBI grabbing a kid in his bedroom in the next
> week or so and making "an example" of them.

Yes - this is a serious problem. For many weeks and months
I've proposed some possible solutions on how we can catch the
perpetrator, and unfortunately, due to the fact that I'm always
broke, I cannot afford to do this, but it IS within the realm
of others on the list.

My proposal was to set up a honeypot machine, deliberately
infect it, and monitor ALL connections made to and from this

I've gotten SOME indications that people are doing this, but
no results have been posted. Still, it seems like a reasonable
approach to this problem.

In fact, while I was speaking at the IT Defense in Ludwigsburg
in Germany, I brought this to the attention of Lance Spitzner
of the HoneyNet project, and he also thinks this is a worthy
endeavor, but he hasn't the resources at present to start up
this project.

We need to set up as many of these as possible, to increase our
chances of catching someone attempting to control them.

I also proposed this idea to my FBI contact, a field agent assigned
to the Sobig case, but they are bound by legal problems in setting
up a honeypot system. I was informed, though, that a private effort to set
these up for the purpose of detecting the hackers' attempts at controlling
them would be legal and worthwhile.

My problem is that I don't have a spare PC I can devote to this project,
nor can I offer a connection for it.

I'm sure others on this list who are employed, or have the backing of
a company, might be willing to partake in this project. Assuming there
are any more jobs left out there, and people are still employed and have
jobs that haven't gone to India.

My idea is simple - put out as many infected hosts as possible, watch
carefully, and see what happens, but always be ready to halt or stop
if huge-ass DDoSes start happening.
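The watching and the "be ready to halt" part of the proposal above, as an added
example written for this archive page and not code from John Draper or the
Dshield list: it reads a connection log from the deliberately infected host,
separates inbound hits on the port we assume the worm's backdoor listens on
(the "someone attempting to control it" leads) from everything else, counts
outbound connections per second, and reports the first second in which the
host starts blasting out traffic faster than a chosen limit, which is the
moment you pull the plug. The log format, the IP addresses, the watched port
(3127) and the rate limit (50 outbound connections per second) are all
constructed assumptions for the example, not figures from the post.

```python
"""Added example: watch a deliberately infected honeypot's connection log for
inbound control attempts and trip a kill switch when outbound traffic looks
like a DDoS. Illustrative code written for this page, not from the original
message; the log format, IPs, port and thresholds are constructed assumptions."""
import re
from collections import Counter

# Assumed log format (constructed):
#   "<unix_ts> <in|out> <peer>:<peer_port> <honeypot>:<hp_port>"
# For "in" the peer connected to the honeypot; for "out" the honeypot
# connected to the peer.
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<dir>in|out)\s+"
    r"(?P<peer>[\d.]+):(?P<peer_port>\d+)\s+"
    r"(?P<hp>[\d.]+):(?P<hp_port>\d+)$"
)

# Hypothetical parameters: the listening port we assume the worm's backdoor
# uses, and the outbound connection rate (per second) at which we pull the plug.
WATCHED_HP_PORTS = {3127}
OUTBOUND_RATE_LIMIT = 50


def parse_line(line):
    """Return a dict for one record, or None if the line is not a connection record."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": int(m["ts"]),
        "dir": m["dir"],
        "peer": m["peer"],
        "peer_port": int(m["peer_port"]),
        "hp_port": int(m["hp_port"]),
    }


def analyze(lines, watched_ports=WATCHED_HP_PORTS, rate_limit=OUTBOUND_RATE_LIMIT):
    """Classify connections and decide whether the host should be halted.

    Returns a dict with:
      control_attempts: (ts, peer, hp_port) for every inbound hit on a watched port
      controllers:      Counter of peers behind those attempts (the leads to chase)
      out_targets:      Counter of outbound destination IPs
      halt_at:          first second in which outbound connections exceeded
                        rate_limit, or None if the kill switch never tripped
      unparsed:         number of lines that were not connection records
    """
    control_attempts = []
    out_per_sec = Counter()
    out_targets = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["dir"] == "in" and rec["hp_port"] in watched_ports:
            control_attempts.append((rec["ts"], rec["peer"], rec["hp_port"]))
        elif rec["dir"] == "out":
            out_per_sec[rec["ts"]] += 1
            out_targets[rec["peer"]] += 1
    halt_at = None
    for ts in sorted(out_per_sec):
        if out_per_sec[ts] > rate_limit:
            halt_at = ts
            break
    return {
        "control_attempts": control_attempts,
        "controllers": Counter(peer for _, peer, _ in control_attempts),
        "out_targets": out_targets,
        "halt_at": halt_at,
        "unparsed": unparsed,
    }


# Constructed sample log: a few backdoor probes, an unrelated scan, one normal
# outbound connection, a junk line, then a 60-connection burst to one host in
# a single second (the kind of thing that means "halt now").
SAMPLE_LOG = [
    "1076622000 in 203.0.113.5:40211 198.51.100.7:3127",
    "1076622001 in 203.0.113.5:40212 198.51.100.7:3127",
    "1076622003 in 203.0.113.20:51000 198.51.100.7:445",
    "1076622010 in 203.0.113.9:33001 198.51.100.7:3127",
    "1076622030 out 192.0.2.44:25 198.51.100.7:49152",
    "this line is not a connection record",
] + [f"1076622100 out 192.0.2.10:80 198.51.100.7:{40000 + i}" for i in range(60)]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for peer, n in report["controllers"].most_common():
        print(f"control attempts from {peer}: {n}")
    if report["halt_at"] is not None:
        top, n = report["out_targets"].most_common(1)[0]
        print(f"HALT at {report['halt_at']}: {n} outbound connections toward {top}")
```

In a real deployment the log would come from a tap or netflow export in front of
the infected box, not from the box itself, since the worm owns it; the per-second
outbound threshold is what decides when to cut the uplink, and the controllers
counter is the list of addresses worth handing to someone with subpoena power.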


