[unisog] worm that looks for 139, 1433 and 2967

H. Morrow Long morrow.long at yale.edu
Sun Feb 18 13:31:07 GMT 2007


Four projects (particularly the first 3) are interrelated to a degree:

1.	nepenthes - http://nepenthes.mwcollect.org/

	'low interaction' malware collector
	(named after the genus of the tropical pitcher plant - en.wikipedia.org/wiki/Nepenthes)

2.	mwcollect (http://www.mwcollect.org/)

	now apparently subsumed/merged into an alliance with nepenthes/honeybow, etc.

3.	Honeybow (http://honeybow.mwcollect.org/)

	'High Interaction' honeypot/sensor to collect malware

4.	Honeytrap (http://honeytrap.sourceforge.net/start.html)

	sensor/trap has plug-in modules to save/collect malware code

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Feb 17, 2007, at 8:13 PM, power less wrote:

> No. I didn't get it in my tiny little purview (that I know about ... yet)
> What is the method of choice these days for collecting specimens (other
> than real Windows machines that get viruses)?  I have a machine that acts
> as a sensor that could get a makeover into a sort of honeypot.
>
> On 2/17/07, C. Hamby <fixer at gci.net> wrote:
> Sounds like it could be one of the endless
> Agobot/Phatbox/xbot-of-the-week variants.  Have you managed to recover
> any specimens?
>
> -cdh
>
> power less wrote:
> > I noticed a bunch of hosts on our campus were infected yesterday with
> > something which caused them to scan for 139, 1433 and 2967. Anyone else
> > see that? Anyone have any info?
> > Seems to me the previous round of malware that included 2967 also looked
> > for 5900, so this could be somewhat different?
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog

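The original post in this thread describes campus hosts sweeping for TCP 139, 1433 and 2967. As an added example that is not part of the thread and not code from nepenthes, mwcollect, Honeybow or Honeytrap, the following Python script shows the kind of flow-level check a campus security office could run to find such hosts: it parses "timestamp src dst dport" records and flags any source that fans out to many distinct destinations on those ports. The flow records, IP addresses, port set and the fan-out threshold are all constructed for illustration, not taken from the discussion.

```python
"""Flag hosts fanning out to the worm's target ports (TCP 139, 1433, 2967).

Added example: the flow format, addresses and thresholds below are
constructed assumptions, not data from the mailing-list thread.
"""
from collections import defaultdict

# Ports the thread reports the worm scanning for.
WORM_PORTS = {139, 1433, 2967}

# Constructed flow records, one per line: "timestamp src dst dport".
# 10.1.2.9 talks repeatedly to one SQL server (legitimate), 10.1.2.11
# touches two hosts, only one of them on a worm port.
BENIGN_FLOWS = """\
2007-02-17T09:00:01 10.1.2.9 10.1.5.20 1433
2007-02-17T09:00:04 10.1.2.9 10.1.5.20 1433
2007-02-17T09:00:05 10.1.2.11 10.1.5.21 139
2007-02-17T09:00:06 10.1.2.11 10.1.5.22 445
"""


def scanner_flows(src, net_prefix, count):
    """Build constructed records for a host probing every worm port on
    `count` consecutive addresses in `net_prefix` (a /24 written as
    three octets)."""
    lines = []
    for i in range(1, count + 1):
        for port in sorted(WORM_PORTS):
            lines.append(f"2007-02-17T09:01:{i:02d} {src} {net_prefix}.{i} {port}")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (timestamp, src, dst, dport) tuples.

    Blank lines, comment lines and malformed records are skipped rather
    than aborting the whole run, since exported flow logs are rarely clean.
    """
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_scanners(flows, ports=WORM_PORTS, min_targets=5, require_all_ports=False):
    """Return {src: {"targets": n, "ports": [..]}} for sources that contact
    at least `min_targets` distinct destinations on the given ports.

    A single server talked to many times is not a scan, so the count is of
    distinct destinations, not of flows. With require_all_ports=True a
    source must have touched every port in `ports`, which separates a host
    running this worm from, say, a lone SMB browser sweep on 139.
    """
    per_src = defaultdict(lambda: {"targets": set(), "ports": set()})
    for _ts, src, dst, dport in flows:
        if dport in ports:
            per_src[src]["targets"].add(dst)
            per_src[src]["ports"].add(dport)

    hits = {}
    for src, info in per_src.items():
        if len(info["targets"]) < min_targets:
            continue
        if require_all_ports and info["ports"] != set(ports):
            continue
        hits[src] = {"targets": len(info["targets"]), "ports": sorted(info["ports"])}
    return hits


def run_example():
    """Combine the constructed benign flows with one sweeping host."""
    text = BENIGN_FLOWS + "\n" + scanner_flows("10.1.2.3", "10.1.3", 8)
    return find_scanners(parse_flows(text))


if __name__ == "__main__":
    for src, info in run_example().items():
        print(f"{src}: {info['targets']} targets on ports {info['ports']}")
```

The distinct-destination count is what separates a scanning host from a busy client: 10.1.2.9 generates two flows to port 1433 but only one target, so it is not reported, while the sweeping host is reported with all three ports. Lowering min_targets to 1 shows how noisy the rule becomes without a fan-out threshold, and require_all_ports=True narrows it back to hosts that match the full 139/1433/2967 pattern.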