Malware in a small pot

Costin Raiu Kaspersky Labs

Just over a year ago, in early July, the Net witnessed the emergence of the first fileless automotive Windows viral code sequence, or in short `worm', now known by the name 'CodeRed'.

Due to its 'fileless' nature, CodeRed brought at least two new problems for the anti-virus developers - first, of course, detection, which requires more than the usual file scan methods and secondly, the need to implement tools to capture and study the movements of such things, directly on the Internet.

As an example, when CodeRed appeared, various methods were used to capture samples, from the crude, but effective running of a 'netcat' instance on port 80 and re-directing its output to a file, up to analysing the logs of various http servers, and extracting the first parts of the exploit data from there.

However, when more versions of CodeRed started to appear, it became very clear that if you want to monitor the spreading of such things, and moreover, to find out as soon as possible when a new variant appears, first of all the 'capture' process has to be automated, and secondly, we have to enhance it so it can be able to also provide statistics, early/urgent samples and centralization of the reports.

Between the projects attempting to accomplish this task, Smallpot, short for `Small Honeypot', is a Win32 implementation running since the early days of CodeRed.C, collecting infection reports, and attempting to do even more than just listening for HTTP requests: Smallpot also tries to fake various other Internet services such as ftp, pop3, smtp, sun-rpc, telnet, UPnP, ms-sql, ssh and even backdoor servers such as NetBus or SubSeven, monitoring hacking attempts or network scans for those services.

This presentation will show the results of the evolution and development of Smallpot, presenting and discussing the data it received until today:

  • the most common types of malware received by Smallpot
  • the strangest probes and data received
  • statistics of connection attempts over time
  • Nimda infection graphs
  • exploits attempted on the various services
  • future improvements and future solutions

 del.icio.us  digg this! digg this

Quick Links

Poll
Should software vendors extend support for their products on Windows XP beyond the end-of-life of the operating system?
Yes - it keeps their users secure
No - it encourages users to continue to use a less secure OS
I don't know
Leave a comment
View 24 comments

SMI Oil and Gas Cyber Security 2014

VB2014
VB2014 VB2014 will take place 24 - 26 September 2014 at the Westin Seattle hotel, Seattle, WA, USA.

Virus Bulletin currently has 231,305 registered users.