Worm charming: taking SMB Lure to the next level
Martin Overton, IBM Global Services, UK
Over the last two years, worms have resurfaced as a major headache, especially for the companies that
get hit by them. Worms aren't new; they have been around since almost the dawn of computing.
With the likes of Nimda, Code Red, and last year's quietly successful worm Opaserv, the rules have
changed and the stakes are now significantly higher than ever before.
This paper will use the SMB Lure design as presented by John Morris of Nortel Networks at VB2002
as a starting point and cover how it can be extended to improve its usefulness, not just to corporates but
also to researchers in the AV companies. These improvements will include:
Sample Capture, via custom scripts/tools.
Sample Recognition, MD5 hashes and anti-virus tools and storage.
Integration with other technologies, such as IDS, Integrity Checking, anti-virus and custom.
Scripts and other useful tools.
Automation.
By the time VB2003 arrives, a prototype system based on the technologies and methodologies
mentioned above will have been running for almost a year, so there should be some very interesting
statistics, as well as lessons learnt along the way, to share.
Early statistics and information obtained using a very early version of this system were used
in the article entitled 'Are You Being [Opa]Serve[d]?' in the January 2003 issue of
Virus Bulletin magazine.