Malware in a small pot
Costin Raiu Kaspersky Labs
Just over a year ago, in early July, the Net witnessed the emergence of the first fileless automotive Windows viral code sequence, or in short `worm', now known by the name 'CodeRed'.
Due to its 'fileless' nature, CodeRed brought at least two new problems for the anti-virus developers - first, of course, detection, which requires more than the usual file scan methods and secondly, the need to implement tools to capture and study the movements of such things, directly on the Internet.
As an example, when CodeRed appeared, various methods were used to capture samples, from the crude, but effective running of a 'netcat' instance on port 80 and re-directing its output to a file, up to analysing the logs of various http servers, and extracting the first parts of the exploit data from there.
However, when more versions of CodeRed started to appear, it became very clear that if you want to monitor the spreading of such things, and moreover, to find out as soon as possible when a new variant appears, first of all the 'capture' process has to be automated, and secondly, we have to enhance it so it can be able to also provide statistics, early/urgent samples and centralization of the reports.
Between the projects attempting to accomplish this task, Smallpot, short for `Small Honeypot', is a Win32 implementation running since the early days of CodeRed.C, collecting infection reports, and attempting to do even more than just listening for HTTP requests: Smallpot also tries to fake various other Internet services such as ftp, pop3, smtp, sun-rpc, telnet, UPnP, ms-sql, ssh and even backdoor servers such as NetBus or SubSeven, monitoring hacking attempts or network scans for those services.
This presentation will show the results of the evolution and development of Smallpot, presenting and discussing the data it received until today:
- the most common types of malware received by Smallpot
- the strangest probes and data received
- statistics of connection attempts over time
- Nimda infection graphs
- exploits attempted on the various services
- future improvements and future solutions