Question N2

What possible evidence of malware is there? What types? What are the malware trends you can observe?


What To Look At

We should properly check the trend of worms in February first; I have NOT been much up to date this time, to be honest.... There have been way too many new worms and their variants daily; it is not humanly possible to remember them all. We googled sometimes, but put emphasis on collaborative reviewing and discussing of what was observed in the raw log data and their summary stats and counts.

Check on http://isc.incidents.org/alldiaries.html?month=2&year=2004 and http://isc.incidents.org/alldiaries.html?month=1&year=2004 (yeah, also January, since some stuff came out in January but was still very active at the beginning of February).

Investigations
Timeline



Malware Observed

DstPort3127 - MyDoom
DstPort4000 - Connect-BackBackdoor - maybe pre-scans for the Witty Worm / ISS vulnerability?
DstPort6129 - W32.mockbot.a.worm (and Pre-Scans)
DstPort135 - MsBlaster, WelchiaA, WelchiaB, Messenger Pop-Up Spam, etc...
127.0.0.1 - MsBlaster workaround shit
DstPort445 - SmbDevice (Microsoft's new replacement for NetBIOS: SMB over IP); used in a Blaster variant, for example - see also DailyFeb3
DstPort1434 - MS SQL Slammer
OpaServ
Microsoft - Blaster or WelchiaA / WelchiaB ?
DailyFeb3 - WelchiaA ?
NetSky
BagleWorm
WelchiaB
WelchiaA
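The "summary stats and counts" approach mentioned above, as an added example that is not part of the original SotM write-up: it parses constructed iptables-style honeywall log lines, tallies hits and distinct sources per destination port, attributes ports using the Malware Observed list on this page, and gives a crude first/last-day trend per port. The log format, hostnames and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Destination-port -> malware attribution, taken from the Malware Observed list above.
PORT_MALWARE = {3127: "MyDoom", 4000: "connect-back backdoor / pre-scan", 6129: "W32.Mockbot.A",
                135: "MsBlaster / Welchia.A / Welchia.B", 445: "Blaster variant over SMB", 1434: "MS SQL Slammer"}

# Constructed iptables-style honeywall log lines (RFC 5737 addresses), not taken from the SotM data set.
SAMPLE_LOG = """\
Feb  1 00:12:03 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3421 DPT=135 SYN
Feb  1 01:02:11 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4501 DPT=3127 SYN
Feb  1 02:30:00 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 LEN=404 PROTO=UDP SPT=1030 DPT=1434 LEN=384
Feb  3 00:05:10 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.21 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=3333 DPT=135 SYN
Feb  3 00:06:42 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.22 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=1234 DPT=445 SYN
Feb  3 03:15:01 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4600 DPT=3127 SYN
Feb  3 03:15:02 honeywall kernel: IN=eth0 OUT= SRC=10.0.0.30 DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4601 DPT=3127 SYN
Feb  3 04:01:00 honeywall sshd[4242]: Accepted publickey for analyst from 192.0.2.99
"""

LOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+) \S+ \S+ kernel: .*?SRC=(?P<src>\S+) "
                    r"DST=\S+ .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")

def parse_line(line):
    """Return (day, src, dst_port) for a kernel firewall line, or None for anything else (sshd, cron, ...)."""
    m = LOG_RE.match(line)
    return (int(m["day"]), m["src"], int(m["dpt"])) if m else None

def summarize(log_text):
    """Per destination port: total hits, distinct sources, and hits per day (the 'summary stats and counts')."""
    hits, sources, per_day = Counter(), defaultdict(set), defaultdict(Counter)
    for day, src, port in filter(None, map(parse_line, log_text.splitlines())):
        hits[port] += 1
        sources[port].add(src)
        per_day[port][day] += 1
    return hits, {p: len(s) for p, s in sources.items()}, per_day

def trend(day_counts):
    """Crude first-look indicator: compare the first and last day a port was hit (one month of data assumed)."""
    if len(day_counts) < 2:
        return "single day"
    first, last = (day_counts[d] for d in (min(day_counts), max(day_counts)))
    return "rising" if last > first else "falling" if last < first else "flat"

def report(log_text):
    """Rows of (port, hits, distinct sources, attribution, trend), busiest port first."""
    hits, uniq, per_day = summarize(log_text)
    return [(p, n, uniq[p], PORT_MALWARE.get(p, "unattributed"), trend(per_day[p])) for p, n in hits.most_common()]
if __name__ == "__main__":
    for port, n, srcs, label, tr in report(SAMPLE_LOG):
        print("DstPort%-5d hits=%-2d sources=%-2d %-11s %s" % (port, n, srcs, tr, label))
```

Distinct-source counts matter as much as raw hits: one host hammering a port looks like a single infected machine, while many sources on one port is the worm-propagation pattern the question asks about.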



Related Pages
Question3 - Reconnaissance activity
Question4 - Scans observed
Question5 - Various Internet noise


External References
http://www.chuvakin.org/honeynet/worms/
http://www.muscetta.org/research/worms/