Re: malicious scans

On Mon, May 17, 2004 at 01:39:39PM +0200, Jens Simmoleit wrote:
> >
> > Hi,
> >
> > 	Anybody know where I can get some detailed info on the
> > characteristics of trojans/viruses that scan for vulnerabilities ?
> > Specifically, I'm trying to determine if a pattern of scanned ports I have
> > noticed on my machine is characteristic of any particular
> > trojan/virus/malicious programme that a user might not be aware of on their
> > machine (ie, not something they are consciously running, but which has
> > been installed without their knowledge).
> >
> > 	My googling so far hasn't turned up that kind of detail.  For
> > instance, I found a long list of trojans whose purpose in life is to scan
> > for windows vulnerabilities.  One name I can remember (I did the research on
> > a different machine than the one from which I write) for example was AGEG
> > (AGressive Exploit Groper?Grabber), but I don't know if it was written to
> > scan a specific set of vulnerable ports, or if it is configurable.  I've
> > done a little surfing at the SANS website without coming up with much.
> >
> > 	I'm not really too sure where to look for this kind of info, or even
> > how likely it is to exist.  Like is there any kind of trend for these kinds
> > of programmes to be configurable or to be preset.  I thought maybe there
> > would be people with more security experience on this list that could share
> > some ideas or resources.
> >
> http://securityresponse.symantec.com/ - here are the TOP10 and the LATEST 10
> Virus(s?)es
> http://www.symantec.com/search/ - use different search words like ports and
> make sure to check the boxes for Virus & Exploit
> http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=22&pkj=WZMHDTKJBTVISBYWWYP
> - online virus scan :-) if you might need this
> I think the best one is this here -
> http://securityresponse.symantec.com/avcenter/vinfodb.html
> But those will list more or less ALL virus(s?)es regardless if it's a
> trojan, worm or else.....

Thanks for the response.  I realize, though, that I probably wasn't clear
enough in my request.  I've been to sites like symantec, but they don't have
the kind of detail I am looking for.  I realize this is off-topic, but I am
going to try to clear it up, just in case there is someone on this list who
can point me to some other resources, or even suggest the likelihood of
discovering what I am after.

Scans have been noticed coming from certain machines on a network
segment.  These scans have been of ports which are known to be potential
vulnerabilities.  These aren't general look-around scans, but have been
targeting very specific ports, eg. 3127, 445, 2745 and 6129, amongst

I know that scanning programmes such as nmap can be configured to probe
certain ports, as above.  I suspect that many, if not all the
trojans/virii/etc in the wild can be configured in like manner.  But I want
to leave no stone unturned and am trying to discover if there are any
trojans/virii/etc with a scanning pattern that matches what has been noticed
in logs.

My own research hasn't turned up much yet.  Googling terms such as "port
scanning trojans" has uncovered lists of such beasts without telling me
anything specific about their characteristics.  Last night I even tried
googling for warez sites, but that kind of makes my skin crawl, especially
since many of the sites don't seem to have much useful info.

Let me word it this way: suppose I wanted to scan the above ports, and
exploit any vulnerabilities found, and I didn't want to do it from my own
machine, but rather by infecting someone else's, and I didn't know how to do
it myself, where would I look to find a premade programme that would do this
for me ?

Any thoughts ?
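Added example, not part of the thread: a small Python detector that reads netfilter-style firewall log lines and flags any source that probes the specific port set the message describes (3127, 445, 2745, 6129) within a short window, which is the kind of check you would run over your own logs to confirm the pattern before trying to match it to a known program. The log format, host addresses, window and threshold are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Ports the message reports seeing probed.
WATCHED_PORTS = {3127, 445, 2745, 6129}

# Constructed sample lines in an iptables/netfilter-style syslog format (assumed format).
SAMPLE_LOG = """\
May 17 13:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.50 PROTO=TCP SPT=3421 DPT=3127 SYN
May 17 13:40:01 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.50 PROTO=TCP SPT=3422 DPT=445 SYN
May 17 13:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.51 PROTO=TCP SPT=3423 DPT=2745 SYN
May 17 13:40:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.51 PROTO=TCP SPT=3424 DPT=6129 SYN
May 17 13:40:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.50 PROTO=TCP SPT=51000 DPT=445 SYN
May 17 13:40:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.50 PROTO=TCP SPT=51001 DPT=80 SYN
May 17 13:41:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.52 PROTO=TCP SPT=3425 DPT=3127 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

def parse(log_text, year=2004):
    """Yield (timestamp, src, dst, dport) for each parseable line; syslog lines carry no year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], m["dst"], int(m["dpt"])

def find_scanners(log_text, watched=WATCHED_PORTS, min_ports=3, window_s=60):
    """Return {src: {"ports": [...], "hosts": n}} for every source that touches at least
    min_ports distinct watched ports within window_s seconds (a targeted-scan signature)."""
    events = defaultdict(list)
    for ts, src, dst, dpt in parse(log_text):
        if dpt in watched:
            events[src].append((ts, dst, dpt))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            window = [e for e in evs[i:] if (e[0] - start).total_seconds() <= window_s]
            ports = {e[2] for e in window}
            if len(ports) >= min_ports:
                hits[src] = {"ports": sorted(ports), "hosts": len({e[1] for e in window})}
                break  # first qualifying window is enough to flag this source
    return hits
```

Sources that only touch one watched port (here 192.0.2.77) are left alone, so ordinary traffic to port 445 does not trip the check.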