RE: malicious scans
http://www.dshield.org/pipermail/list/2004-April/030804.php
Matt Joyce
Children's Cancer Institute Australia
http://www.ccia.org.au
> -----Original Message-----
> From: gcrimp@vcn.bc.ca [mailto:gcrimp@vcn.bc.ca] On Behalf Of
> ghcbc@yahoo.com
> Sent: Wednesday, 19 May 2004 5:20 AM
> To: Debian User List
> Subject: Re: malicious scans
>
>
> On Mon, May 17, 2004 at 01:39:39PM +0200, Jens Simmoleit wrote:
> >
> > >
> > > Hi,
> > >
> > > Anybody know where I can get some detailed info on the
> > > characteristics of trojans/viruses that scan for vulnerabilities?
> > > Specifically, I'm trying to determine if a pattern of scanned ports
> > > I have noticed on my machine is characteristic of any particular
> > > trojan/virus/malicious programme that a user might not be aware of
> > > on their machine (ie, not something they are not consciously
> > > running, but which has been installed without their knowledge).
> > >
> > > My googling so far hasn't turned up that kind of detail. For
> > > instance, I found a long list of trojans whose purpose in life is to
> > > scan for windows vulnerabilities. One name I can remember (I did
> > > the research on a different machine than the one from which I write)
> > > for example was AGEG (AGressive Exploit Groper?Grabber), but I don't
> > > know if it was written to scan a specific set of vulnerable ports,
> > > or if it is configurable. I've done a little surfing at the SANS
> > > website without coming up with much.
> > >
> > > I'm not really too sure where to look for this kind of info, or
> > > even how likely it is to exist. Like is there any kind of trend for
> > > these kinds of programmes to be configurable or to be preset. I
> > > thought maybe there would be people with more security experience on
> > > this list that could share some ideas or resources.
> > >
> >
> > http://securityresponse.symantec.com/ - here are the TOP10 and the
> > LATEST 10 Virus(s?)es
> >
> > http://www.symantec.com/search/ - use different search words like
> > ports and make sure to check the boxes for Virus & Exploit
> >
> > http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=22&pkj=WZMHDTKJBTVISBYWWYP - online virus scan :-) if you might need this
> >
> > I think the best one is this here -
> > http://securityresponse.symantec.com/avcenter/vinfodb.html
> >
> > But those will list more or less ALL virus(s?)es regardless if it's a
> > trojan, worm or else.....
> >
>
> Thanks for the response. I realize, though, that I probably
> wasn't clear enough in my request. I've been to sites like
> symantec, but they don't have the kind of detail I am looking
> for. I realize this is off-topic, but I am going to try to
> clear it up, just in case there is someone on this list who
> can point me to some other resources, or even suggest the
> likelihood of discovering what I am after.
>
> Scans have been noticed coming from certain machines on a
> network segment. These scans have been of ports which are
> known to be potential vulnerabilities. These aren't general
> look around scans, but have been targeting very specific
> ports, eg. 3127, 445, 2745 and 6129, amongst others.
>
> I know that scanning programmes such as nmap can be
> configured to probe certain ports, as above. I suspect that
> many, if not all the trojans/virii/etc in the wild can be
> configured in like manner. But I want to leave no stone
> unturned and am trying to discover if there are any
> trojans/virii/etc with a scanning pattern that matches what
> has been noticed in logs.
>
> My own research hasn't turned up much yet. Googling terms
> such as "port scanning trojans" has uncovered lists of such
> beasts without telling me anything specific about their
> characteristics. Last night I even tried googling for warez
> sites, but that kind of makes my skin crawl, especially since
> many of the sites don't seem to have much useful info.
>
> Let me word it this way, suppose I wanted to scan the above
> ports, and exploit any vulnerabilities found, and I didn't
> want to do it from my own machine, but rather by infecting
> someone else's, and I didn't know how to do it myself, where
> would I look to find a premade programme that would do this for me ?
>
> Any thoughts ?
>
> gerry
>
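The question above asks how to tell a targeted sweep of a short port list apart from a general look-around scan using what is already in the firewall logs. The following is an added example, not code from the thread or from any of the people quoted in it: it parses netfilter-style log lines (constructed sample data, not gerry's logs), groups connection attempts by source address, and flags a source as "targeted" when it touched several hosts and nearly all of its probes went to the port list named in the post. The thresholds `min_hosts` and `min_watched_ratio` are assumptions to tune per network.

```python
import re
from collections import defaultdict

# The specific ports gerry reports seeing in the logs.
WATCHED_PORTS = {3127, 445, 2745, 6129}

# Constructed netfilter/iptables log sample (not real data from the thread).
SAMPLE_LOG = """\
May 19 04:02:11 gw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.21 PROTO=TCP SPT=4123 DPT=3127 SYN
May 19 04:02:11 gw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.21 PROTO=TCP SPT=4124 DPT=445 SYN
May 19 04:02:12 gw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.22 PROTO=TCP SPT=4125 DPT=2745 SYN
May 19 04:02:12 gw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.22 PROTO=TCP SPT=4126 DPT=6129 SYN
May 19 04:02:13 gw kernel: IN=eth1 OUT= SRC=192.0.2.10 DST=192.0.2.23 PROTO=TCP SPT=4127 DPT=3127 SYN
May 19 04:05:40 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.21 PROTO=TCP SPT=51002 DPT=22 SYN
May 19 04:05:41 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.21 PROTO=TCP SPT=51003 DPT=80 SYN
May 19 04:05:41 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.21 PROTO=TCP SPT=51004 DPT=443 SYN
May 19 04:05:42 gw kernel: IN=eth1 OUT= SRC=192.0.2.55 DST=192.0.2.21 PROTO=TCP SPT=51005 DPT=445 SYN
May 19 04:09:01 gw kernel: IN=eth1 OUT= SRC=192.0.2.77 DST=192.0.2.30 PROTO=TCP SPT=3301 DPT=445 SYN
"""

# Only TCP lines carrying source, destination and destination port are of interest.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)")

def parse_log(text):
    """Yield (src, dst, dport) for every TCP log line with the fields we need."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dpt"))

def profile_sources(text, watched=WATCHED_PORTS, min_hosts=2, min_watched_ratio=0.75):
    """Per source: hosts probed, ports probed, share of probes on watched ports,
    and a 'targeted' flag (many hosts, narrow watched port list). Thresholds are assumptions."""
    hits = defaultdict(list)
    for src, dst, dport in parse_log(text):
        hits[src].append((dst, dport))
    report = {}
    for src, probes in hits.items():
        hosts = {dst for dst, _ in probes}
        ports = {dport for _, dport in probes}
        watched_ratio = sum(1 for _, p in probes if p in watched) / len(probes)
        report[src] = {
            "hosts": len(hosts),
            "ports": sorted(ports),
            "watched_ratio": watched_ratio,
            "targeted": len(hosts) >= min_hosts and watched_ratio >= min_watched_ratio,
        }
    return report
```

On the sample, 192.0.2.10 is flagged (three hosts, only watched ports), while 192.0.2.55 (one host, mostly unrelated ports) and 192.0.2.77 (a single probe to one host) are not.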