RE: TCP port 5000 syn increasing
From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue May 18 2004 - 17:30:45 CDT
Frank Knobbe <frank@knobbe.us> wrote:
> That begs the question if it isn't becoming useless nowadays to count
> port scans. Perhaps we should focus instead on catching the worms and
> provide payload, or payload hashes. Otherwise, how would you pick up the
> new strain of SQL slammer amongst all the existing SQL port scans?
Well, some of us not only are doing this, but have been for several
years (at least for a select group of likely ports).
I know of several "home brew" projects in the anti-malware community
that more or less do what you propose, and at least one of them is
publicly available and looking for more dedicated nodes. If you're up
for running a well-configured Windows box with open Internet access,
have a look at WormRadar:
http://www.wormradar.com/
This is an offshoot of an earlier, similar effort which, among other
things, was the first to detect several variants of CodeRed. I'm not
directly related to this project, but was one of the very early users
of WormRadar's forbear, WormCatcher. WormRadar is a private project of
Roger Thompson, one of the very early AV industry folk (he developed at
least two detection engines for two different product lines), more
recently Director of Malware Research at ICSA and now VP of Product
Development at PestPatrol.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
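The approach Frank raises in the quoted paragraph (stop counting hits on a port and instead keep the captured payload, or a hash of it, so a new strain stands out against the background of existing scans) is easy to illustrate. The block below is an added example, not code from the thread, from WormRadar or from WormCatcher. It assumes you already have a sensor that hands you datagrams as (source, destination port, payload) tuples, for example a listener bound to UDP 1434, and it uses a constructed set of packets with placeholder bytes rather than real worm bodies:

```python
import hashlib
from collections import Counter, defaultdict

# Constructed sample traffic for the example: (source IP, destination port, payload).
# The byte strings are placeholders standing in for captured datagrams; they are
# not real worm bytes.
SAMPLE_PACKETS = [
    ("10.0.0.1", 1434, b"\x04\x01\x01\x01\x01" + b"A" * 40),
    ("10.0.0.2", 1434, b"\x04\x01\x01\x01\x01" + b"A" * 40),
    ("10.0.0.3", 1434, b"\x04\x01\x01\x01\x01" + b"A" * 40),
    ("10.0.0.4", 1434, b"\x04\x01\x01\x01\x01" + b"B" * 40),  # same port, different body
    ("10.0.0.5", 1434, b"\x04"),                              # bare probe, no body
    ("10.0.0.6", 1433, b"\x12\x01\x00\x2f"),                  # short probe on 1433
]

# Hashes the sensor already knows; here seeded with the "A" variant above so the
# "B" variant shows up as new. In a distributed setup this set is what nodes share.
KNOWN_PAYLOAD_HASHES = {
    hashlib.sha256(b"\x04\x01\x01\x01\x01" + b"A" * 40).hexdigest(),
}

# Payloads shorter than this are treated as probes/scans rather than worm bodies
# (threshold is an assumption for the example, not a published figure).
MIN_BODY_LEN = 8


def payload_hash(payload: bytes) -> str:
    """SHA-256 of the raw datagram body, used as the payload identifier."""
    return hashlib.sha256(payload).hexdigest()


def port_counts(packets) -> Counter:
    """What plain scan counting gives you: hits per destination port."""
    return Counter(port for _, port, _ in packets)


def classify_payloads(packets, known_hashes=KNOWN_PAYLOAD_HASHES):
    """Group packets by payload hash and split them into known, new and short.

    Returns a dict with:
      known -> {hash: [sources]} for hashes already in known_hashes
      new   -> {hash: [sources]} for hashes never seen before
      short -> number of packets too short to carry a worm body
    """
    known = defaultdict(list)
    new = defaultdict(list)
    short = 0
    for src, _port, payload in packets:
        if len(payload) < MIN_BODY_LEN:
            short += 1
            continue
        h = payload_hash(payload)
        (known if h in known_hashes else new)[h].append(src)
    return {"known": dict(known), "new": dict(new), "short": short}


if __name__ == "__main__":
    # Scan counting alone reports five hits on 1434 and says nothing about content.
    print("per-port hits:", dict(port_counts(SAMPLE_PACKETS)))
    report = classify_payloads(SAMPLE_PACKETS)
    for h, srcs in report["new"].items():
        print(f"NEW payload {h[:16]}... seen from {srcs}")
    print(f"{report['short']} short probes ignored")
```

Two caveats a practitioner would want. Exact hashing only works when the worm body is byte-for-byte identical from host to host; a strain that varies a few bytes per infection needs the volatile fields masked, or a hash over a stable prefix, before the hash is useful as an identifier. And a single UDP datagram is the whole exploit, so hashing the payload is trivial there, whereas a TCP-borne worm needs the stream reassembled before there is a payload to hash at all.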