http://www.dshield.org/pipermail/list/2004-April/030804.php
Matt Joyce
Children's Cancer Institute Australia
http://www.ccia.org.au

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Wednesday, 19 May 2004 5:20 AM
> To: Debian User List
> Subject: Re: malicious scans
>
> On Mon, May 17, 2004 at 01:39:39PM +0200, Jens Simmoleit wrote:
> > > Hi,
> > >
> > > Anybody know where I can get some detailed info on the
> > > characteristics of trojans/viruses that scan for vulnerabilities?
> > > Specifically, I'm trying to determine if a pattern of scanned ports
> > > I have noticed on my machine is characteristic of any particular
> > > trojan/virus/malicious programme that a user might not be aware of
> > > on their machine (ie, not something they are consciously
> > > running, but which has been installed without their knowledge).
> > >
> > > My googling so far hasn't turned up that kind of detail. For
> > > instance, I found a long list of trojans whose purpose in life is to
> > > scan for windows vulnerabilities. One name I can remember (I did
> > > the research on a different machine than the one from which I write)
> > > for example was AGEG (AGressive Exploit Groper?Grabber), but I don't
> > > know if it was written to scan a specific set of vulnerable ports,
> > > or if it is configurable. I've done a little surfing at the SANS
> > > website without coming up with much.
> > >
> > > I'm not really too sure where to look for this kind of info, or
> > > even how likely it is to exist. Like is there any kind of trend for
> > > these kinds of programmes to be configurable or to be preset. I
> > > thought maybe there would be people with more security experience on
> > > this list that could share some ideas or resources.
> >
> > http://securityresponse.symantec.com/ - here are the TOP10 and the
> > LATEST 10 Virus(s?)es
> >
> > http://www.symantec.com/search/ - use different search words like
> > ports and make sure to check the boxes for Virus & Exploit
> >
> > http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=22&pkj=WZMHDTKJBTVISBYWWYP
> > - online virus scan :-) if you might need this
> >
> > I think the best one is this here -
> > http://securityresponse.symantec.com/avcenter/vinfodb.html
> >
> > But those will list more or less ALL virus(s?)es regardless if it's a
> > trojan, worm or else.....
>
> Thanks for the response. I realize, though, that I probably
> wasn't clear enough in my request. I've been to sites like
> symantec, but they don't have the kind of detail I am looking
> for. I realize this is off-topic, but I am going to try to
> clear it up, just in case there is someone on this list who
> can point me to some other resources, or even suggest the
> likelihood of discovering what I am after.
>
> Scans have been noticed coming from certain machines on a
> network segment. These scans have been of ports which are
> known to be potential vulnerabilities. These aren't general
> look-around scans, but have been targeting very specific
> ports, eg. 3127, 445, 2745 and 6129, amongst others.
>
> I know that scanning programmes such as nmap can be
> configured to probe certain ports, as above. I suspect that
> many, if not all the trojans/virii/etc in the wild can be
> configured in like manner. But I want to leave no stone
> unturned and am trying to discover if there are any
> trojans/virii/etc with a scanning pattern that matches what
> has been noticed in logs.
>
> My own research hasn't turned up much yet. Googling terms
> such as "port scanning trojans" has uncovered lists of such
> beasts without telling me anything specific about their
> characteristics. Last night I even tried googling for warez
> sites, but that kind of makes my skin crawl, especially since
> many of the sites don't seem to have much useful info.
>
> Let me word it this way, suppose I wanted to scan the above
> ports, and exploit any vulnerabilities found, and I didn't
> want to do it from my own machine, but rather by infecting
> someone else's, and I didn't know how to do it myself, where
> would I look to find a premade programme that would do this for me?
>
> Any thoughts?
>
> gerry
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
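The question gerry is really asking is how to tell a fixed-port-list sweep (the kind a worm or bot carries hard-coded) apart from a general nmap-style look-around, using nothing but the firewall logs. The script below is an added example written for this page; it is not code from the thread or from any of the tools mentioned in it. It parses constructed iptables LOG lines, profiles each source by the destination hosts and ports it touched, and reports a source as a targeted-set scan when its probed ports cover a signature set. The only signature defined is the port set quoted in gerry's message (3127, 445, 2745, 6129); the signature name, the coverage threshold and the broad-sweep cutoff are assumptions of this example, as are all addresses in the sample log.

```python
"""Profile scanning sources in firewall logs and match them against port-set signatures.

Added example for this thread, not the list's or any project's code. The log
lines are constructed in iptables LOG format; hosts, ports and names are
illustrative only.
"""
import re
from collections import defaultdict

# Port sets worth recognising. The set itself comes from gerry's message; the
# signature name "thread-port-set" is this example's own label.
SIGNATURES = {
    "thread-port-set": {3127, 445, 2745, 6129},
}

# A source must have probed at least this fraction of a signature's ports to match.
MATCH_THRESHOLD = 0.75
# A source probing more distinct ports than this looks like a broad sweep
# (nmap-style), not a fixed list carried by a piece of malware.
BROAD_SWEEP_PORTS = 20

# Matches the fields we need in an iptables LOG line; other lines are ignored.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_log(text):
    """Yield (src, dst, dport) for every TCP packet line in the log text."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("src"), m.group("dst"), int(m.group("dport"))


def profile_sources(records):
    """Group probes by source address: destination hosts, ports and probe count."""
    profiles = defaultdict(lambda: {"hosts": set(), "ports": set(), "probes": 0})
    for src, dst, dport in records:
        p = profiles[src]
        p["hosts"].add(dst)
        p["ports"].add(dport)
        p["probes"] += 1
    return profiles


def signature_coverage(ports, signature):
    """Fraction of the signature's ports that appear in the probed port set."""
    return len(ports & signature) / len(signature)


def classify(profile):
    """Label one source profile as targeted-set, broad-sweep or unclassified."""
    ports = profile["ports"]
    matches = [name for name, sig in SIGNATURES.items()
               if signature_coverage(ports, sig) >= MATCH_THRESHOLD]
    if len(ports) > BROAD_SWEEP_PORTS:
        kind = "broad-sweep"
    elif matches:
        kind = "targeted-set"
    else:
        kind = "unclassified"
    return {"kind": kind, "matches": matches,
            "hosts": len(profile["hosts"]), "ports": sorted(ports)}


def analyse(text):
    """Return {source address: classification} for a whole log text."""
    return {src: classify(p) for src, p in profile_sources(parse_log(text)).items()}


def _line(src, dst, spt, dpt):
    # Constructed iptables LOG-style line; timestamp and interface are filler.
    return (f"May 18 02:11:07 gw kernel: IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT={spt} DPT={dpt} SYN")


# Constructed sample log: one host hitting exactly the thread's four ports on
# two neighbours, one host sweeping ports 1-30, one host with ordinary traffic.
SAMPLE_LOG = "\n".join(
    [_line("10.0.5.23", dst, 4000 + i, dpt)
     for i, (dst, dpt) in enumerate((d, p)
                                    for d in ("10.0.5.40", "10.0.5.41")
                                    for p in (3127, 445, 2745, 6129))]
    + [_line("10.0.5.77", "10.0.5.40", 51000 + p, p) for p in range(1, 31)]
    + [_line("10.0.5.90", "10.0.5.40", 60000, 80),
       _line("10.0.5.90", "10.0.5.40", 60001, 22)]
    + ["May 18 02:11:09 gw kernel: unrelated message without a packet"]
)

if __name__ == "__main__":
    for src, result in analyse(SAMPLE_LOG).items():
        print(src, result["kind"], result["matches"], "hosts:", result["hosts"])
```

Run against real iptables output (or any log you can reduce to source, destination and destination port) the same profile tells you what gerry wanted from the logs: 10.0.5.23 in the sample touches only the four ports from the thread and walks from host to host, while 10.0.5.77 spreads across thirty ports on one host. Adding further port sets to SIGNATURES is how you would test a candidate family's published port list against what you actually observed, without guessing at the family from the ports alone.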

