Slashdot Mirror


WormRadar Node Volunteers Help Graph Attacks

zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."

8 of 159 comments

  1. Seems like a good idea implemented poorly by Anonymous Coward · · Score: 5, Informative

    The website is scarce on details, but from the looks of it, it would appear to not be very sophisticated. It detects very few actual worms and exploits, and would seem to be just like http://isc.incidents.org/ (Internet Storm Centre), except without nearly so much data.

    Leusent _AT_ Link-net.org

  2. A little creepy ... calling home? by digitalgimpus · · Score: 5, Informative

    Each time I launched the app, Norton fires up because an email is being sent.

    No mention of what, anywhere.

    Sorry, perhaps I'm paranoid... but that's not very cool with me.

    1. Re:A little creepy ... calling home? by Ancient+Devices+King · · Score: 4, Informative

      They say explicitly that it communicates with them via email and UDP.

      "Events are reported by both email and udp... email because it makes it convenient to attach a capture if it is something new, and udp because while unreliable, it is fast."

      Exactly how do you expect it to function if it doesn't talk to the people who are using it to track things?

      --
      -"It seems like you're trying to exploit a security hole. Would you like help?"

  3. You can always use VMware or Virtual Machine by Anonymous Coward · · Score: 4, Informative

    Works great, and the author promised to try and port the software to Linux, although he said it may take some time as he is very busy with his real job, as well as working on developing WR and solving all the small bugs.

    The program is under constant development, surprising us with new features. The author is also very quick on responding to bug reports.

    WR allows for emulation of IIS, sub7 and other useful applications/Trojan horses, as well as specifying your own ports to listen on.

    It's a great program and a project worth supporting.

    Important note: the .CAP (capture) files are encrypted using a simple XOR, the .UNX files are the actual captures.

    There is some way yet to go until this program hits 'legacy', but as I said it is under constant development, really useful... and it *is* free.

  4. Re:Open Source or Trojan Horse? by jacquesm · · Score: 4, Informative

    Looks genuine enough though, unless this is false information:

    Roger Thompson
    Roger Thompson
    1650 Emerald Ridge
    Marietta, GA 30062
    US
    Phone: 6785608027
    Fax..: 6785609109
    Email: rogert@mindspring.com

    If not, that would be the first time a trojan writer puts his real-world address out for all to see.

    In the Windows world people don't even expect to be able to see the source code.

  5. For Those of you worried WR might be a Trojan by Gadi+Evron · · Score: 5, Informative

    The author of WR is Roger Thompson, a well respected AV professional since the very first days in the late 80's/early 90's.

    He is also a CARO member, which is a very respectable organization for old-timer AV researchers.

    I know him personally and vouch for him, much like pretty much any other AV researcher in the world. Everybody knows Roger.

  6. everything is explained in the NTBUGTRAQ post, by Gadi+Evron · · Score: 5, Informative

    Hi Russ,

    I am looking for some more folks who would be interested in running
    WormRadar. ( http://wormradar.com). The web site is still rudimentary, but
    the graph is generated every 30 minutes, and is interesting to watch, and
    WormRadar.exe is available for download from there.

    It is essentially a distributed Windows honeypot that listens on known
    wormy ports (or ports that are likely to become wormy), and CRCs, or scans,
    anything that comes along. Its purpose is to both measure the frequency of
    known, current worms and to alert us all when something new becomes active.
    It is free provided you allow it to report to the central site.

    If you allow it, WormRadar will synchronize your PC to network time, and
    all events are recorded to the millisecond UTC. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WormRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

    (1) Green bars are recognized things
    (2) Red bars are new (and should be watched)
    (3) If I didn't get any data, I generate a name based on whether it was TCP
    or UDP, plus the port number, plus '0 bytes'. E.g. "t17300 0 bytes" means it
    was TCP port 17300 and was 0 bytes long.
    (4) If I got some data, but couldn't recognize it, I generate a similar
    filename, but the suffix is 'unk', for unknown.
    (5) I call it a 'summary', because if a single sourceip hits a single
    targetip 200 times on the same port (such as a sql dictionary attack on
    1433), it is really only one incident, and that is how I summarize it.

    It emulates some common servers, such as web and ftp, and some common
    backdoors, such as sub7 and kuang, and there are a bunch of tcp and udp
    ports that can be set to whatever you like.

    To install it, simply make a directory, copy it in, run it, configure it a
    bit if you want, and tell it to listen. You can set it to cc yourself, and
    you will receive a copy of the email sent to wormradar.com. The UDP
    messages are content-identical to the email, although without email-y
    things like headers, and I don't UDP the attachment if there is one.

    It runs on about any Windows platform but runs best on Win ME, W2k or
    WinXP. Win ME is a good platform, because there are fewer services to turn
    off to allow WormRadar to listen on those ports. It runs nicely behind
    firewalls like ZoneAlarm, and runs nicely in Virtual PC or VMWare. It
    doesn't need much hardware... 200 or 300 MHz is fine. In the unlikely event
    that you want to install it on more than one computer, please don't install
    them on side by side IP addresses... this just skews the data. What we
    really want is a nice, random, widespread distribution.

    Thanks

    Roger
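
The naming and summarisation rules from the post above (recognised name, "t17300 0 bytes" for empty probes, "unk" for unrecognised data, and one incident per source/target/port pair however many hits), as an added example that is not WormRadar's own code; the event record format and the tiny signature table are constructed for illustration.

```python
"""Summarise honeypot events the way the WormRadar post describes.
Added illustration, not WormRadar's code; event fields and the
signature table below are constructed."""
from collections import Counter

# Constructed, simplified signature table: (proto, port, payload prefix) -> name.
KNOWN = {
    ("tcp", 80, b"GET /default.ida?"): "codered",
    ("udp", 1434, b"\x04\x01\x01\x01"): "slammer",
}

def label(proto, port, payload):
    """Name one event: a recognised signature, '<t|u><port> 0 bytes' for
    an empty probe, or '<t|u><port> unk' for data nothing matched."""
    prefix = proto[0]                      # 't' or 'u', as in "t17300 0 bytes"
    if not payload:
        return f"{prefix}{port} 0 bytes"
    for (kp, kport, sig), name in KNOWN.items():
        if kp == proto and kport == port and payload.startswith(sig):
            return name
    return f"{prefix}{port} unk"

def summarize(events):
    """Collapse every hit from one source IP on one target IP and port into
    a single incident, then count incidents per label. Returns (counts,
    new_labels); new_labels are the unrecognised 'red bar' entries."""
    incidents = {}
    for ev in events:
        key = (ev["proto"], ev["src"], ev["dst"], ev["port"])
        incidents.setdefault(key, ev["payload"])   # keep first payload seen
    counts = Counter(label(proto, port, payload)
                     for (proto, _, _, port), payload in incidents.items())
    new = {n for n in counts if n.endswith(" unk") or n.endswith(" 0 bytes")}
    return counts, new

# Constructed sample: a 200-hit SQL dictionary attack on 1433 (one incident),
# a Code Red style request, a Slammer style packet and an empty TCP probe.
EVENTS = [{"proto": "tcp", "src": "10.0.0.5", "dst": "192.0.2.9", "port": 1433,
           "payload": b"\x10\x01\x00sa"} for _ in range(200)] + [
    {"proto": "tcp", "src": "10.0.0.7", "dst": "192.0.2.9", "port": 80,
     "payload": b"GET /default.ida?NNNN"},
    {"proto": "udp", "src": "10.0.0.8", "dst": "192.0.2.9", "port": 1434,
     "payload": b"\x04\x01\x01\x01\x01"},
    {"proto": "tcp", "src": "10.0.0.9", "dst": "192.0.2.9", "port": 17300,
     "payload": b""}]

if __name__ == "__main__":
    counts, new = summarize(EVENTS)
    for name, n in sorted(counts.items()):
        print("RED  " if name in new else "GREEN", n, name)
```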

  7. Re:PNG for gawds sake! by modecx · · Score: 3, Informative

    Actually, the image looks okay.

    They used the size attributes in HTML to resize it (which of course makes it look terrible). Image size is 446x668; they resize it to 560x839. Makes no sense.

    Still makes their operation look pretty bad.

    --
    Constitutional rights may be respected, repealed, or modified; but they must never be ignored.