WormRadar Node Volunteers Help Graph Attacks
zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."
Might it make more sense to have the client available on platforms which are not necessarily vulnerable to most of these infections? After all, many of the systems which are connected to the Internet full time (servers/workstations etc...) are not Windows machines.
Visit Jonesblog and say hello.
Let me be the first to get the obvious joke out of the way.
:)
Why is there only a windows client? Because all the worms only affect windows machines, what would be the point of a client on anything else?
Although of course, the more serious answer is "A client on something other than windows would be sensible, because if a new worm comes out and hits a 0-day windows hole then your machine could be infected and dead before it gets the chance to report that it is being attacked. (Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there. It's almost a shame, because one good formatting worm might finally make people take them more seriously.. it's only a matter of time)
Combination - fun iPhone puzzling
Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm. Considering the only people who would download this would be techies with big pipes, this could get interesting. Just a theory and a reminder to the author that people usually feel safer downloading something they can examine.
EvilCON - Made Famous by
Is the number of SQL-Slammer-infected systems still out there:
Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
References: none found SID: 483
Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 152.66.211.244:3280 -> x.x.x.x:1434
References: none found SID: 2003
Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 210.13.22.79:1171 -> x.x.x.x:1434
References: none found SID: 2003
Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4380 -> x.x.x.x:3128
References: none found SID: 618
Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4380 -> x.x.x.x:3128
References: none found SID: 618
Date: 04/23 02:32:54 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4514 -> x.x.x.x:1080
References: none found SID: 615
Date: 04/23 02:32:57 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4514 -> x.x.x.x:1080
References: none found SID: 615
Date: 04/23 02:59:50 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
References: none found SID: 483
Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 67.163.239.113:1209 -> x.x.x.x:1434
References: none found SID: 2003
If you don't want to repeat the past, stop living in it.
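The alert excerpt above is in the four-line "Date / Priority / IP info / References ... SID" format, and the question the poster is really asking is how many distinct Slammer-infected hosts are still knocking on port 1434. Here is an added example (not from the post or from WormRadar) that parses that format and aggregates events and unique source addresses per signature ID; the input is the poster's own excerpt, with the masked x.x.x.x destination left as-is, and SID 2003 is treated as the Slammer propagation signature only because the posted alert names it that way.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Sample input: the alert excerpt posted above (x.x.x.x is the poster's
# masked destination address). Any log in the same four-line layout works.
SAMPLE_LOG = """\
Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
References: none found SID: 483
Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 152.66.211.244:3280 -> x.x.x.x:1434
References: none found SID: 2003
Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 210.13.22.79:1171 -> x.x.x.x:1434
References: none found SID: 2003
Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4380 -> x.x.x.x:3128
References: none found SID: 618
Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4380 -> x.x.x.x:3128
References: none found SID: 618
Date: 04/23 02:32:54 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4514 -> x.x.x.x:1080
References: none found SID: 615
Date: 04/23 02:32:57 Name: SCAN SOCKS Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 69.158.81.79:4514 -> x.x.x.x:1080
References: none found SID: 615
Date: 04/23 02:59:50 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
References: none found SID: 483
Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 67.163.239.113:1209 -> x.x.x.x:1434
References: none found SID: 2003
"""

# One regex per four-line record. Ports may be "n/a" for ICMP, so they are
# matched as any non-space run rather than as digits.
RECORD_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\s*\n"
    r"Priority: (?P<priority>\d+) Type: (?P<type>.+?)\s*\n"
    r"IP info: (?P<src>[^:\s]+):(?P<sport>\S+) -> (?P<dst>[^:\s]+):(?P<dport>\S+)\s*\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)"
)

SLAMMER_SID = 2003  # the SID the posted "MS-SQL Worm propagation attempt" alerts carry


@dataclass
class Alert:
    date: str
    name: str
    priority: int
    type: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int


def parse_alerts(text: str) -> List[Alert]:
    """Return every well-formed record in the log; malformed fragments are skipped."""
    alerts = []
    for m in RECORD_RE.finditer(text):
        alerts.append(Alert(m["date"], m["name"], int(m["priority"]), m["type"],
                            m["src"], m["sport"], m["dst"], m["dport"], int(m["sid"])))
    return alerts


def summarize_by_sid(alerts: List[Alert]) -> Dict[int, dict]:
    """Per SID: signature name, number of events, and the set of distinct sources."""
    summary: Dict[int, dict] = {}
    for a in alerts:
        entry = summary.setdefault(a.sid, {"name": a.name, "events": 0, "sources": set()})
        entry["events"] += 1
        entry["sources"].add(a.src)
    return summary


def slammer_sources(alerts: List[Alert]) -> List[str]:
    """Distinct hosts seen sending Slammer propagation attempts, sorted."""
    seen: Set[str] = {a.src for a in alerts if a.sid == SLAMMER_SID}
    return sorted(seen)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for sid, info in sorted(summarize_by_sid(parsed).items()):
        print(f"SID {sid:>5}  {info['events']} events  {len(info['sources'])} sources  {info['name']}")
    print("Slammer sources:", slammer_sources(parsed))
```

Counting distinct sources rather than raw events is what matters for the poster's question: the two Squid and two SOCKS scans come from one host each, while the three Slammer hits come from three different infected machines.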
Um, whoever modded that as interesting is a fucking moron.
A honeypot is just a pseudo-server meant to trap, delay and/or observe a client. Useful for wasting spammers time/bandwidth, looking for spiders or in this case looking for active worm traffic.
You have to connect to the honeypot for it to be active so in absolutely no way can this be "illegal".
Tom
Someday, I'll have a real sig.
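To put Tom's definition in concrete terms (a pseudo-server that traps, delays and observes whatever connects to it), here is an added example of a minimal low-interaction TCP honeypot. It is not WormRadar's code and makes no claim about how WormRadar works; the port, banner and delay are illustrative choices. It accepts a connection, holds it for a moment, sends a fake banner, records the source and the first bytes it receives, and never interprets or executes any of that input.

```python
import socket
import threading
import time
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ConnectionRecord:
    src_ip: str
    src_port: int
    dst_port: int
    first_bytes: bytes   # at most 64 bytes of what the client sent, for later inspection
    timestamp: float


class TarpitHoneypot:
    """Accept, delay, record. Port 0 lets the OS pick a free port (handy for tests)."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0,
                 delay: float = 0.1, banner: bytes = b"220 service ready\r\n"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.delay = delay
        self.banner = banner
        self.records: List[ConnectionRecord] = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._handlers: List[threading.Thread] = []
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> None:
        self._thread.start()

    def stop(self) -> None:
        """Stop accepting and wait for in-flight handlers so records are complete."""
        self._stop.set()
        self._thread.join()
        for h in self._handlers:
            h.join(timeout=5)
        self.sock.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (ip, port) = self.sock.accept()
            except socket.timeout:
                continue
            h = threading.Thread(target=self._handle, args=(conn, ip, port), daemon=True)
            self._handlers.append(h)
            h.start()

    def _handle(self, conn: socket.socket, ip: str, port: int) -> None:
        with conn:
            conn.settimeout(2.0)
            time.sleep(self.delay)           # tarpit: every probe costs the client wall time
            try:
                conn.sendall(self.banner)    # look like a service, reveal nothing real
                data = conn.recv(512)        # observe only; the bytes are stored, never run
            except (socket.timeout, OSError):
                data = b""
            rec = ConnectionRecord(ip, port, self.port, data[:64], time.time())
            with self._lock:
                self.records.append(rec)

    def snapshot(self) -> List[ConnectionRecord]:
        with self._lock:
            return list(self.records)


def count_by_source(records: List[ConnectionRecord]) -> Dict[str, int]:
    """How many times each source address hit the honeypot."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.src_ip] = counts.get(r.src_ip, 0) + 1
    return counts


def probe(port: int, payload: bytes, host: str = "127.0.0.1") -> bytes:
    """Constructed client used to exercise the honeypot locally; returns the banner it got."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(64)


if __name__ == "__main__":
    hp = TarpitHoneypot(delay=0.1)
    hp.start()
    for payload in (b"GET / HTTP/1.0\r\n\r\n", b"EHLO probe\r\n"):
        print("banner:", probe(hp.port, payload))
    hp.stop()
    for r in hp.snapshot():
        print(f"{r.src_ip}:{r.src_port} -> :{r.dst_port}  {r.first_bytes!r}")
    print(count_by_source(hp.snapshot()))
```

The design point relative to the thread's "is it legal" worry is that the honeypot does nothing until a client initiates the connection, and even then it only listens and records; the sleep before the banner is what turns observation into a cheap tarpit.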
And oh, "they" use JPEG for the graph! Look at it -- it's horrible!
Okay, you DON'T download and run executables from people who can't even pick the right image format for an image like that one (hint: it's PNG). What are the odds of these people knowing anything about researching worms if they can't even get a fscking image right? Close to zero.
I honestly don't understand how come so many have a problem with this. Just look at that "JPEG patents"-story. Scary. I thought this was a place for nerds?
Here's a heuristic for those of you still confused: "If it's lines, blocks, text (that you want readable) and areas of repetitive pattern(s), then use PNG. Else try JPEG (photographs, noisy images)."
Belief is the currency of delusion.
As explained by Roger, the author of WR, WormRadar calls home using SMTP and UDP for real-time, so that the data-sharing between all the nodes can exist.
This data-sharing/graphing of Internet attacks graphs.. etc.. comes as a second to the actual use for the program - a good and decent honey pot.
The program doesn't hide the fact that it "calls home" and it is all explained in another comment.
I thought the idea of open source was to work together and help out? Not double up and compete when there is no real need to?
Email the author and offer your help, he is a great guy and I am sure he will take any help he can get.
I trust him, the question is if he can trust everyone who offers to help with a project such as this? Ask him and you'll find out.
Constructive vs....