Slashdot Mirror


WormRadar Node Volunteers Help Graph Attacks

zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."

14 of 159 comments

  1. so go by jacquesm · · Score: 4, Interesting

    and sign up! These people are doing good things.

    distributed attacks against hackers doing distributed attacks :)

  2. IINAL by z0ink · · Score: 3, Interesting

    I thought honeypotting is being considered as not-so-legal. Hopefully this could be something positive in the case for using honeypots effectively.

    --
    Steal This Sig
    1. Re:IINAL by Anonymous Coward · · Score: 5, Interesting

      I thought honeypotting is being considered as not-so-legal.

      Why would you say that? It certainly isn't entrapment. If you leave your house windows open, it doesn't give thieves permission to steal.

      And a burglar can't complain that you have video cameras all over the house recording them while you call the cops.

      In Texas & many other states, you could blow them away with a shotgun and get cheers in the local paper.

    2. Re:IINAL by chadjg · · Score: 4, Interesting

      Think unlawful interception of communications, not entrapment. I know, it's stupid, but that's the legal theory. IANAL and all that...

      --
      Why do I have this? I don't smoke.
  3. Graph shows u137unk exploit by Dark+Lord+Seth · · Score: 5, Interesting

    And, as it says in the article, u137unk is aimed at port 137 using UDP. NetBIOS request en masse. Over the internet? Why does this not make sense? Maybe all those exploits are Messenger spams? However, iirc, Messenger spam uses a different port and TCP. So if this is not Messenger spam... Then what?

  4. So I need to run it without a firewall? by Anonymous Coward · · Score: 1, Interesting

    Oh, joy. That sounds like a swell idea. I'd rather have something that works with my firewall to report the hits.

  5. Re:Infect, Effect and Affect by value_added · · Score: 3, Interesting

    "worms only effect windows machines"

    "Infect" refers to passing along a nasty.
    "Effect" means "make happen" or "bring about" as in "Make it so."
    "Affect" can be understood in terms of a combination of the above.

    I think you meant to say "worms only affect windows machines".

    Affectionately speaking, of course.

  6. Re:Other platforms by dicepackage · · Score: 2, Interesting

    If the site gets Slashdotted then there are in fact a lot of people on Slashdot using Windows. Of course the Linux people could always try running the program in WINE.

  7. What WR connects out to.. SMTP and UDP, explained by Gadi+Evron · · Score: 4, Interesting

    As Roger wrote on NTBUGTRAQ:

    If you allow it, WormRadar will synchronize your pc to network time, and all events are recorded to the millisecond UTC. Events are reported by both email and UDP... email because it makes it convenient to attach a capture if it is something new, and UDP because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the website, and is refreshed every 15 minutes on the WorldView tab within WormRadar itself. The WorldView tab also has notification options which allow you to be alerted by a variety of means if something new appears, such as email to a pager or by playing a wav file. In the fullness of time, I'll add more views and graphs. The summary graph is interpreted like this...

  8. Recruit these guys for a good data sample by G4from128k · · Score: 4, Interesting

    Back when we discussed the Witty worm the article & discussion noted that UCSD Network Telescope mentioned here has 1/256 of the entire IPv4 address space. They seem well suited to track anomalous behavior.

    --
    Two wrongs don't make a right, but three lefts do.
  9. Re:Other platforms by bruthasj · · Score: 3, Interesting

    It didn't work in WINE (CodeWeavers Wine):

    0x65f00000-65fc0800 (PE) C:\WINDOWS\SYSTEM\OLE32.DLL
    0x70bd0000-70c34600 (PE) C:\WINDOWS\SYSTEM\SHLWAPI.DLL
    0x78000000-78040000 (PE) C:\WINDOWS\SYSTEM\MSVCRT.DLL
    Threads:
    process tid prio
    0000000a (D) Y:\updates\WormRadar.exe
    0000000b 0 <==
    WineDbg terminated on pid a

  10. Re:Other platforms by schwaang · · Score: 2, Interesting

    How are you going to monitor worms that propagate using windows with a linux box?

    The perl script I used to monitor incoming Code Red attacks on port 80 runs just as well on linux as windows. A scanner evaluating the idiosyncrasies of the TCP/IP stack would not have been fooled, but the real worm certainly was.
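
    The port-80 monitoring the comment above describes needs nothing Windows-specific: the Code Red worms announce themselves in the HTTP request line, so the same check works on any platform. The following is an added example (not the commenter's perl script, and not part of the WormRadar project); the log records and the shortened worm request lines in it are constructed for illustration.

```python
import re
from collections import Counter

# Request-line shape of the Code Red worms' IIS probe: a GET for /default.ida
# with a long run of filler ('N' for Code Red I, 'X' for Code Red II) followed
# by %u-encoded payload bytes. Matching it needs no OS-specific behaviour,
# which is why a listener on Linux records the same hits as one on Windows.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?(N{100,}|X{100,})%u[0-9a-fA-F]{4}")


def classify_request(request_line):
    """Return 'code-red-I', 'code-red-II' or None for one HTTP request line."""
    m = CODE_RED_RE.match(request_line)
    if not m:
        return None
    return "code-red-II" if m.group(1).startswith("X") else "code-red-I"


def summarize(log_records):
    """Count Code Red hits per (source address, variant).

    Each record is 'src_ip<TAB>request-line', the format assumed for this
    example's constructed listener log.
    """
    hits = Counter()
    for rec in log_records:
        src, _, request = rec.partition("\t")
        kind = classify_request(request)
        if kind:
            hits[(src, kind)] += 1
    return hits


# Constructed sample records; filler runs are shortened and the trailing
# payload is truncated, so these are not complete captures of the worm.
SAMPLE_LOG = [
    "192.0.2.10\tGET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "192.0.2.10\tGET /default.ida?" + "N" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "198.51.100.7\tGET /default.ida?" + "X" * 224 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0",
    "203.0.113.5\tGET /index.html HTTP/1.1",
    "203.0.113.5\tGET /default.ida HTTP/1.0",  # bare request, no payload: not the worm
]

if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:16} {kind:12} {n}")
```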
  11. Re:Other platforms by minas-beede · · Score: 3, Interesting

    "You can't get a linux box to respond in the same way as a windows box without seriously getting into the kernel though."

    It's a blasted worm. Only if very sophisticated would a worm look for an authentic Windows environment. Why would they bother?

    I'm far more familiar with honey pot definition 2 - and I know how incredibly stupid spammers have long been when it comes to open relay honeypots. They are doing bulk abuse, not pinpoint abuse. Whatever the details they are looking for a vulnerability - and then exploit that vulnerability when they find it. They look for hundreds or thousands of vulnerable systems. They do that "quick and dirty" - that's all they've had to do (almost no complex countermeasures are employed against them.) That has worked for them. Why should they make it more complicated?

    It's not guaranteed that the worms are so primitive that they don't verify that a system is a Windows system - but it's not guaranteed the worms do. Wouldn't it be better to set up the Linux systems and see if they succeed or are discovered as fakes? That has some chance of success. Arm's-length philosophical discussions won't stop any abuse.

    My experience with open relay honeypots suggests that all the spammers do to check for those is attempt to relay. I can see reason for the abusers to be more careful and more clever - but rather than assume they are the better idea is to force them into being more careful and more clever. Burn up more of their time, confuse them about the rest of the internet (the part they abuse, as opposed to their own part.) There are many goals in fighting abuse - don't fixate on just one. If the abusers can be made thoroughly confused about the rest of the internet (i.e., can't tell what is and what isn't vulnerable to abuse) then they pretty much have to give up. That will never happen if all that is done is engage in discussions.

    OK, do fixate - it's your time - who am I to tell you what to do? But give some thought to how much better it is to make a broader attack, if you will, please.

    P.S. Open relay honeypots still work today, April 23, 2004. Open proxy honeypots may be even more powerful.

  12. Port 2000 by toupsie · · Score: 2, Interesting

    I have my Linksys cable/dsl router pointing the DMZ to an old notebook running redhat 8 and portsentry. One thing I have noticed is that a majority of the hits I record are for port 2000. These are coming from all over the world and I have no clue what is hitting it. Does anyone know what would be probing port 2000? I was disappointed that it didn't show up on the graph at the WormRadar site. I figured if I was being probed for the port it would be universal.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.