Slashdot Mirror


WormRadar Node Volunteers Help Graph Attacks

zoombat writes "NTBugtraq has a post looking for volunteers to run WormRadar nodes. The nodes are essentially honeypots that watch for suspicious activity. Its purpose is to both measure the frequency of known, current worms and to alert us all when something new becomes active. A graph (updated every 30 minutes) shows what was detected. Currently it looks like only a Windows client is available, though."

26 of 159 comments

  1. Other platforms by BWJones · · Score: 5, Insightful

    Currently it looks like only a Windows client is available, though."

    Might it make more sense to have the client available on platforms which are not necessarily vulnerable to most of these infections? After all, many of the systems which are connected to the Internet full time (servers/workstations etc...) are not Windows machines.

    --
    Visit Jonesblog and say hello.
    1. Re:Other platforms by Raunch · · Score: 5, Insightful

      From The Jargon File

      honey pot: n.
      1. A box designed to attract crackers so that they can be observed in action. It is usually well isolated from the rest of the network, but has extensive logging (usually network layer, on a different machine). Different from an iron box in that its purpose is to attract, not merely observe. Sometimes, it is also a defensive network security tactic -- you set up an easy-to-crack box so that your real servers don't get messed with. The concept was presented in Cheswick & Bellovin's book Firewalls and Internet Security.
      2. A mail server that acts as an open relay when a single message is attempted to send through it, but discards or diverts for examination messages that are detected to be part of a spam run.

      With emphasis on the attract part. How are you going to monitor worms that propagate using windows with a linux box? You may be able to say, for instance, how many times a certain port was probed. You can't get a linux box to respond in the same way as a windows box without seriously getting into the kernel though.

      --
      George II -- Spreading Freedom and American values, one bomb at a time.
    2. Re:Other platforms by 0racle · · Score: 4, Insightful

      Better tell the people at honeyd. They seem to think you can emulate the TCP/IP stack of other OS's, and use scripts to fool the app or person on the other end to run an entire honeynet composed of several different "OS's" on one system. On top of that, you do not need a vulnerable system, nor allow your box to become compromised in order to attract a worm that will attempt to propagate. If you wanna see how it tries to locally, you analyze the actual code, if you want to see how it affects the network, or detect that something odd is occurring, that's what the honeypot is for.

      --
      "I use a Mac because I'm just better than you are."
  2. so go by jacquesm · · Score: 4, Interesting

    and sign up ! these people are doing good things.

    distributed attacks against hackers doing distributed attacks :)

  3. Obvious joke by Chris_Jefferson · · Score: 4, Insightful

    Let me be the first to get the obvious joke out of the way.

    Why is there only a windows client? Because all the worms only affect windows machines, what would be the point of a client on anything else? :)

    Although of course, the more serious answer is "A client on something other than windows would be sensible, because if a new worm comes out and hits a 0-day windows hole then your machine could be infected and dead before it gets the chance to report that it is being attacked. (Just why is it that all these worms people write nowadays just seem so.. nice? I remember the days when 90% of viruses would at the very least format your hard disc.. now they just sit there. It's almost a shame, because one good formatting worm might finally make people take them more seriously.. it's only a matter of time)

    --
    Combination - fun iPhone puzzling
  4. Open Source or Trojan Horse? by Comatose51 · · Score: 4, Insightful

    Is this thing open source? It doesn't seem like it. For all we know we could be downloading the world's next biggest trojan horse/worm. Considering the only people who would download this would be techies with big pipes, this could get interesting. Just a theory and a reminder to the author that people usually feel safer downloading something they can examine.

    --
    EvilCON - Made Famous by /.
    1. Re:Open Source or Trojan Horse? by jacquesm · · Score: 4, Informative

      Looks genuine enough though, unless this is false information:

      Roger Thompson
      Roger Thompson
      1650 Emerald Ridge
      Marietta, GA 30062
      US
      Phone: 6785608027
      Fax..: 6785609109
      Email: rogert@mindspring.com

      If not that would be the first time that a trojan writer puts his real world address out for all to see.

      In the windows world people don't even expect to be able to see the source code.

  5. Lol. Understatement. by SatanicPuppy · · Score: 5, Funny

    Why would you need a worm activity detecting program on a Windows box? If there's a lot of worm activity that is close enough that the windows box could monitor it, you'll know.

    It's like the canary in the mineshaft...Works fine for detecting hazards, but a little rough on the bird.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
    1. Re:Lol. Understatement. by laugau · · Score: 5, Funny

      The REASON there is only a windows client is because the windows client does this:

      while (not_infected) {
          send ("Woo Hoo! I'm alive still") ;
      }

      And the server does this:

      listen (client_port) {
          while (get_alive_messages) {
              writeGraph (noWorm);
          }
          ohShit(clientMachineGotWorm);
      }

      Not a very good solution if the clients never die now, is it?

  6. "Download WormRadar.exe now" by eddy · · Score: 4, Funny

    Yeah, that's going to happen.

    Someone run it through IDA? :-P

    --
    Belief is the currency of delusion.
  7. Seems like a good idea implemented poorly by Anonymous Coward · · Score: 5, Informative

    The website is scarce on details, but from the looks of it, it would appear to not be very sophisticated. It detects very few actual worms and exploits, and would seem to be just like http://isc.incidents.org/ (Internet Storm Centre), except without nearly so much data.

    Leusent _AT_ Link-net.org

  8. Worm Watching Clients for Windows Only? by PetoskeyGuy · · Score: 4, Funny

    Pass, Too Easy.

  9. Graph shows u137unk exploit by Dark+Lord+Seth · · Score: 5, Interesting

    And, as it says in the article, u137unk is aimed at port 137 using UDP. NetBIOS requests en masse. Over the internet? Why does this not make sense? Maybe all those exploits are Messenger spams? However, iirc, Messenger spam uses a different port and TCP. So if this is not Messenger spam... Then what?

  10. A little creepy ... calling home? by digitalgimpus · · Score: 5, Informative

    Each time I launched the app, norton fires up because an email is being sent.

    no mention of what anywhere.

    Sorry, perhaps I'm paranoid... but that's not very cool with me.

    1. Re:A little creepy ... calling home? by Ancient+Devices+King · · Score: 4, Informative

      They say explicitly that it communicates with them via email and UDP.

      "Events are reported by both email and udp... email because it makes it convenient to attach a capture if it is something new, and udp because while unreliable, it is fast."

      Exactly how do you expect it to function if it doesn't talk to the people who are using it to track things?

      --
      -"It seems like you're trying to exploit a security hole. Would you like help?"
  11. What a headline by alefbet · · Score: 4, Funny

    Wow, I think this is a serious contender for hardest headline ever to parse.

    WormRadar Node Volunteers Help Graph Attacks

    Did a node spontaneously provide some "help graph" attacks? Did node volunteers assist in attacking a graph or several graphs? Did the help given by volunteers end up graphing an attack? Or did it perform a little known "graph attack" on something?

    --
    A hack is just an idiom waiting for wider use.
  12. You can always use VMware or Virtual Machine by Anonymous Coward · · Score: 4, Informative

    Works great, and the author promised to try and port the software to Linux, although he said it may take some time as he is very busy with his real job, as well as working on developing WR and solving all the small bugs.

    The program is under constant development, surprising us with new features. The author is also very quick on responding to bug reports.

    WR allows for emulation of IIS, sub7 and other useful applications/Trojan horses, as well as specifying your own ports to listen on.

    It's a great program and a project worth supporting.

    Important note: the .CAP (capture) files are encrypted using a simple XOR, the .UNX files are the actual captures.

    There is some way yet to go until this program hits 'legacy', but as I said it is under constant development, really useful .. and it *is* free.

  13. What's Truly Sad... by ashitaka · · Score: 4, Insightful

    Is the number of SQL-Slammer-infected systems still out there:

    Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 152.66.211.244:3280 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 210.13.22.79:1171 -> x.x.x.x:1434
    References: none found SID: 2003

    Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4380 -> x.x.x.x:3128
    References: none found SID: 618

    Date: 04/23 02:32:54 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:32:57 Name: SCAN SOCKS Proxy attempt
    Priority: 2 Type: Attempted Information Leak
    IP info: 69.158.81.79:4514 -> x.x.x.x:1080
    References: none found SID: 615

    Date: 04/23 02:59:50 Name: ICMP PING CyberKit 2.2 Windows
    Priority: 3 Type: Misc activity
    IP info: 216.18.121.12:n/a -> x.x.x.x:n/a
    References: none found SID: 483

    Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
    Priority: 2 Type: Misc Attack
    IP info: 67.163.239.113:1209 -> x.x.x.x:1434
    References: none found SID: 2003

    --
    If you don't want to repeat the past, stop living in it.
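
The records in the post above are Snort-style alerts: SID 2003 is the MS-SQL worm propagation rule (the UDP/1434 traffic Slammer generates), SIDs 618 and 615 are proxy scans, SID 483 a CyberKit ping. As an added example, not part of the post or of any tool it names, here is a small Python parser for that four-line layout that counts hits per signature and lists the distinct source addresses that triggered SID 2003, which is the list of hosts still propagating the worm. The records embedded in it are constructed and use RFC 5737 documentation addresses rather than the addresses quoted in the post.

```python
import re
from collections import Counter

# Constructed alert records in the same four-line layout as the log in the post.
# The source addresses are RFC 5737 documentation ranges, not the posted ones.
SAMPLE_ALERTS = """\
Date: 04/23 01:24:30 Name: ICMP PING CyberKit 2.2 Windows
Priority: 3 Type: Misc activity
IP info: 203.0.113.1:n/a -> x.x.x.x:n/a
References: none found SID: 483

Date: 04/23 02:10:26 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 198.51.100.20:3280 -> x.x.x.x:1434
References: none found SID: 2003

Date: 04/23 02:10:59 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 203.0.113.5:1171 -> x.x.x.x:1434
References: none found SID: 2003

Date: 04/23 02:32:46 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 203.0.113.9:4380 -> x.x.x.x:3128
References: none found SID: 618

Date: 04/23 02:32:49 Name: SCAN Squid Proxy attempt
Priority: 2 Type: Attempted Information Leak
IP info: 203.0.113.9:4380 -> x.x.x.x:3128
References: none found SID: 618

Date: 04/23 03:22:04 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 198.51.100.20:1209 -> x.x.x.x:1434
References: none found SID: 2003
"""

# One record = four lines; ports may be a number or "n/a" (ICMP has no ports),
# and the destination is masked as x.x.x.x in the post, so allow letters there.
RECORD_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+)\n"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\S+) -> (?P<dst>[\w.]+):(?P<dport>\S+)\n"
    r"References: (?P<refs>.+?) SID: (?P<sid>\d+)"
)


def parse_alerts(text):
    """Split the text on blank lines and parse each record into a dict."""
    alerts = []
    for block in text.strip().split("\n\n"):
        m = RECORD_RE.match(block.strip())
        if not m:
            raise ValueError(f"unparseable record: {block!r}")
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["prio"] = int(rec["prio"])
        alerts.append(rec)
    return alerts


def count_by_signature(alerts):
    """Hits per (SID, rule name): the shape of the noise a single sensor sees."""
    return Counter((a["sid"], a["name"]) for a in alerts)


def slammer_sources(alerts, sid=2003):
    """Distinct sources that fired the MS-SQL worm rule against UDP/1434, with
    hit counts: every entry is a host that is still infected and scanning."""
    return Counter(a["src"] for a in alerts if a["sid"] == sid and a["dport"] == "1434")


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for (sid, name), n in sorted(count_by_signature(parsed).items()):
        print(f"SID {sid:5}  {n:3}  {name}")
    print("still-infected SQL hosts:", dict(slammer_sources(parsed)))
```

Because the parser keys on SID rather than on the free-text name, the same two functions work on a full day of sensor output; the one thing worth noting is that the destination field is masked in the post, which is why `dst` is not used for anything.
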
  14. Re:IINAL by Anonymous Coward · · Score: 5, Interesting

    I thought honeypotting is being considered as not-so-legal.

    Why would you say that? It certainly isn't entrapment. If you leave your house windows open, it doesn't give thieves permission to steal.

    And a burglar can't complain that you have video cameras all over the house recording them while you call the cops.

    In Texas & many other states, you could blow them away with a shotgun and get cheers in the local paper.

  15. Excellent! by dj245 · · Score: 4, Funny

    "NTBugtraq has a post looking for volunteers to run WormRadar nodes.

    I volunteer enthusiastically. Wormradar will complement nicely my Gaydar, Chickdar, and of course, flamedar.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  16. For Those of you worried WR might be a Trojan by Gadi+Evron · · Score: 5, Informative

    The author of WR is Roger Thompson, a well respected AV professional since the very first days in the late 80's/early 90's.

    He is also a CARO member, which is a very respectable organization for old-timer AV researchers.

    I know him personally and vouch for him, much like pretty much any other AV researcher in the world. Everybody knows Roger.

  17. Re:IINAL by chadjg · · Score: 4, Interesting

    Think unlawful interception of communications, not entrapment. I know, it's stupid, but that's the legal theory. IANAL and all that...

    --
    Why do I have this? I don't smoke.
  18. everything is explained in the NTBUGTRAQ post, by Gadi+Evron · · Score: 5, Informative

    Hi Russ,

    I am looking for some more folks who would be interested in running
    WormRadar. ( http://wormradar.com). The web site is still rudimentary, but
    the graph is generated every 30 minutes, and is interesting to watch, and
    WormRadar.exe is available for download from there.

    It is essentially a distributed Windows honeypot that listens on known
    wormy ports (or ports that are likely to become wormy), and crcs, or scans,
    anything that comes along. Its purpose is to both measure the frequency of
    known, current worms and to alert us all when something new becomes active.
    It is free provided you allow it to report to the central site.

    If you allow it, WormRadar will synchronize your pc to network time, and
    all events are recorded to the millisecond utc. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WorldRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

    (1) Green bars are recognized things
    (2) Red bars are new (and should be watched)
    (3) If I didn't get any data, I generate a name based on whether it was tcp
    or udp, plus the port number, plus '0 bytes'. E.g. "t17300 0 bytes" means it
    was TCP port 17300 and was 0 bytes long.
    (4) If I got some data, but couldn't recognize it, I generate a similar
    filename, but the suffix is 'unk', for unknown.
    (5) I call it a 'summary', because if a single sourceip hits a single
    targetip 200 times on the same port (such as a sql dictionary attack on
    1433), it is really only one incident, and that is how I summarize it.

    It emulates some common servers, such as web and ftp, and some common
    backdoors, such as sub7 and kuang, and there are a bunch of tcp and udp
    ports that can be set to whatever you like.

    To install it, simply make a directory, copy it in, run it, configure it a
    bit if you want, and tell it to listen. You can set it to cc yourself, and
    you will receive a copy of the email sent to wormradar.com. The UDP
    messages are content-identical to the email, although without email-y
    things like headers, and I don't UDP the attachment if there is one.

    It runs on about any Windows platform but runs best on Win ME, W2k or
    WinXP. Win ME is a good platform, because there are fewer services to turn
    off to allow WormRadar to listen on those ports. It runs nicely behind
    firewalls like ZoneAlarm, and runs nicely in Virtual PC or VMWare. It
    doesn't need much hardware... 200 or 300 mhz is fine. In the unlikely event
    that you want to install it on more than one computer, please don't install
    them on side by side IP addresses... this just skews the data. What we
    really want is a nice, random, widespread distribution.

    Thanks

    Roger
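
Roger's naming and summary rules (1) to (5) above, together with the "u137unk" name that puzzled comment 9 (rule 4: UDP, port 137, data received but not recognized), as an added Python example. This is not WormRadar's own code: the "recognized" table is a constructed CRC32 lookup standing in for the tool's unpublished signature set, and the traffic, addresses (RFC 5737 ranges) and payload bytes are all constructed.

```python
import zlib
from collections import Counter

# Constructed "recognized" table: CRC32 of a captured payload -> display name.
# WormRadar's real signature set is not published; this single entry is invented.
KNOWN_PAYLOADS = {
    zlib.crc32(b"GET /probe HTTP/1.0\r\n\r\n"): "known-http-probe",
}


def event_name(proto, port, payload, known=KNOWN_PAYLOADS):
    """Rules (1), (3) and (4): return (name, recognized).

    recognized=True  -> a green bar (payload CRC found in the table)
    recognized=False -> a red bar, named '<t|u><port> 0 bytes' for a connection
                        that carried no data, or '<t|u><port>unk' for data that
                        was captured but not recognized, e.g. 'u137unk'.
    """
    prefix = {"tcp": "t", "udp": "u"}[proto]
    if not payload:
        return f"{prefix}{port} 0 bytes", False
    crc = zlib.crc32(payload)
    if crc in known:
        return known[crc], True
    return f"{prefix}{port}unk", False


def summarize(events, known=KNOWN_PAYLOADS):
    """Rule (5): one (src, dst, proto, port) tuple is one incident no matter how
    many packets it produced. Returns the incident table and the bar counts."""
    incidents = {}
    for src, dst, proto, port, payload in events:
        key = (src, dst, proto, port)
        if key in incidents:
            incidents[key]["hits"] += 1      # same source, same target, same port
            continue
        name, recognized = event_name(proto, port, payload, known)
        incidents[key] = {"name": name, "recognized": recognized, "hits": 1}
    bars = Counter(
        (inc["name"], "green" if inc["recognized"] else "red")
        for inc in incidents.values()
    )
    return incidents, bars


# Constructed traffic: a 200-hit dictionary attack on TCP/1433 from one host,
# three hosts sending unrecognized UDP/137 datagrams, one empty TCP/17300
# connection, and one payload that is in the recognized table.
SAMPLE_EVENTS = (
    [("203.0.113.7", "192.0.2.10", "tcp", 1433, b"login sa")] * 200
    + [(f"198.51.100.{i}", "192.0.2.10", "udp", 137, b"\x00\x01\x00\x10") for i in (1, 2, 3)]
    + [("203.0.113.9", "192.0.2.10", "tcp", 17300, b"")]
    + [("203.0.113.9", "192.0.2.10", "tcp", 80, b"GET /probe HTTP/1.0\r\n\r\n")]
)


if __name__ == "__main__":
    table, bars = summarize(SAMPLE_EVENTS)
    for (name, colour), count in sorted(bars.items()):
        print(f"{colour:5} {count:3}  {name}")
```

The summary step is what keeps the graph readable: the 200-packet dictionary attack contributes a single "t1433unk" bar, while the three separate hosts probing UDP/137 count as three incidents of "u137unk", which is the kind of many-sources, one-port pattern that suggests a worm rather than one noisy scanner.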

  19. What WR connects out to.. SMTP and UDP, explained by Gadi+Evron · · Score: 4, Interesting

    As Roger wrote on NTBUGTRAQ:

    If you allow it, WormRadar will synchronize your pc to network time, and
    all events are recorded to the millisecond utc. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WorldRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

  20. Recruit these guys for a good data sample by G4from128k · · Score: 4, Interesting

    Back when we discussed the Witty worm the article & discussion noted that UCSD Network Telescope mentioned here has 1/256 of the entire IPv4 address space. They seem well suited to track anomalous behavior.

    --
    Two wrongs don't make a right, but three lefts do.
  21. Re:new open source project idea? by Gadi+Evron · · Score: 4, Insightful

    I thought the idea of open source was to work together and help out? Not double and compete when there is no real need to?

    Email the author and offer your help, he is a great guy and I am sure he will take any help he can get.

    I trust him, the question is if he can trust everyone who offers to help with a project such as this? Ask him and you'll find out.

    Constructive vs....