'Re: [Full-Disclosure] Wanted: Sasser executable and derivatives'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-Disclosure] Wanted: Sasser executable and derivatives
From:       Steve Kudlak <chromazine () sbcglobal ! net>
Date:       2004-06-29 1:38:25
Message-ID: 40E0C811.1090102 () sbcglobal ! net
[Download RAW message or body]

I look at what my antivirus things catch and what sentinare catches on
my formal account. Sentinare is pretty good with all this stuff. I have
not seen Sasser. I have seen Swen and BAGLE and IRCBOT.
The IRCBots stopped when I turnd off sharing on pretty much everything.
I was sharing files between my main Win2k machine and the virtua;
Red Hat Linux I have been working with.

Have Fun,
Sends Steve


James Riden wrote:

>Syke <syke@mantissecurity.net> writes:
>
>
>  
>
>>  Wouldn't it be easier to use honeyd(www.honeyd.org) with an LSASS or
>>mydoom script? That way you can just check the logs for the binaries
>>that were uploaded?
>>    
>>
>
>Yes, because you'll get an awful lot more than Sasser if you put an
>unpatched Win32 machine on the 'net. Even if you just leave off the
>MS04-011 patch, you could get other things, such as Korgo and Agobot
>variants IIRC.
>
>cheers,
> Jamie
>  
>

[Attachment #3 (text/html)]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
  <title></title>
</head>
<body text="#000000" bgcolor="#ffffff">
<br>
I look at what my antivirus things catch and what sentinare catches on<br>
my formal account. Sentinare is pretty good with all this stuff. I have<br>
not seen Sasser. I have seen Swen and BAGLE and IRCBOT.<br>
The IRCBots stopped when I turnd off sharing on pretty much everything.<br>
I was sharing files between my main Win2k machine and the virtua;<br>
Red Hat Linux I have been working with.<br>
<br>
Have Fun,<br>
Sends Steve<br>
<br>
<br>
James Riden wrote:<br>
<blockquote type="cite" cite="mid87zn6o8auw.fsf@it029205.massey.ac.nz">
  <pre wrap="">Syke <a class="moz-txt-link-rfc2396E" \
href="mailto:syke@mantissecurity.net">&lt;syke@mantissecurity.net&gt;</a> writes:


  </pre>
  <blockquote type="cite">
    <pre wrap="">  Wouldn't it be easier to use honeyd(<a class="moz-txt-link-abbreviated" \
href="http://www.honeyd.org">www.honeyd.org</a>) with an LSASS or mydoom script? That way you \
can just check the logs for the binaries that were uploaded?
    </pre>
  </blockquote>
  <pre wrap=""><!---->
Yes, because you'll get an awful lot more than Sasser if you put an
unpatched Win32 machine on the 'net. Even if you just leave off the
MS04-011 patch, you could get other things, such as Korgo and Agobot
variants IIRC.

cheers,
 Jamie
  </pre>
</blockquote>
</body>
</html>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic