Full Disclosure mailing list archives

Re: Wanted: Sasser executable and derivatives


From: James Riden <j.riden () massey ac nz>
Date: Mon, 28 Jun 2004 18:17:43 +1200

Syke <syke () mantissecurity net> writes:


> Wouldn't it be easier to use honeyd(www.honeyd.org) with an LSASS or
> mydoom script? That way you can just check the logs for the binaries
> that were uploaded?

Yes, because you'll get an awful lot more than Sasser if you put an
unpatched Win32 machine on the 'net. Even if you just leave off the
MS04-011 patch, you could get other things, such as Korgo and Agobot
variants IIRC.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
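A minimal capture handler in the spirit of the honeyd suggestion above, added here as an example; it is not code from this thread or from the honeyd project, and the HONEYD_* variable names, paths and addresses are assumptions:

```shell
#!/bin/sh
# Added example (not from the thread or the honeyd project): a passive
# capture handler for TCP/445 run as a honeyd service. honeyd connects the
# handler's stdin/stdout to the TCP stream and exports HONEYD_REMOTE_HOST
# and HONEYD_REMOTE_PORT (assumed names). Matching honeyd.conf lines
# (hypothetical address and path):
#   create windows
#   set windows personality "Microsoft Windows XP Professional SP1"
#   set windows default tcp action reset
#   add windows tcp port 445 "/usr/local/share/honeyd/scripts/capture445.sh"
#   bind 192.168.1.50 windows

MAX_BYTES=5242880   # cap each capture at 5 MiB so a noisy host cannot fill the disk

# SHA-256 of a file, using whichever tool the host has
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# capture_stream DIR REMOTE_HOST REMOTE_PORT
# Reads the TCP stream from stdin into DIR/<utc-time>_<host>_<port>.bin,
# appends "time host:port bytes sha256 path" to DIR/captures.log and prints
# the capture path. Returns non-zero (and keeps no file) if nothing arrived.
capture_stream() {
    dir=$1; rhost=$2; rport=$3
    mkdir -p "$dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dir/${stamp}_${rhost}_${rport}.bin"
    head -c "$MAX_BYTES" > "$out"
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -gt 0 ] || { rm -f "$out"; return 1; }
    printf '%s %s:%s %s %s %s\n' "$stamp" "$rhost" "$rport" "$size" \
        "$(hash_file "$out")" "$out" >> "$dir/captures.log"
    printf '%s\n' "$out"
}

# When launched by honeyd: record the stream and exit. The script never
# writes to the socket, so only the remote side's opening bytes are kept.
if [ -n "$HONEYD_REMOTE_HOST" ]; then
    capture_stream "${CAPTURE_DIR:-/var/log/honeyd/captures}" \
        "$HONEYD_REMOTE_HOST" "${HONEYD_REMOTE_PORT:-0}"
fi
```

A silent sink like this only records what a scanner sends before it expects a reply; recovering the actual worm binary needs a handler that carries on the SMB/LSASS dialogue the way honeyd's emulation scripts do, which is what the suggestion above relies on.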

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

