On Mon, May 17, 2004 at 01:39:39PM +0200, Jens Simmoleit wrote: > > > > > Hi, > > > > Anybody know where I can get some detailed info on the > > characteristics of trojans/viruses that scan for vulnerabilities ? > > Specifically, I'm trying to determine if a pattern of scanned ports I have > > noticed on my machine is characteristic of any particular > > trojan/virus/malicious programme that a user might not be aware > > of on their > > machine (ie, not something they are not consciously running, but which has > > been installed without their knowledge). > > > > My googling so far hasn't turned up that kind of detail. For > > instance, I found a long list of trojans whose purpose in life is to scan > > for windows vulnerabilities. One name I can remember (I did the > > research on > > a different machine than the one from which I write) for example was AGEG > > (AGressive Exploit Groper?Grabber), but I don't know if it was written to > > scan a specific set of vulnerable ports, or if it is configurable. I've > > done a little surfing at the SANS website without coming up with much. > > > > I'm not really too sure where to look for this kind of info, or even > > how likely it is to exist. Like is there any kind of trend for > > these kinds > > of programmes to be configurable or to be preset. I thought maybe there > > would be people with more security experience on this list that > > could share > > some ideas or resources. > > > > http://securityresponse.symantec.com/ - here are the TOP10 and the LATEST 10 > Virus(s?)es > > http://www.symantec.com/search/ - use different search words like ports and > make sure to check the boxes for Virus & Exploit > > http://security.symantec.com/ssc/home.asp?j=1&langid=ie&venid=sym&plfid=22&p > kj=WZMHDTKJBTVISBYWWYP - online virus scan :-) if you might need this > > > I think the best one is this here - > http://securityresponse.symantec.com/avcenter/vinfodb.html > > But those will list more or less ALL virus(s?)es regardless if it's a > trojan, worm or else..... >
Thanks for the response. I realize, though, that I probably wasn't clear enough in my request. I've been to sites like symantec, but they don't have the kind of detail I am looking for. I realize this is off-topic, but I am going to try to clear it up, just in case there is someone on this list who can point me to some other resources, or even suggest the likelihood of discovering what I am after. Scans have been noticed coming from a certain machines on an network segment. These scans have been of ports which are known to be potential vulnerabilities. These aren't general look around scans, but have been targetting very specific ports, eg. 3127, 445, 2745 and 6129, amongst others. I know that scanning programmes such as nmap can be configured to probe certain ports, as above. I suspect that many, if not all the trojans/virii/etc in the wild can be configured in like manner. But I want to leave no stone unturned and am trying to discover if there are any trojans/virii/etc with a scanning pattern that matches what has been noticed in logs. My own research hasn't turned up much yet. Googling terms such as "port scanning trojans" has uncovered lists of such beasts without telling me anything specific about their characteristics. Last night I even tried googling for warez sites, but that kind of makes my skin crawl, especially since many of the sites don't seem to have much useful info. Let me word it this way, suppose I wanted to scan the above ports, and exploit any vulnerabilities found, and I didn't want to do it from my own machine, but rather by infecting someone else's, and I didn't know how to do it myself, where would I look to find a premade programme that would do this for me ? Any thoughts ? gerry -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
