Re: [Full-Disclosure] Re: Re: DoomJuice.A, Mydoom.A source code
- To: full-disclosure@lists.netsys.com
- Subject: Re: [Full-Disclosure] Re: Re: DoomJuice.A, Mydoom.A source code
- From: "Filipe A." <incognito@patria.ath.cx>
- Date: Wed, 11 Feb 2004 04:40:11 +0000 (WET)
On Tue, 10 Feb 2004, Riad S. Wahby wrote:
> > As for the code, have you tried catching the bug with a honeypot? I
> > heard of people using netcat listening on port 3127 to catch the bug...
>
> To be honest, I didn't expect this to work, but before I left my
> office last night I decided I may as well try it. To my great
> surprise, I came in this morning and found that I had "caught one"
> within minutes of opening the port. Quite im(de?)pressive.
I've done that and after 12 hours I had about 27 files. 8 of them
were unique both in size and content. I've identified the one that drops
the .tbz with source code but that leaves me with another 7 different
files. Question is, how many things are out there piggybacking on
mydoom's backdoor? And now that the source code is public, many more
will emerge in the next few days...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
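
The netcat-style capture on port 3127 and the count of unique files discussed in this thread, as an added example that is not part of either poster's message: a passive Python listener that stores whatever a connecting peer sends under its SHA-256, so duplicates collapse and every source of a file is recorded. The size cap, idle timeout, output layout and function names are assumptions; it sends nothing back and implements no part of the backdoor's protocol.

```python
import hashlib
import os
import socket
import threading

MAX_BYTES = 4 * 1024 * 1024  # assumed cap so one peer cannot fill the disk
IDLE_TIMEOUT = 30            # assumed seconds of silence before giving up

def store_capture(data, peer_ip, outdir, index):
    """Save data under its SHA-256 name; return (digest, is_new)."""
    digest = hashlib.sha256(data).hexdigest()
    is_new = digest not in index
    index.setdefault(digest, []).append((peer_ip, len(data)))
    if is_new:
        try:  # mode 0o400: read-only, never executable; O_EXCL: no overwrite
            fd = os.open(os.path.join(outdir, digest + ".bin"),
                         os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
        except FileExistsError:
            return digest, is_new  # already on disk from an earlier run
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    return digest, is_new

def handle(conn, peer, outdir, index, lock):
    """Read until the peer closes, the cap is reached, or the socket idles."""
    conn.settimeout(IDLE_TIMEOUT)
    buf = bytearray()
    try:
        while len(buf) < MAX_BYTES:
            chunk = conn.recv(min(65536, MAX_BYTES - len(buf)))
            if not chunk:
                break
            buf += chunk
    except OSError:
        pass  # timeout or reset: keep whatever arrived
    finally:
        conn.close()
    if buf:
        with lock:
            store_capture(bytes(buf), peer[0], outdir, index)

def serve(outdir, index, host="0.0.0.0", port=3127):
    """Accept forever, one thread per connection; nothing is sent back."""
    os.makedirs(outdir, exist_ok=True)
    lock = threading.Lock()
    with socket.create_server((host, port)) as srv:
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, daemon=True,
                             args=(conn, peer, outdir, index, lock)).start()
```

Calling `serve("captures", {})` starts the listener; `len(index)` is then the number of distinct payloads and each entry lists the peers and sizes seen for that hash.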