Call for volunteers to run WormRadar nodes

From: Roger Thompson (rog2002_at_BELLSOUTH.NET)
Date: 04/20/04

  • Next message: Jonathan Payne: "McAfee VirusScan installer uses insecure ActiveX controls"
    Date:         Tue, 20 Apr 2004 17:28:00 -0400

    Hi Russ,

    I am looking for some more folks who would be interested in running
    WormRadar. ( The web site is still rudimentary, but
    the graph is generated every 30 minutes, and is interesting to watch, and
    WormRadar.exe is available for download from there.

    It is essentially a distributed Windows honeypot that listens on known
    wormy ports (or ports that are likely to become wormy), and crcs, or scans,
    anything that comes along. Its purpose is to both measure the frequency of
    known, current worms and to alert us all when something new becomes active.
    It is free provided you allow it to report to the central site.

    If you allow it, WormRadar will synchronize your pc to network time, and
    all events are recorded to the millisecond utc. Events are reported by both
    email and udp... email because it makes it convenient to attach a capture
    if it is something new, and udp because while unreliable, it is fast.

    A summarized graph of activity is refreshed every 30 minutes to the
    website, and is refreshed every 15 minutes on the WorldView tab within
    WorldRadar itself. The WorldView tab also has notification options which
    allow you to be alerted by a variety of means if something new appears,
    such as email to a pager or by playing a wav file. In the fullness of time,
    I'll add more views and graphs. The summary graph is interpreted like this...

    (1) Green bars are recognized things
    (2) Red bars are new (and should be watched)
    (3) If I didn't get any data, I generate a name based on whether it was tcp
    or udp, plus the port number, plus '0 bytes'.E.g. "t17300 0 bytes" means it
    was TCP port 17300 and was 0 bytes long.
    (4) If I got some data, but couldn't recognize it, I generate a similar
    filename, but the suffix is 'unk', for unknown.
    (5) I call it a 'summary', because if a single sourceip hits a single
    targetip 200 times on the same port (such as a sql dictionary attack on
    1433), it is really only one incident, and that is how I summarize it.

    It emulates some common servers, such as web and ftp, and some common
    backdoors, such as sub7 and kuang, and there are a bunch of tcp and udp
    ports that can be set to whatever you like.

    To install it, simply make a directory, copy it in, run it, configure it a
    bit if you want, and tell it to listen. You can set it to cc yourself, and
    you will receive a copy of the email sent to The UDP
    messages are content-identical to the email, although without email-y
    things like headers, and I don't UDP the attachment if there is one.

    It runs on about any Windows platform but runs best on Win ME, W2k or
    WinXP. Win ME is a good platform, because there are fewer services to turn
    off to allow WormRadar to listen on those ports. It runs nicely behind
    firewalls like ZoneAlarm, and runs nicely in Virtual PC or VMWare. It
    doesn't need much hardware... 200 or 300 mhz is fine. In the unlikely event
    that you want to install it on more than one computer, please don't install
    them on side by side IP addresses... this just skews the data. What we
    really want is a nice, random, widespread distribution.



    Earn up to 10 credit course hours toward the TruSecure ICSA Practitioner (TICSA) Credential and receive a TICSA exam coupon by attending the Infosecurity Canada 2004 conference. Featured speaker, Marcus J. Ranum, TruSecure inventor of the proxy firewall will present on June 3 at 11:30 AM. Visit <> for certification details and <> for conference information. Become TICSA certified and see what happens!

  • Next message: Jonathan Payne: "McAfee VirusScan installer uses insecure ActiveX controls"