In the past few years, a number of serious flaws in Windows have been exposed, from MS03-026 [ref 1], the flaw that Blaster [ref 2] used to spread in 2003, right up to the recent Mocbot/Wargbot worm [ref 3], which exploited MS06-040 [ref 4] from August 2006. The number of distinct pieces of malware exploiting these flaws has rapidly increased over the same period. There are several variants of most worms, and many more than that of most of the bot families, such as Agobot, Phatbot, Sdbot, and so on. As is now well known, bots are collections of compromised "zombie" computers used together in a botnet network for nefarious purposes. In the paper, detection rates for newly captured malware range between 73% and 84% across four different antivirus engines. Clearly, relying on antivirus software is not going to work for everyone, all the time. In this paper we describe how a particular low-interaction honeypot, Nepenthes [ref 6], can be used to quickly alert an administrator to a network compromise. It captures malware and can assist in containing and removing the infection.

Some of the most damaging worms of recent years have been based on flaws in Windows services. For example, Blaster, Sasser, Welchia and Slammer have all caused large amounts of downtime and lost productivity to businesses around the world. Hopefully, the reader's Intrusion Detection System (IDS) vendor has signatures for known worms such as these, and also has portscan detection to help discover new worms. In the case of Blaster, each infected host would send out around 10 packets every second to port 135/tcp, which was enough to trigger a Snort [ref 7] alert that discovered the problem even before the Blaster signature was created.
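The rate-based detection described above, as an added example (not Nepenthes or Snort code): a small detector run over a constructed connection log that flags any source hitting many distinct hosts on 135/tcp within a one-second window, which is the traffic pattern a Blaster-style sweep produces. The log format, the threshold of 8 targets per second and the sample addresses are all assumptions chosen for the illustration.

```python
"""Sliding-window sweep detector over a constructed connection log.

Each line is one SYN: "<epoch seconds> <src_ip> <dst_ip> <dst_port>".
Added example; the format, hosts and threshold are assumptions, not
values from the article or from Nepenthes/Snort.
"""
from collections import defaultdict

# Constructed sample: 10.0.0.5 sweeps 135/tcp at ~10 new hosts per second
# (Blaster-like); 10.0.0.7 makes a few legitimate connections to one server.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i * 0.1:.1f} 10.0.0.5 192.168.1.{i + 1} 135" for i in range(25)]
    + ["1000.5 10.0.0.7 192.168.1.50 135",
       "1001.2 10.0.0.7 192.168.1.50 135",
       "1002.0 10.0.0.7 192.168.1.50 445"]
)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dst_port)."""
    ts, src, dst, port = line.split()
    return float(ts), src, dst, int(port)


def detect_sweeps(log_text, port=135, window=1.0, min_targets=8):
    """Return {src: peak distinct targets seen within any `window` seconds}
    for sources that reached at least `min_targets` distinct hosts on `port`.
    A single legitimate client talking repeatedly to one server never
    raises the distinct-target count, so it does not alert."""
    events = defaultdict(list)  # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        ts, src, dst, dport = parse_line(line)
        if dport == port:
            events[src].append((ts, dst))
    alerts = {}
    for src, recs in events.items():
        recs.sort()
        peak, left = 0, 0
        for right in range(len(recs)):
            # Slide the left edge until the window spans at most `window` s.
            while recs[right][0] - recs[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in recs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    print(detect_sweeps(SAMPLE_LOG))  # {'10.0.0.5': 11}
```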

The link for this article located at SecurityFocus.com is no longer available.