analysis (more worms wanted :) )

[Stephanie Wehner <_ () r4k net>]

Hi,

First of all, thanks to everyone who provided me with worms as a
response to my last email.

So far I have analyzed the executables (or scripts) of worms, where
my aim was to determine the familiy of an unknown worm. (different 
versions of the same worm form a family) This worked quite well, for
example for Sasser D as input, it was easy to tell that it belongs to
the Sasser family. 

You can view some pictures at http://www.cwi.nl/~wehner/worms, where
you can also find more information about the approach I used.
Note that this is *work in progress*. I'm looking for more worms
to analyze. Unfortunately I don't have any lab setup/multiple machines/ips
to collect them easily. (This is a fun project, my main area of research
lies elsewhere.)

I have also looked at network traffic, which works quite well for general
traffic. I will post more about this on my webpage in the near future. 
However, I am now especially looking for traffic generated by worms. :)

Thanks,
Stephanie

--<> _ () r4k net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because
there is no air to get in the way.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html