Security Incidents mailing list archives
Re: Which worm is it?
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 25 Sep 2000 01:26:22 -0700
On Fri, 22 Sep 2000, Joe McAlerney wrote:
> Has anyone nailed this one down? Fortunately we are not infected by the worm, but unfortunately that makes it harder to analyze.
You always have the option of letting in a copy if you want to play honeypot. Of course, this makes me think of how I might go about making such a honeypot without actually getting a machine nailed... I think you could throw up a *nix box running Samba in a chroot jail with a copy of a Windows C drive on it. That way, the worm comes along, and sees what it thinks is a world-writable C drive, and does its business. However, the file wouldn't get out of the jail (and the *nix box isn't going to interpret the VBScript or run a Windows .exe anyway.)

Ryan
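
An added example, not part of the original message: one way to see what was written to the decoy C drive described above is to hash every file in the share before exposing it and compare afterwards, reading bytes only and never executing anything. The function names and the sample file names are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                # Record the link target instead of following it out of the decoy tree.
                digests[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:  # read bytes only, never execute
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def diff(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def demo():
    """Constructed sample: a tiny fake C drive, then simulated remote writes."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "WINDOWS"))
        with open(os.path.join(root, "AUTOEXEC.BAT"), "w") as fh:
            fh.write("@echo off\n")
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "w") as fh:
            fh.write("[windows]\n")
        baseline = snapshot(root)  # taken before the share is exposed
        # Simulated writes (placeholder contents): one new file, one edited file.
        with open(os.path.join(root, "WINDOWS", "dropped.sample"), "w") as fh:
            fh.write("placeholder\n")
        with open(os.path.join(root, "WINDOWS", "WIN.INI"), "a") as fh:
            fh.write("; line appended after baseline\n")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Run against the real share path, the added and modified lists point at the files to copy off for analysis, and the digests give a stable identifier for each captured sample.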