Solved

Blaster Honeypot

Posted on 2004-08-25
9
333 Views
Last Modified: 2013-12-04
Hi Guys

Does anyone know of a program similar to NetBususter but for Blaster?

I want a program to listen on the port that blaster communicates with and alert me when an infected machine tries to connect, along with the IP address of the machine?

Many thanks
0
Comment
Question by:stewatts
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +1
9 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11894077
This can be done with a cisco firewall, IDS system, or even McAfee Anti-Virus... what type of notification do you want? Email, NetSend message, text page to your phone...
-rich
0
 

Author Comment

by:stewatts
ID: 11894129
Hi Rich

I don't have access to any of these products. Do you know of anything that I can download similar to netbuster for netbus?

Thanks for your help
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11895674
download zonealarm from zonelabs.. They have a free version and that should alert you when that port has activity (if you set the firewall rule up correctly)...
0
Increase Agility with Enabled Toolchains

Connect your existing build, deployment, management, monitoring, and collaboration platforms. From Puppet to Chef, HipChat to Slack, ServiceNow to JIRA, Splunk to New Relic and beyond, hand off data between systems to engage the right people.

Connect with xMatters.

 

Author Comment

by:stewatts
ID: 11900141
I may have to resort to this but I am on a corporate network so this isn't ideal.

Ideally what I need is a standalone program that I can just have sat listening to traffic and alerting me to Blaster traffic.

Thanks guys
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 125 total points
ID: 11902273
Snort IDS, free, works on m$ and linux, listens for anything that you define in the rules... but requires effort to setup- so it's not as easy as netbuster... but 10000 times more robust, and can listen for any number of viri... I'm sorry, I can't get enough of this product- and it's also loved the whole world over
www.snort.org
-rich
0
 
LVL 8

Expert Comment

by:RevelationCS
ID: 11902789
do you have a firewall on your corporate network itself? if so, just block the ports that blaster uses to communicate.... This should prevent the virus from getting into your network anyhow. Also, your IT department needs to make sure they have the latest security patches by MS... if you do these, you shouldn't have to worry about the existing versions of Blaster (or variants) out there...
0
 

Author Comment

by:stewatts
ID: 11902919
That's the problem. I AM the IT support.

I have just started and it's a bit of a mess. No central AV, multiple sites with various perm none perm network connections etc.

I know we have blaster on some machines but they are hard to find as they get switched on and off so I am looking for something that will sit and tell me when it detects an attempted infection.

I thought of SNORT/other firewalls but it's a hammer to walnut solution really. I will just have to go with this if nobody knows of another tool

Thanks guys
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 11903182
I know of scanners... but they are HD scanners... what you may be able to do is use a logon script to scan peoples HD's for blaster, or others... it's easy to script McAfee's Stinger tool, and it finds about the 50 of the latest viri and thier variants... and cleans them. I'd make a netlogon script (.bat file) that says the following...


@echo off
Rem don't show output
copy Stinger.exe %userprofile%/desktop
sleep 3
Rem wait 3 seconds, then scan local HD's
%userprofile%/desktop/Stinger.exe /ADL /GO /LOG /SILENT
end

All you have to do is get stinger: http://vil.nai.com/vil/stinger/
Place it in the Netlogon directory on your domain controllers... when a user signs in, if they have the netlogon check mark on their account, the file should copy to their desktop, then run and log anything it finds (locally:( - then the next week, remove the script- and write one that will tell you who had the virus from the log file.
-rich
0
 
LVL 1

Expert Comment

by:Alien3
ID: 11926401
the old machine with default install of windows 2000/XP  but put files watch, registry watcher and packet sniffer that logs.
etheral sniffer is best packet sniffer.  





0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Many people tend to confuse the function of a virus with the one of adware, this misunderstanding of the basic of what each software is and how it operates causes users and organizations to take the wrong security measures that would protect them ag…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
Do you want to know how to make a graph with Microsoft Access? First, create a query with the data for the chart. Then make a blank form and add a chart control. This video also shows how to change what data is displayed on the graph as well as form…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question