On Tue, 10 Feb 2004, Riad S. Wahby wrote: > > As for the code, have you tried catching the bug with a honeypot? I > > heard of people using netcat listening on port 3127 to catch the bug... > > To be honest, I didn't expect this to work, but before I left my > office last night I decided I may as well try it. To my great > surprise, I came in this morning and found that I had "caught one" > within minutes of opening the port. Quite im(de?)pressive.
I've done that and after 12 hours I had about 27 files. 8 of them were unique both in size and content. I've identified the one that drops the .tbz with source code but that leaves me with another 7 different files. Question is, how many things are out there piggybacking on mydoom's backdoor? And now the source code is public many more will emerge in the next few days... _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
