Virus Blog

Amun: Python Honeypot

— Posted by zeroq @ 11:37 - 18 May, 2007

I am currently working on my own low-interaction Honeypot implementation written in Python. The project is called Amun and is making great progress. The software runs in a virtual Linux machine with a little more than 500 IP addresses assigned. The average load is somewhat around 0.6 - 0.7 depending on the number of simultaneous connections. This is pretty good for a single threaded scripting language.

Basically Amun follows the same approach as Nepenthes does, it simulates known vulnerabilities and tries to download any automatically distributed binaries by recognizing and decoding the transmitted shellcode.


Trojan SquatBot

— Posted by zeroq @ 07:25 - 10 May, 2007

We are observing a new version of the trojan SquatBot infecting several hosts on our university network recently.

The malware installs a tool named remotewatch which frequently asks WHOIS servers on port 43 for all kinds of domain names. Expired or mistyped domains seem then to be registered for further propagation. The domain www.googlke.com is an example of such a mistyped domain. However, SquatBot seems to consider local circumstances as well, because the mistyped domain name of a public transport company here in Aachen was also used for propagation. The process to look for on an infected host is named cchost.exe.

When we got our hands on the first binary yesterday and submitted it to VirusTotal, there were no more than two virus scanners detecting SquatBot, namely Kaspersky and F-Prot. So keep an eye on your WHOIS traffic...
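As an added illustration of the "keep an eye on your WHOIS traffic" advice (example code written for this page, not part of the original post or of SquatBot analysis), the script below flags internal hosts that open bursts of TCP/43 connections. The log format, the sample lines, the threshold and the window length are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (timestamp src_ip dst_ip dst_port proto).
# 10.0.5.23 behaves like the post describes: many WHOIS lookups in a short time.
SAMPLE_LOG = """\
2007-05-09T14:00:01 10.0.5.23 192.0.2.10 43 tcp
2007-05-09T14:00:03 10.0.5.23 192.0.2.11 43 tcp
2007-05-09T14:00:04 10.0.5.42 192.0.2.50 80 tcp
2007-05-09T14:00:06 10.0.5.23 192.0.2.12 43 tcp
2007-05-09T14:00:09 10.0.5.23 192.0.2.10 43 tcp
2007-05-09T14:00:11 10.0.5.23 192.0.2.13 43 tcp
2007-05-09T14:05:00 10.0.5.42 192.0.2.10 43 tcp
2007-05-09T14:30:00 10.0.5.23 192.0.2.10 43 tcp
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")

def parse_log(text):
    """Yield (timestamp, src, dst, port) for well-formed TCP lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        if proto != "tcp":
            continue
        yield datetime.fromisoformat(ts), src, dst, int(port)

def whois_burst_hosts(text, threshold=5, window=timedelta(minutes=1)):
    """Map each source that reaches `threshold` WHOIS (port 43) connections inside
    any sliding `window` to its peak count. Threshold/window are assumed values."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 43:
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged
```

A single WHOIS lookup from an ordinary workstation (10.0.5.42 here) stays below the threshold; only the host hammering port 43 is reported.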
