Wednesday, December 07, 2005

GHH - Tracking Web Based Worm

Right after I blogged about honeyd, I read about the Mambo bot. The MySpace worm was a shock, and now more and more web-based worms are emerging. This could indicate that next-generation worms are targeting not only users but also vulnerable servers. This is not a good sign, because many users out there deploy CMSes such as phpBB, Mambo, etc. without maintaining them or tracking the latest versions that fix vulnerabilities.

There are ways to track the Mambo bot, since it searches for other vulnerable servers through the Google search engine. GHH (Google Hack Honeypot) is one possible way to track the Mambo bot. Maybe I should spend some time on a Google Hack Honeypot deployment when I have enough time. Check it out if you are interested.
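To show the idea behind tracking a search-driven bot with a decoy page, here is an added example (not code from GHH or from this blog): it scans web server access-log lines for requests to a decoy page and pulls out the search terms from the Referer header. The decoy path, the Apache combined log format, the search-host prefixes and the sample log lines are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: a decoy page at this path, reachable only through search results.
HONEYPOT_PATHS = {"/cms/index.php"}
# Assumption: referer hosts treated as search engines.
SEARCH_PREFIXES = ("www.google.", "google.")

# Apache "combined" log format (assumed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample input (documentation IP ranges, made-up agent and CMS name).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Dec/2005:10:15:32 +0800] "GET /cms/index.php?option=com_content HTTP/1.0" 200 5120 '
    '"http://www.google.com/search?q=inurl%3Aindex.php+%22powered+by+examplecms%22" "ExampleBot/1.0"',
    '198.51.100.7 - - [07/Dec/2005:10:16:01 +0800] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [07/Dec/2005:10:17:45 +0800] "GET /cms/index.php HTTP/1.0" 200 5120 "-" "ExampleBot/1.0"',
]

def search_query(referer):
    """Return the search terms if the referer looks like a search results page.
    The Referer header is client-supplied, so treat the result as a hint only."""
    url = urlparse(referer)
    host = (url.hostname or "").lower()
    if not host.startswith(SEARCH_PREFIXES):
        return None
    terms = parse_qs(url.query).get("q")
    return terms[0] if terms else None

def honeypot_hits(lines):
    """Collect every request that touched a decoy path, with its search terms."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlparse(m["target"]).path not in HONEYPOT_PATHS:
            continue  # unparsable line or ordinary traffic
        hits.append({"ip": m["ip"], "time": m["ts"], "agent": m["agent"],
                     "target": m["target"], "query": search_query(m["referer"])})
    return hits

if __name__ == "__main__":
    for hit in honeypot_hits(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["agent"], "search terms:", hit["query"])
```

Since nobody has a legitimate reason to visit the decoy page, every hit is worth logging; the recovered search terms show which query led the visitor there.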


spoonfork said...

not servers specifically, but vulnerable web applications. this is nothing new as there have been quite a number of worms that exploit vulnerable web applications. the interesting thing is - this kind of worm is short-lived and causes (imho) less damage in terms of ringgit as compared to windows-related worms.

geek00L said...

By server I mean a server that is running the web applications :]. This kind of worm most likely has a short life cycle, as the webmaster or administrator at least knows what to do or how to deal with it. However, since Windows-related worms are more likely to target end users, who may by mistake trigger the worm's spread without knowing it, they are considered more severe; plus, with the social engineering tricks that are embedded in malware, they are deadly. As an example, we can see that worms like Mytob have still been quite successful in tricking end users lately.
It's nice to read your post here, and hopefully meet you in HITB next year.