(preliminary)

Our incident handler team observed an increase in localized scans for port 901 over the last few days ( http://isc.sans.org/port_details.html?port=901&;;tarax=1 ).
Port 901 is commonly used by 'swat', a tool to administer SAMBA. However,
we found that these scans can be attributed to a new 'remote administration'
package called 'Net Devil'.

'Net Devil' is listening on port 901, and upon connection it is sending the
prompt: 'passed' . Another version was found to use 'passwd pleaz' as a prompt.
While port 901 is used for authentication, port 903 is used after the connection
is established to send commands.

A version of the tool was captured using THP (Tiny Honeypot). It was uploaded using the filename 'xstyles.exe'. The file itself is packed using ASPack. Kaspersky Antivirus labels the payload as TrojanDropper.Win32.Small.aj .
So far, the program does not appear to be fully functional and is not running on our test systems. However, a new version of NetDevil may be imminent.

NetDevil is discussed in some bulletin boards, and it is not clear who is
currently developing the code.
---------------------------------------------------------------------

George Bakos, ISTS Dartmouth Univ. contributed to this report.