SANS ISC: port 901 surge - SANS Internet Storm Center
port 901 surge
(preliminary)

Our incident handler team observed an increase in localized scans for port 901 over the last few days ( http://isc.sans.org/port_details.html?port=901&tarax=1 ).
Port 901 is commonly used by SWAT, the web-based tool for administering Samba. However, we found that these scans can be attributed to a new 'remote administration' package called 'Net Devil'.

'Net Devil' listens on port 901 and, upon connection, sends the prompt 'passed'. Another version was found to use 'passwd pleaz' as its prompt. Port 901 is used only for authentication; once the connection is established, port 903 is used to send commands.

A version of the tool was captured using THP (Tiny Honeypot). It was uploaded using the filename 'xstyles.exe'. The file itself is packed using ASPack. Kaspersky Antivirus labels the payload as TrojanDropper.Win32.Small.aj.
So far, the program does not appear to be fully functional and is not running on our test systems. However, a new version of NetDevil may be imminent.
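As an added detection example (not part of this diary), the following Python classifies passively captured connections on ports 901 and 903 using the two Net Devil prompts reported above, separates them from a genuine SWAT listener (which answers in HTTP), and flags any server that served the port 901 prompt and then accepted a port 903 connection from the same client. All addresses and records are constructed; the record format is an assumption.

```python
# Added example (not from the ISC diary): label 901/903 connections by the
# Net Devil prompts the diary reports and pair a 901 prompt with a later 903
# connection from the same client. Addresses and records are constructed.
from dataclasses import dataclass

NETDEVIL_PROMPTS = (b"passed", b"passwd pleaz")   # prompts named in the diary
AUTH_PORT, CMD_PORT = 901, 903

@dataclass
class Conn:
    client: str          # address that opened the connection
    server: str          # address that accepted it
    dport: int           # server-side port
    server_bytes: bytes  # first bytes the server sent back (empty if none)

def classify(c: Conn) -> str:
    """Label one connection by port and by what the server said first."""
    if c.dport == AUTH_PORT:
        if c.server_bytes.startswith(b"HTTP/"):
            return "swat-http"       # a real SWAT listener answers in HTTP
        if any(c.server_bytes.strip().startswith(p) for p in NETDEVIL_PROMPTS):
            return "netdevil-auth"
        return "unknown-901"
    if c.dport == CMD_PORT:
        return "netdevil-cmd-candidate"
    return "other"

def infected_servers(conns) -> list:
    """Servers that issued the 901 prompt and then received a 903 connection
    from the same client; records are assumed to be in time order."""
    authed, flagged = set(), []
    for c in conns:
        label = classify(c)
        if label == "netdevil-auth":
            authed.add((c.client, c.server))
        elif label == "netdevil-cmd-candidate" and (c.client, c.server) in authed:
            if c.server not in flagged:
                flagged.append(c.server)
    return flagged

SAMPLE = [  # constructed capture, not real traffic
    Conn("10.0.0.5", "192.0.2.10", 901, b"HTTP/1.0 401 Authorization Required\r\n"),
    Conn("198.51.100.7", "192.0.2.20", 901, b"passed"),
    Conn("198.51.100.7", "192.0.2.20", 903, b""),
    Conn("198.51.100.9", "192.0.2.30", 901, b"passwd pleaz"),
    Conn("198.51.100.9", "192.0.2.40", 903, b""),   # other server: no pairing
]
```

Running infected_servers(SAMPLE) returns ['192.0.2.20']; the 903 hit on 192.0.2.40 is not flagged because that client/server pair never produced a 901 prompt.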

NetDevil is discussed on some bulletin boards, and it is not clear who is currently developing the code.
---------------------------------------------------------------------

George Bakos, ISTS Dartmouth Univ. contributed to this report.