(preliminary)
Our incident handler team observed an increase in localized scans for port 901 over the last few days ( http://isc.sans.org/port_details.html?port=901&tarax=1 ). Port 901 is commonly used by 'swat', a tool to administer SAMBA. However, we found that these scans can be attributed to a new 'remote administration' package called 'Net Devil'.

'Net Devil' is listening on port 901, and upon connection it is sending the prompt: 'passed'. Another version was found to use 'passwd pleaz' as a prompt. While port 901 is used for authentication, port 903 is used after the connection is established to send commands.

A version of the tool was captured using THP (Tiny Honeypot). It was uploaded using the filename 'xstyles.exe'. The file itself is packed using ASPack. Kaspersky Antivirus labels the payload as TrojanDropper.Win32.Small.aj. So far, the program does not appear to be fully functional and is not running on our test systems. However, a new version of NetDevil may be imminent. NetDevil is discussed in some bulletin boards, and it is not clear who is currently developing the code.

---------------------------------------------------------------------
George Bakos, ISTS Dartmouth Univ. contributed to this report.
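A defender-side check for the behaviour described above, written as an added example (not code from the diary or from the Net Devil authors): one function classifies the unsolicited banner a port-901 listener sends on connect (SWAT is an HTTP server and sends nothing until it receives a request, so an immediate 'passed' / 'passwd pleaz' prompt is the telltale), and a second walks constructed firewall-style log lines for the 901-then-903 authenticate-then-command pattern. The log line format and the sample addresses are assumptions made up for the example.

```python
import re

# Prompts the diary reports for Net Devil on port 901 (both observed versions).
NETDEVIL_PROMPTS = (b"passed", b"passwd pleaz")
AUTH_PORT, CMD_PORT = 901, 903

def classify_banner(banner: bytes) -> str:
    """Classify the first bytes a port-901 listener sends on connect.
    Silence is consistent with SWAT (HTTP waits for a request); a known
    Net Devil prompt sent unsolicited is the indicator to alert on."""
    text = banner.strip().lower()
    if not text:
        return "silent"
    if any(text.startswith(p) for p in NETDEVIL_PROMPTS):
        return "netdevil-prompt"
    return "unknown-banner"

# Hypothetical firewall-log format used only for this example:
# <timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>
LOG_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def find_netdevil_pairs(lines):
    """Return (src, dst) pairs that hit port 901 and afterwards port 903 on
    the same host: the authenticate-then-command sequence in the report."""
    seen_auth = set()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        _ts, src, dst, port, _action = m.groups()
        port = int(port)
        if port == AUTH_PORT:
            seen_auth.add((src, dst))
        elif port == CMD_PORT and (src, dst) in seen_auth:
            if (src, dst) not in hits:
                hits.append((src, dst))
    return hits

# Constructed sample log: one full 901->903 sequence, one 901-only probe,
# and one 903 connection with no prior authentication step.
SAMPLE_LOG = """\
2003-06-05T10:00:01 192.0.2.10 -> 198.51.100.5:901 ACCEPT
2003-06-05T10:00:03 192.0.2.10 -> 198.51.100.5:903 ACCEPT
2003-06-05T10:00:09 192.0.2.77 -> 198.51.100.5:901 ACCEPT
2003-06-05T10:01:12 192.0.2.20 -> 198.51.100.5:903 ACCEPT
"""

if __name__ == "__main__":
    print(classify_banner(b"passwd pleaz\r\n"))
    print(find_netdevil_pairs(SAMPLE_LOG.splitlines()))
```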
Posted by Handlers, Jun 5th 2003