Focus on Virus
POXDAR Revisited Apr 27 2006 02:57PM
Mark Ryan del Moral Talabis (talabis gmail com)
We noticed some peculiar connections in one of our honeypots just the
other day. We noted some DOS attempts directed to a number of
different sites. Based on the sites it tried to connect to, our
initial conclusion was it was the POXDAR worm. What was intresting
though is that in further examination of our logs, we saw that in
addition to connecting to "predefined" sites which was the normal
POXDAR behaviour, it also tries to look for russian domains by random
"brute force" guessing. It is doubtful that this is an effective way
to look for sites to perform DOS but this behaviour floods the network
with muliple DNS requests that might possibly lead to congestion given
critical mass.

Full Analysis:

Ryan Talabis
Philippine Honeynet Project

The Philippine Honeynet Project

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus