Windows Vista Tips


Bait Server for Trojan

 
 
Brock Hensley
      05-28-2009
Hello,

I'm looking for any recommendations on how to track down the cause of a
Trojan infection.

We have a number of reports of the following infection on various servers.
The only common link we can find between all the infected servers is that
they do not have Windows Firewall enabled, which is how I assume they are
compromising the system in the first place and installing the FTP server
which is then detectable.

================
Troj/ServU-Gen (Sophos)
Aliases:
not-a-virus:Server-FTP.Win32.Serv-U.5000 (Kaspersky Lab)
not-a-virus:RiskWare.FTP.Serv-U.5000 (Kaspersky Lab)
Hacktool (Symantec)
BackDoor.Servu.5000 (Doctor Web)
Troj/ServU-Gen (Sophos)
BDS/ServU.ba.1 (H+BEDV)
Win32:Trojano-356 (ALWIL)
Trojan.ServU.G (SOFTWIN)
Trojan.Servu.1 (ClamAV)
Bck/ServU.BB (Panda)
Server-FTP.Win32.Serv-U
================

I'm trying to think of the best way to set up a "Bait" server with security
auditing & no Firewall to sniff the infection process.

Wireshark?

Once the server is infected, it creates "DependOnService" registry entries
on a few services which causes File & Printer Sharing to not work as well as
a few other detectable things.

Any help would be appreciated!
-B
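
Added example (mine, not the original poster's) of the two checks the post implies: compare each File & Printer Sharing service's DependOnService value against a snapshot taken from a known-clean host, and list TCP listeners with their owning executable so an FTP daemon that was dropped on the box stands out. It assumes an elevated PowerShell prompt; the script name, baseline path and the "outside %SystemRoot%" heuristic are my choices, not something the thread gives.

```powershell
<#
  Added example for this thread; not code from the original poster.
  Step 1, on a known-clean reference server:
      .\Check-DependOnService.ps1 -Mode Baseline
  Step 2, copy the XML to a suspect (or bait) server and run:
      .\Check-DependOnService.ps1 -Mode Compare
  Script name, baseline path and the "outside %SystemRoot%" heuristic are
  assumptions of this example, not anything the thread states.
#>
param(
    [ValidateSet('Baseline', 'Compare')]
    [string]$Mode = 'Compare',
    [string]$BaselinePath = 'C:\audit\dependonservice-baseline.xml'
)

# Services behind File & Printer Sharing. A dependency injected into one of
# these keys is the symptom described in the post.
$Services = 'LanmanServer', 'LanmanWorkstation', 'Browser'

function Get-DependOnService {
    # Returns @{ ServiceName = [string[]] DependOnService } for each service present.
    $result = @{}
    foreach ($svc in $Services) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (Test-Path $key) {
            $val = (Get-ItemProperty -Path $key).DependOnService
            # Force an array of strings (REG_MULTI_SZ; a missing value becomes an empty array).
            $result[$svc] = @($val | ForEach-Object { [string]$_ })
        }
    }
    $result
}

function Get-TcpListeners {
    # netstat -ano exists on XP/2003 onward and reports the owning PID;
    # Get-NetTCPConnection only exists on Windows 8 / Server 2012 and later.
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $addr = $Matches[1]; $port = [int]$Matches[2]; $ownerPid = [int]$Matches[3]
            $proc = Get-WmiObject Win32_Process -Filter "ProcessId = $ownerPid"
            New-Object PSObject -Property @{
                LocalAddress = $addr
                Port         = $port
                OwnerPid     = $ownerPid
                Image        = $(if ($proc) { $proc.ExecutablePath } else { '<unknown>' })
            }
        }
    }
}

switch ($Mode) {
    'Baseline' {
        $dir = Split-Path -Parent $BaselinePath
        if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
        Get-DependOnService | Export-Clixml -Path $BaselinePath
        Write-Host "Baseline written to $BaselinePath"
    }
    'Compare' {
        $baseline = Import-Clixml -Path $BaselinePath
        $current  = Get-DependOnService
        foreach ($svc in $Services) {
            if (-not ($baseline.ContainsKey($svc) -and $current.ContainsKey($svc))) {
                Write-Host "$svc : present on only one side, check manually"
                continue
            }
            # Hand-rolled set difference; -notcontains against an empty array is True.
            $added   = @($current[$svc]  | Where-Object { $baseline[$svc] -notcontains $_ })
            $removed = @($baseline[$svc] | Where-Object { $current[$svc]  -notcontains $_ })
            foreach ($a in $added)   { Write-Host "$svc : DependOnService ADDED   $a" }
            foreach ($r in $removed) { Write-Host "$svc : DependOnService REMOVED $r" }
        }
        # Any listener whose image lives outside %SystemRoot%, plus anything on
        # TCP/21, is worth a look: an intruder-installed FTP daemon usually does
        # not sit under the Windows directory (heuristic, not a signature).
        Get-TcpListeners |
            Where-Object { $_.Port -eq 21 -or $_.Image -notlike "$env:SystemRoot\*" } |
            Sort-Object Port |
            Format-Table Port, OwnerPid, Image -AutoSize
    }
}
```

Take the baseline from a host built from the same image as the affected servers, since the default dependency lists differ between Windows versions; a diff that shows a dependency added to LanmanServer or LanmanWorkstation, together with a listener on TCP/21 owned by a binary outside the Windows directory, is the pair of artefacts the post describes.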

 
Dave
      05-28-2009
The cause is: you are not secure enough.

The fix is: get more secure!

Leave the analysis to the pros; get your security fixed so you aren't a
vector for transmitting future infections.

Milo
      05-30-2009
Hi Brock.

First of all you need a sandbox system (infection possible due to a
vulnerable machine in your test segment)... then you need to monitor
ports (all open) and forward file samples to that area; it should
simulate the actual attack, and then and only then can you understand the threat
vector.

You can reach me here for a more detailed explanation.
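
Added example (not Milo's or anyone else's from the thread) of how to instrument the sandbox host he describes so the infection leaves a record even with the Windows Firewall deliberately off: enable the relevant audit subcategories, put a SACL on the Services tree so the DependOnService tampering from the first post is logged, and pull the resulting events back afterwards. It assumes Windows Vista / Server 2008 or later (the auditpol subcategories do not exist on 2003) and an elevated prompt; the function names, log size and event selection are my choices.

```powershell
<#
  Added example, not code from the thread. Instruments a throwaway Windows
  host (the "bait" box, built in an isolated test segment that cannot reach
  production) so a compromise leaves a trail with the firewall off.
  Function names, log size and the event-ID selection are assumptions of
  this example.
#>

function Enable-BaitAuditing {
    # Advanced audit subcategories: who logged on, every new process, every
    # service installed, and registry/file writes where a SACL exists.
    auditpol /set /subcategory:"Logon"                     /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation"          /success:enable
    auditpol /set /subcategory:"Security System Extension" /success:enable
    auditpol /set /subcategory:"Registry"                  /success:enable
    auditpol /set /subcategory:"File System"               /success:enable

    # Grow the Security log so a night of scanner noise does not wrap over
    # the evidence (128 MB here; pick what the disk allows).
    wevtutil sl Security /ms:134217728

    # Audit any value written, subkey created or deleted under the Services
    # tree, which is where the DependOnService tampering lands.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    $acl  = Get-Acl -Path $key -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'SetValue, CreateSubKey, Delete', 'ContainerInherit', 'None', 'Success')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl   # needs SeSecurityPrivilege, i.e. elevation
}

function Get-BaitEvents {
    # Pull the events that reconstruct an intrusion, oldest first:
    #   4624 logon, 4688 new process, 4697 service installed,
    #   4657 registry value modified, 4663 file/object access.
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-EventLog -LogName Security -After $Since |
        Where-Object { 4624, 4657, 4663, 4688, 4697 -contains $_.InstanceId } |
        Sort-Object TimeGenerated |
        Select-Object TimeGenerated, InstanceId,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage: run the first line once before exposing the host, the second after
# the incident (both left commented so loading the file changes nothing).
# Enable-BaitAuditing
# Get-BaitEvents -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

Run Enable-BaitAuditing before exposing the host, and capture the traffic from a mirror port on a second machine rather than with Wireshark on the bait itself, so the intruder cannot tamper with the capture. Afterwards correlate the Get-BaitEvents output (4697 shows the FTP service being installed, 4657 the registry writes, 4624 the logon that preceded them) with the packet trace; that gives the initial access path rather than just the artefacts the antivirus already reports.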

 
Cody E
      06-10-2009
The best thing you could do other than setting up a sandbox or a honeypot is
to set up Snort and configure its rules. If you don't know how to do this, I
would most definitely do research on it or hire one or more security consultants
to do it for you.
