I have several Windows honeypots running at any one time. One emulates a fully patched IIS 5.0 web server, another emulates an e-commerce SQL Server database server, and another mimics an unprotected Windows XP workstation. My honeypots have the ports open that are listed in the tables presented in this chapter. During the Blaster worm (http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.html) attack, my honeypots were put to the test. I collected a Blaster variant two days before the large release on August 11, 2003. My best guess is that hackers were testing Blaster before the big release.
All my honeypots were receiving multiple probes to TCP port 135. Checking my log files, I found that the exploit code contained the buffer overflow described in Microsoft Security Bulletin MS03-026. My packet capture of the port probe revealed the worm attempting to get command-line (cmd.exe) access on TCP port 4444. I opened that port and created a generic service script that fed the worm what it expected. I then learned that it wanted to use TFTP on UDP port 69 to download a file. I opened that port and created a TFTP service. On the next worm attempt, I was able to get the remote machine to send me the worm’s main body, msblast.exe. Using my newly modified honeypot, I was able to capture the worm and also see who was connecting to me and which computers the worm was now trying to infect. My worm variant also copied itself to two more hidden files in the Windows system directory and contained stealth commands. The worm version that was released a few days later did not contain the two hidden files or stealth commands that my version did.
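The three-step sequence described above (a probe to TCP port 135, a shell session on TCP port 4444, then a TFTP transfer on UDP port 69) is exactly the kind of pattern a honeypot log can be correlated on. The script below is an added example, not code from the book or its author; it assumes a hypothetical one-event-per-line log format and runs over a constructed sample log using addresses from the 192.0.2.0/24 documentation range. It reports each source that completes all three stages, in order, within a configurable window, and notes the executable name seen in the session details.

```python
"""Correlate honeypot connection-log lines into the Blaster-style sequence
(TCP/135 probe, TCP/4444 shell, UDP/69 TFTP) described in the chapter.

This is an added example, not code from the book or its author. It assumes a
hypothetical, constructed log format (one event per line):
    <ISO-8601 timestamp> <tcp|udp> <src_ip>:<src_port> -> <dst_port> [free-text detail]
"""
import re
from collections import defaultdict
from datetime import datetime

# Ordered stages of the infection sequence; the port numbers come from the chapter text.
STAGES = (("tcp", 135), ("tcp", 4444), ("udp", 69))
WINDOW_SECONDS = 300  # assumption: all three stages must occur within five minutes

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) (?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dport>\d+)"
    r"(?: (?P<detail>.*))?$"
)
PAYLOAD_RE = re.compile(r"[\w.-]+\.exe", re.IGNORECASE)

# Constructed sample log (hypothetical addresses from the 192.0.2.0/24 documentation range).
SAMPLE_LOG = """\
2003-08-09T14:02:11 tcp 192.0.2.10:1052 -> 135 rpc dcom bind
2003-08-09T14:02:12 tcp 192.0.2.10:1053 -> 4444 shell session, remote asks for msblast.exe via tftp
2003-08-09T14:02:14 udp 192.0.2.10:1054 -> 69 tftp transfer msblast.exe
2003-08-09T14:03:40 tcp 192.0.2.77:3301 -> 135 rpc dcom bind
2003-08-09T14:05:02 tcp 192.0.2.77:3302 -> 80 GET /
2003-08-09T14:30:00 tcp 192.0.2.10:1099 -> 135 rpc dcom bind
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "proto": m["proto"],
        "src": m["src"],
        "dport": int(m["dport"]),
        "detail": m["detail"] or "",
    }


def _finding(src, hits):
    """Build the report entry for one completed sequence."""
    payload = None
    for ev in hits:
        m = PAYLOAD_RE.search(ev["detail"])
        if m:
            payload = m.group(0)
            break
    return {
        "src": src,
        "first_seen": hits[0]["ts"].isoformat(),
        "last_seen": hits[-1]["ts"].isoformat(),
        "duration_s": (hits[-1]["ts"] - hits[0]["ts"]).total_seconds(),
        "payload": payload,
    }


def correlate(log_text, window_seconds=WINDOW_SECONDS):
    """Return one finding per source that completed every stage, in order,
    within window_seconds of its first stage-0 hit."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is not None:  # lines that do not fit the format are skipped
            per_src[ev["src"]].append(ev)

    findings = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e["ts"])
        stage, hits = 0, []
        for ev in events:
            # Too much time since the stage-0 hit: start over from this event.
            if hits and (ev["ts"] - hits[0]["ts"]).total_seconds() > window_seconds:
                stage, hits = 0, []
            if (ev["proto"], ev["dport"]) != STAGES[stage]:
                continue  # out-of-order or unrelated traffic does not advance the sequence
            hits.append(ev)
            stage += 1
            if stage == len(STAGES):
                findings.append(_finding(src, hits))
                stage, hits = 0, []
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['src']}: 135 -> 4444 -> 69 in {f['duration_s']:.0f}s, payload={f['payload']}")
```

On the sample log only 192.0.2.10 is reported: 192.0.2.77 probes port 135 and then moves on to port 80, so it never advances past the first stage, and the later port 135 probe from 192.0.2.10 at 14:30 is a fresh sequence that has not completed. The window keeps an old probe from being stitched to an unrelated TFTP transfer hours later; tighten or widen it to match how quickly the worm variant you are watching moves through its stages.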
I traced the originating machines to an innocent cable modem user who had not applied any Windows XP patches since he bought his computer. Using the information I learned, I contacted all my clients and made sure they had the MS03-026 patches installed. When the worm hit, my clients were protected. That was a victory for the good guys.
I know of one honeypot administrator who used a similar setup the day after the Blaster worm went worldwide to reverse “attack” originating machines. When his honeypot received a connection attempt from an infected computer, he executed a script that erased the worm and patched the computer’s vulnerability. This is not a practice condoned by me or the security community.