Bait Server for Trojan

Giganews Newsgroups
Subject: Bait Server for Trojan
Posted by:  Brock Hensley (brock.hensl…@serverintellect.com)
Date: Thu, 28 May 2009

Hello,

I'm looking for any recommendations on how to track down the cause of a
Trojan infection.

We have a number of reports of the following infection on various servers.
The only common link we can find between all the infected servers is that
they do not have Windows Firewall enabled, which is how I assume they are
compromising the system in the first place and installing the FTP server
which is then detectable.

================
Troj/ServU-Gen (Sophos)
    Aliases:
not-a-virus:Server-FTP.Win32.Serv-U.5000 (Kaspersky Lab)
not-a-virus:RiskWare.FTP.Serv-U.5000 (Kaspersky Lab)
Hacktool (Symantec)
BackDoor.Servu.5000 (Doctor Web)
Troj/ServU-Gen (Sophos)
BDS/ServU.ba.1 (H+BEDV)
Win32:Trojano-356 (ALWIL)
Trojan.ServU.G (SOFTWIN)
Trojan.Servu.1 (ClamAV)
Bck/ServU.BB (Panda)
Server-FTP.Win32.Serv-U
================

I'm trying to think of the best way to set up a "Bait" server with security
auditing & no Firewall to sniff the infection process.

Wireshark?

Once the server is infected, it creates "DependOnService" registry entries
on a few services which causes File & Printer Sharing to not work as well as
a few other detectable things.

Any help would be appreciated!
-B
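Added example for the DependOnService symptom mentioned in the post (my code, not Brock's and not part of any vendor tool). It parses a regedit export of HKLM\SYSTEM\CurrentControlSet\Services, decodes the hex(2)/hex(7) values regedit writes for ImagePath and DependOnService, and flags any dependency that names a service which is either undefined or whose binary sits outside the Windows system directory. The service names ExampleFtpSvc and MissingSvc, the C:\RECYCLER path, and the SYSTEM_DIRS allowlist are all constructed for the example and are not indicators from the post.

```python
"""Scan a .reg export of the Services key for suspicious DependOnService entries.
On a suspect host:  reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg
then: find_suspect_dependencies(parse_reg(open("services.reg", encoding="utf-16").read()))
Added example code; names, paths and the allowlist below are constructed, not real IOCs.
"""
import re
from typing import Dict, List, Tuple

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

# Assumption for the example: a dependency whose ImagePath starts with one of
# these prefixes is treated as a normal Windows service or driver.
SYSTEM_DIRS = ("%systemroot%\\system32\\", "\\systemroot\\system32\\",
               "c:\\windows\\system32\\", "system32\\")


def encode_hex_value(kind: str, strings: List[str]) -> str:
    """Emit hex(2)/hex(7) the way regedit exports them: UTF-16LE bytes, wrapped with ',\\'."""
    text = "\x00".join(strings) + ("\x00\x00" if kind == "7" else "\x00")
    hexbytes = [f"{b:02x}" for b in text.encode("utf-16-le")]
    chunks = [",".join(hexbytes[i:i + 20]) for i in range(0, len(hexbytes), 20)]
    return f"hex({kind}):" + ",\\\r\n  ".join(chunks)


def _decode_hex(kind: str, payload: str) -> List[str]:
    """Decode a hex(2) (REG_EXPAND_SZ) or hex(7) (REG_MULTI_SZ) payload to strings."""
    data = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    text = data.decode("utf-16-le")
    if kind == "7":  # NUL-separated list, double-NUL terminated
        return [s for s in text.split("\x00") if s]
    return [text.rstrip("\x00")]


def parse_reg(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a .reg export into {key_path: {value_name: [strings]}}."""
    keys: Dict[str, Dict[str, List[str]]] = {}
    current = None
    # regedit wraps long hex values as ',\' + newline + two spaces: rejoin them first.
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, raw = m.group(1), m.group(2)
        if raw.startswith('"'):          # REG_SZ: "..." with \\ and \" escaped
            value = [raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")]
        elif raw.startswith("hex("):     # hex(2) / hex(7)
            kind = raw[4:raw.index(")")]
            value = _decode_hex(kind, raw[raw.index(":") + 1:])
        elif raw.startswith("dword:"):
            value = [str(int(raw[6:], 16))]
        else:
            value = [raw]
        keys[current][name] = value
    return keys


def _normalize_image_path(path: str) -> str:
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def find_suspect_dependencies(keys: Dict[str, Dict[str, List[str]]]) -> List[Tuple[str, str, str]]:
    """Return (service, dependency, reason) for each DependOnService entry that names
    an undefined service or one whose ImagePath is outside SYSTEM_DIRS."""
    prefix = SERVICES_ROOT + "\\"
    services = {}
    for key, values in keys.items():
        short = key[len(prefix):]
        if key.startswith(prefix) and "\\" not in short:   # top-level service keys only
            services[short.lower()] = (short, values)
    findings = []
    for short, values in services.values():
        for dep in values.get("DependOnService", []):
            target = services.get(dep.lower())
            if target is None:
                findings.append((short, dep, "dependency is not defined under Services"))
                continue
            image = _normalize_image_path(target[1].get("ImagePath", [""])[0])
            if not image.startswith(SYSTEM_DIRS):
                findings.append((short, dep, f"dependency binary outside system32: {image}"))
    return findings


# Constructed sample export: ExampleFtpSvc stands in for a planted FTP service,
# MissingSvc for a dangling dependency. Neither name comes from the post.
SAMPLE_REG = "\r\n".join([
    "Windows Registry Editor Version 5.00", "",
    f"[{SERVICES_ROOT}\\LanmanServer]",
    '"DisplayName"="Server"',
    '"ImagePath"=' + encode_hex_value("2", ["%SystemRoot%\\system32\\svchost.exe -k netsvcs"]),
    '"DependOnService"=' + encode_hex_value("7", ["SamSS", "Srv", "ExampleFtpSvc", "MissingSvc"]),
    "", f"[{SERVICES_ROOT}\\SamSS]", '"ImagePath"="%SystemRoot%\\\\system32\\\\lsass.exe"',
    "", f"[{SERVICES_ROOT}\\Srv]", '"ImagePath"="system32\\\\DRIVERS\\\\srv.sys"',
    "", f"[{SERVICES_ROOT}\\ExampleFtpSvc]", '"ImagePath"="C:\\\\RECYCLER\\\\ftpd.exe"', "",
])

if __name__ == "__main__":
    for service, dep, reason in find_suspect_dependencies(parse_reg(SAMPLE_REG)):
        print(f"{service}: DependOnService -> {dep}: {reason}")
```

Run it against the constructed sample and it reports LanmanServer depending on ExampleFtpSvc (binary under C:\RECYCLER) and on MissingSvc (no such key). A real `reg export` file is UTF-16 with a BOM, so open it with encoding="utf-16" before passing it to parse_reg; the allowlist in SYSTEM_DIRS is a starting point and should be tuned for the host's own drivers and third-party services.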
