On Dasher
Despite efforts to cut off the distribution points (http://www.honeynet.org.cn/honeyneten/index.htm), new versions of Dasher continue to pop up. Symantec identified Dasher.C yesterday; it added an anti-security-software payload (your typical disable-the-anti-virus-and-firewall type of gig). New versions with new distribution points and signature-evasion changes continue to come out. Before you ask "which ones don't detect it?": right now, it's most of them. In a few hours, I hope that list will be much shorter.
It would be simply swell if the AV developers would write sigs for the samples that we're sending them. I know it's a weekend... but I'm working.
So, why is Dasher "finding legs," or why is it successful?
To answer that, we have to ask Microsoft: why are services listening on ephemeral ports? Or, why are some filtering/firewall strategies blocking only ports 1024 and below?
Overall, the response procedure appears to be working. The 1025/TCP scans were detected, packets were gathered, the vector was identified, examples of the code were captured, and command-and-control points were neutralized. Everything went according to plan, just not as quickly as I hoped.
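Two of the points above, the "block only 1024 and below" filtering gap and the detection of 1025/TCP scanning, can be illustrated with a small script. The following is an added example written for this page, not code from the diary or from any vendor; the firewall log format (timestamp, PERMIT/DENY, protocol, src:port -> dst:port) and all addresses in it are constructed, and the two blocked-port policies are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log (not from the original post). The format is a
# generic "PERMIT/DENY PROTO src:sport -> dst:dport" line chosen for this example.
SAMPLE_LOG = """\
2005-12-17T09:00:01 PERMIT TCP 10.0.0.5:3301 -> 192.168.1.10:1025
2005-12-17T09:00:01 PERMIT TCP 10.0.0.5:3302 -> 192.168.1.11:1025
2005-12-17T09:00:02 PERMIT TCP 10.0.0.5:3303 -> 192.168.1.12:1025
2005-12-17T09:00:02 PERMIT TCP 10.0.0.5:3304 -> 192.168.1.13:1025
2005-12-17T09:00:03 PERMIT TCP 10.0.0.5:3305 -> 192.168.1.14:1025
2005-12-17T09:00:03 PERMIT TCP 10.0.0.5:3306 -> 192.168.1.15:1025
2005-12-17T09:00:04 PERMIT TCP 10.0.0.9:4410 -> 192.168.1.10:1025
2005-12-17T09:00:05 PERMIT TCP 10.0.0.9:4411 -> 192.168.1.10:445
2005-12-17T09:00:05 DENY   TCP 10.0.0.5:3307 -> 192.168.1.16:135
2005-12-17T09:00:06 PERMIT TCP 10.0.0.7:5000 -> 192.168.1.20:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>PERMIT|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"] = int(d["sport"])
            d["dport"] = int(d["dport"])
            events.append(d)
    return events


def find_port_scanners(events, port=1025, min_targets=5):
    """Return {src: distinct_target_count} for sources that touched `port`
    on at least `min_targets` distinct destination hosts (a horizontal scan)."""
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == port:
            targets[e["src"]].add(e["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def passes_policy(dport, blocked_ranges):
    """True if a connection to `dport` is NOT covered by any blocked (lo, hi) range."""
    return not any(lo <= dport <= hi for lo, hi in blocked_ranges)


def uncovered_ports(events, blocked_ranges):
    """Sorted list of destination ports seen in the log that the policy would let through."""
    return sorted({e["dport"] for e in events if passes_policy(e["dport"], blocked_ranges)})


# Two assumed inbound-filtering policies: the "privileged ports only" one the
# diary questions, and one extended to cover the 1025/TCP listener as well.
LOW_PORTS_ONLY = [(1, 1024)]
WITH_1025 = [(1, 1024), (1025, 1025)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("1025/TCP scanners:", find_port_scanners(evs))
    print("ports the low-ports-only policy lets through:", uncovered_ports(evs, LOW_PORTS_ONLY))
    print("ports the extended policy lets through:", uncovered_ports(evs, WITH_1025))
```

Run on the sample, the script flags 10.0.0.5 as a 1025/TCP scanner (six distinct targets) while ignoring 10.0.0.9, which touched a single host, and it shows that a policy blocking only ports 1 through 1024 leaves 1025 as the one observed port that gets through. The threshold and the port are parameters so the same check can be pointed at any other service that happens to listen above 1024.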
Now, I'm waiting for Prancer.