funsec mailing list archives
Arbor: IRC Bot attacking Symantec Overflow
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 28 Nov 2006 19:12:10 GMT
Jose Nazario has a great write-up:

[snip]

Back in May of this year, Symantec released an advisory entitled SYM06-010: Symantec Client Security and Symantec AntiVirus Elevation of Privilege. Those that took the time to read it beyond the title noticed that this isn't just a local privilege elevation exploit. It's an out and out remote stack overflow using a specific service (TCP port 2967).

We started tracking possible exploit activity for this vulnerability in early June using an ATF policy to detect scans and exploit, with our thinking that someone would surely take an interest. Activity for this policy quickly dropped off our radar, buried underneath some juicy Windows and VNC holes that people focused on. We didn't see many scanners for this service, and only a burst of a scan early last week.

That is, until now, in late November, when we see a bot using an exploit for this (and lots of people are curious). We had a look at the bot, and found that it's a new exploit plugin for a garden variety SDBot. This thing's a beast! It's huge, not unlike a bloated bot that someone's thrown everything into.

[snip]

More:
http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/

- ferg

-- 
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/