funsec mailing list archives

Arbor: IRC Bot attacking Symantec Overflow


From: "Fergie" <fergdawg () netzero net>
Date: Tue, 28 Nov 2006 19:12:10 GMT

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jose Nazario has a great write-up:

[snip]

Back in May of this year, Symantec released an advisory entitled SYM06-010:
Symantec Client Security and Symantec AntiVirus Elevation of Privilege.
Those that took the time to read it beyond the title noticed that this
isn’t just a local privilege elevation exploit. It’s an out and out
remote stack overflow using a specific service (TCP port 2967).

We started tracking possible exploit activity for this vulnerability in
early June using an ATF policy to detect scans and exploit, with our
thinking that someone would surely take an interest. Activity for this
policy quickly dropped off our radar, buried underneath some juicy Windows
and VNC holes that people focused on. We didn’t see many scanners for
this service, and only a burst of a scan early last week.

That is, until now, in late November, when we see a bot using an exploit
for this (and lots of people are curious). We had a look at the bot, and
found that it’s a new exploit plugin for a garden variety SDBot. This
thing’s a beast! It’s huge, not unlike a bloated bot that someone’s
thrown everything into.

[snip]

More:
http://asert.arbornetworks.com/2006/11/that-new-bot-irc-bot-attacking-symantec-overflow/

- - ferg

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.5.1 (Build 1557)

wj8DBQFFbIoBq1pz9mNUZTMRAkyQAKDhN8/NdbJs3eu2mbQ+fhQNbcbdSACgy2Tg
hgXpAbch6rOQBKPFdeOE9yM=
=5gfD
-----END PGP SIGNATURE-----



--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/
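The quoted write-up mentions tracking this vulnerability with a policy that flags scans for the Symantec service on TCP port 2967. The example below, added here and not part of the original post or of Arbor's tooling, shows the defender-side logic such a policy boils down to: a source that sends SYNs to port 2967 on many distinct hosts is sweeping for the service, whereas a managed client talking to one server on that port is ordinary. The log format, the sample records and the threshold of five distinct targets are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict

# Port of the Symantec service named in SYM06-010, as quoted in the post.
SYMANTEC_PORT = 2967

# Constructed sample connection log (not from the page): one record per line,
# "timestamp src dst dport flags". 10.0.0.5 sweeps six hosts on 2967,
# 10.0.0.7 contacts a single host on 2967 (normal), and 10.0.0.9 sweeps
# port 80, which this policy deliberately ignores.
SAMPLE_LOG = """\
2006-11-20T10:00:01 10.0.0.5 192.168.1.10 2967 S
2006-11-20T10:00:01 10.0.0.5 192.168.1.11 2967 S
2006-11-20T10:00:02 10.0.0.5 192.168.1.12 2967 S
2006-11-20T10:00:02 10.0.0.5 192.168.1.13 2967 S
2006-11-20T10:00:03 10.0.0.5 192.168.1.14 2967 S
2006-11-20T10:00:03 10.0.0.5 192.168.1.15 2967 S
2006-11-20T10:00:03 10.0.0.5 192.168.1.15 2967 S
2006-11-20T10:01:00 10.0.0.7 192.168.1.20 2967 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.30 80 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.31 80 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.32 80 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.33 80 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.34 80 S
2006-11-20T10:02:00 10.0.0.9 192.168.1.35 80 S
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+([A-Z]+)$")


def parse_log(text):
    """Yield (ts, src, dst, dport, flags) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, flags = m.groups()
        yield ts, src, dst, int(dport), flags


def find_port_scanners(records, port=SYMANTEC_PORT, min_targets=5):
    """Return {src: sorted distinct destinations} for each source whose SYN
    attempts to `port` reached at least `min_targets` distinct hosts.
    Distinct hosts, not connection count, is the signal: repeats to one
    server are normal client behaviour."""
    targets = defaultdict(set)
    for _ts, src, dst, dport, flags in records:
        if dport == port and "S" in flags:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def scan_report(text=SAMPLE_LOG, port=SYMANTEC_PORT, min_targets=5):
    """Convenience wrapper: parse the log and return the scanners found."""
    return find_port_scanners(parse_log(text), port, min_targets)


if __name__ == "__main__":
    for src, dsts in scan_report().items():
        print(f"{src} swept {len(dsts)} hosts on tcp/{SYMANTEC_PORT}")
```

The threshold is the tunable part: set it low enough to catch a bot's sweep of a /24 early, but above the number of Symantec servers a legitimate client in your environment would ever contact on that port.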


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.