[Dshield] sdbot variant and winsize 55808 activity

Willi Web Willi.Web at mail4web.de
Fri Jun 20 12:25:45 GMT 2003


The IRC bot I found that synfloods with winsize 55808 has now been classified
by AV vendors as "randex.c". Once again, this is definately not the source
of the "odd" traffic; just be aware that TCP window size 55808 is apparently
in use by more than one piece of malicious code.

-Joe

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------




More information about the list mailing list