[unisog] Worm exploiting Symantec client defect?????

Russell Fulton r.fulton at auckland.ac.nz
Mon Nov 27 22:51:11 GMT 2006


There has been discussion on the ren-isac IRC channel this morning with
a couple of sites reporting finding machines scanning on 2967.   It
isn't clear if these are newly compromised using this vulnerability or
whether they were part of an existing bot net but by the time they were
found scanning they were definitely controlled by an IRC based bot net.

From looking at the graph on the ISC site I'd guess that this isn't a
worm, rather it is existing bots being commanded to scan for 2967.

BTW I would urge any university security folk who have not yet done so
to join REN-ISAC.  They are producing great intelligence in a timely
manner.  http://www.ren-isac.net/

Cheers, Russell.

Gary Flynn wrote:
> Anyone know anything more about what SANS
> is reporting on this?
> http://isc.sans.org//index.php
