[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN
jstewart at ...5...
Tue May 18 10:41:03 EDT 2004
On Tuesday 18 May 2004 11:23 am, Paul Schmehl wrote:
> First of all, it's not a scan. It's a buffer overflow exploit.
> Secondly, it's unlikely that it's Bobax/Kibuv, because you would be
> seeing more ports involved in the activity (Kibuv attacks about eight
> different weaknesses on several different ports). These 5000 probes
> appear to be "standalone".
It's entirely unlikely that it's Kibuv, but it IS entirely likely that
it is Bobax, since they are two very different trojans and Bobax fits
the traffic description that most people are seeing (lots of
connections, no data sent even if port is open).
Joe Stewart, GCIH
Senior Security Researcher