[Snort-sigs] Bobax/Kibuv Windows XP UPnP SCAN

Joe Stewart jstewart at ...5...
Tue May 18 10:41:03 EDT 2004

On Tuesday 18 May 2004 11:23 am, Paul Schmehl wrote:
> First of all, it's not a scan.  It's a buffer overflow exploit. 
> Secondly, it's unlikely that it's Bobax/Kibuv, because you would be
> seeing more ports involved in the activity (Kibuv attacks about eight
> different weaknesses on several different ports.  These 5000 probes
> appear to be "standalone".

It's entirely unlikely that it's Kibuv, but it IS entirely likely that 
it is Bobax, since they are two very different trojans and Bobax fits 
the traffic description that most people are seeing (lots of 
connections, no data sent even if port is open).


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list