Update: The Novell Clients will have Symantec AV listening on port 2968 as well. Not just the server!
This may explain the rise as it exposes a much larger population of systems.
We have captured a fair number of attacks against ports 2968 and 2967 over the past 24 hours, and they appear to be identical in payload. The attack is effective against Symantec Antivirus version 10.0.2.2000 and below. The shellcode opens a bindshell on port 8555, which is then connected to, and either ftp.exe or tftp.exe is used to download what appears to be a botnet client.
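As an added example (not part of the diary), here is a small Python correlation that walks firewall-style log lines in time order and flags hosts that show the sequence described above: an inbound hit on 2967/2968, then an inbound connection to 8555, then an outbound ftp or tftp transfer. The log format and all addresses are constructed for this illustration.

```python
import re
from collections import defaultdict

# Ports from the diary: Symantec AV server (2967), Novell client (2968), the bindshell (8555).
SYMANTEC_PORTS = {2967, 2968}
BINDSHELL_PORT = 8555
DOWNLOAD_PORTS = {21, 69}  # ftp.exe (tcp/21) or tftp.exe (udp/69)

# Hypothetical firewall log format, constructed for this example:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <ALLOW|DENY>
LOG_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)\s+(\w+)\s+(\w+)$")

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, proto, action = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "action": action}

def find_compromise_chains(lines):
    """Return {victim_host: [stages reached]} for every host where the attacker
    actually connected to the bindshell; lines must be in chronological order."""
    stages = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "ALLOW":
            continue  # skip unparseable lines and traffic the firewall blocked
        if ev["dport"] in SYMANTEC_PORTS:
            stages[ev["dst"]].add("exploit")            # inbound hit on the AV port
        elif ev["dport"] == BINDSHELL_PORT and "exploit" in stages[ev["dst"]]:
            stages[ev["dst"]].add("bindshell")          # attacker connects to 8555
        elif ev["dport"] in DOWNLOAD_PORTS and "bindshell" in stages[ev["src"]]:
            stages[ev["src"]].add("download")           # victim pulls the payload
    return {h: [st for st in ("exploit", "bindshell", "download") if st in s]
            for h, s in stages.items() if "bindshell" in s}

# Constructed sample: one full chain, one blocked bindshell, one probe only.
SAMPLE_LOG = """
2007-01-12T10:00:01 203.0.113.7:4455 -> 192.0.2.10:2967 TCP ALLOW
2007-01-12T10:00:02 203.0.113.7:4456 -> 192.0.2.10:8555 TCP ALLOW
2007-01-12T10:00:05 192.0.2.10:1034 -> 203.0.113.7:69 UDP ALLOW
2007-01-12T10:01:00 203.0.113.9:5001 -> 192.0.2.11:2968 TCP ALLOW
2007-01-12T10:01:01 203.0.113.9:5002 -> 192.0.2.11:8555 TCP DENY
2007-01-12T10:02:00 198.51.100.4:3333 -> 192.0.2.12:2968 TCP ALLOW
""".strip().splitlines()
```

Running `find_compromise_chains(SAMPLE_LOG)` reports only 192.0.2.10, since the probe against 192.0.2.12 never progressed and the bindshell connection to 192.0.2.11 was denied. A bindshell hit whose exploit step predates the log window is deliberately not matched here, so a separate alert on any allowed inbound 8555 connection is still worth having.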
One submitter tells us:
Symantec has widely reported vulnerabilities in clients 10.0.2.2000 and below. It is a remotely exploitable vulnerability that does not require user intervention. 10.0.2.2002 remediates the problem.

The question remains, why the port 2968 variant? Since the attack is using Windows shellcode, and running Windows commands for backchannel propagation, why go after the port used on Novell Netware versions of Symantec Live Update?
Your thoughts are welcome, as always.
Adrien de Beaupre
Jan 12th 2007