On 2/18/06, Gadi Evron <ge@xxxxxxxxxxxx> wrote:
> A quick digest of some updates from the last few hours on this issue:
>
> 1. The worm is based on 'kaiten', which has been going around in
> different variants for a long time now.
>
> 2. This worm is new.
>
> 3. The first part exploits PHP applications, like these variants
> normally do.
>
> 4. The second part spreads to other systems.
>
> 5. The worm connects to a botnet C&C based on two Fast-flux DNS RRs
> which are not there anymore, and as they change, are taken down.
>
> As always, more updates if necessary on: http://blog.securiteam.com
>

Looking at items on blog.securiteam.com, the IP address the worm was being
downloaded from in the beginning showed up around Feb 14, 2005 in all the
logs I have. I am not sure if this was a precursor to the newer worm though.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator
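Item 5 in the quoted digest is the reason takedowns of the C&C's individual addresses keep failing: a fast-flux name rotates through many unrelated hosts with short TTLs, so removing any one host or netblock leaves the channel alive. The script below is an added example, not code from either poster or from the worm itself, showing the check a responder would run over a batch of DNS observations to pick out names that behave that way. The names, addresses (RFC 5737 documentation ranges), TTLs and the thresholds in is_fast_flux() are all constructed assumptions for illustration; the heuristic is deliberately conjunctive so that a CDN's low-TTL round robin or a single-host long-TTL name does not trip it.

```python
# Added example (not code from either poster): a small fast-flux DNS heuristic
# run over constructed DNS observations. A fast-flux C&C name rotates through
# many unrelated IPs with low TTLs, so taking down any one address or netblock
# does not kill the channel; the name itself is the durable indicator.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Observation:
    """One DNS answer seen for a name. IPv4 only, for brevity."""
    t: int           # seconds into the observation window
    name: str        # queried name
    addrs: tuple     # A records in the answer
    ttl: int         # TTL the answer carried


# Constructed sample data (hypothetical names, RFC 5737 documentation addresses).
SAMPLE = (
    # Flux-like: new addresses on every lookup, spread over several /16s, TTL 300.
    Observation(0,    "cc.example.invalid", ("203.0.113.5", "198.51.100.9"), 300),
    Observation(300,  "cc.example.invalid", ("192.0.2.77", "203.0.113.201"), 300),
    Observation(600,  "cc.example.invalid", ("198.51.100.44", "192.0.2.130"), 300),
    Observation(900,  "cc.example.invalid", ("203.0.113.88", "198.51.100.120"), 300),
    # CDN-like: round robin with a low TTL, but every address sits in one /16.
    Observation(0,    "cdn.example.invalid", ("203.0.113.10", "203.0.113.11"), 60),
    Observation(60,   "cdn.example.invalid", ("203.0.113.12", "203.0.113.13"), 60),
    Observation(120,  "cdn.example.invalid", ("203.0.113.14", "203.0.113.15"), 60),
    # Static: one address, long TTL.
    Observation(0,    "www.example.invalid", ("192.0.2.10",), 86400),
    Observation(3600, "www.example.invalid", ("192.0.2.10",), 86400),
)


def prefix16(addr: str) -> str:
    """Return the /16 network containing addr, e.g. '203.0.113.5' -> '203.0.0.0'."""
    a = int(IPv4Address(addr))
    return str(IPv4Address(a & 0xFFFF0000))


def summarize(observations):
    """Collapse observations into the per-name statistics the heuristic uses."""
    stats = defaultdict(lambda: {"addrs": set(), "nets": set(),
                                 "min_ttl": None, "answers": 0})
    for o in observations:
        s = stats[o.name]
        s["answers"] += 1
        s["addrs"].update(o.addrs)
        s["nets"].update(prefix16(a) for a in o.addrs)
        s["min_ttl"] = o.ttl if s["min_ttl"] is None else min(s["min_ttl"], o.ttl)
    return stats


def is_fast_flux(s, min_addrs=6, min_nets=3, max_ttl=600):
    """Thresholds are assumptions for this example, not from the post: flag a
    name only when it showed many distinct addresses, spread across several
    /16s, and always with a short TTL. Any one signal alone (a CDN's low TTL,
    an anycast name's many addresses) is not enough."""
    return (len(s["addrs"]) >= min_addrs
            and len(s["nets"]) >= min_nets
            and s["min_ttl"] is not None
            and s["min_ttl"] <= max_ttl)


def classify(observations):
    """Map each observed name to True (fast-flux candidate) or False."""
    return {name: is_fast_flux(s) for name, s in summarize(observations).items()}


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE).items():
        print(f"{name}: {'fast-flux candidate' if verdict else 'ok'}")
```

In practice the observations would come from a passive DNS feed or from a resolver log re-queried on a timer; the per-name summary is what you would hand to whoever is coordinating the takedown, since blocking the name (or its nameservers) holds up where blocking the rotating addresses does not.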