BOT That Scans for Vulnerable Cisco Routers

A short write-up at the ISC
featured a bot worm that is reported to have the capability to scan
for vulnerable Cisco routers.


This bot was tagged by Symantec as
W32.Spybot.ZIF
last November 1, 2005 and the malware was
reported to “scan a specified network range for Cisco routers
that may have vulnerable Telnet or HTTP servers running and report
results back to IRC.



A cursory glance at the binary dump shows:


0003E600 0043E600 0 cisco23

0003E60A 0043E60A 0 Cisco Telnet

0003E640 0043E640 0 cisco80

0003E64A 0043E64A 0 Cisco HTTP

0003E7DA 0043E7DA 0 YZqbgff

0003E840 0043E840 0 [SCAN]: Exploit Statistics:

0003E85C 0043E85C 0 %s: %d,

0003E868 0043E868 0 Total: %d in %s.

0003E87C 0043E87C 0 [SCAN]: Current IP: %s.

0003E894 0043E894 0 [SCAN]: Scan not active.



Hmmm…


Trend Micro discovered and detected this malware as
WORM_RBOT.CMR
as early as October 14, 2005. What’s more, we’ve
acquired new Upack-repacked samples of the same malware that will
be detected under the same name of WORM_RBOT.CMR.


Needless to say, let’s be sure that we patch those vulnerable Cisco
routers, ok?