Sagevo Worm
January 4th, 2007 - 11:37am
I have been seeing an increase in Sagevo Worm attempts during the past month. It attempts to exploit Symantec Client Security and Symantec AntiVirus Elevation of Privilege issues by connecting to TCP port 2967 and pushing out about 4628 bytes to create a buffer overrun condition. Fortunately, I have this port blocked by Firestarter on my Linux firewall, but nonetheless, it is interesting to watch the activity.
Read on to see a chart of the number of attacks per day.
Note: Due to a policy setting change, data is missing from 1/4/07 through 1/9/07 (and a few hours on 1/10/07).
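One way to produce per-day counts like these from the firewall's own logs, as an added example that is not part of the original post. It assumes blocked packets are written to syslog in the netfilter LOG format; the sample lines, the "Inbound" prefix, the host name and the addresses are constructed, and the year is passed in because syslog timestamps omit it. Days with no entries are reported separately, since a logging gap like the one noted above otherwise looks like a day with zero attempts.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in netfilter LOG syslog format (documentation-range addresses;
# the "Inbound" prefix and host name "fw" are assumptions, not taken from the post).
SAMPLE_LOG = """\
Jan  3 12:00:00 fw kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=4020 DPT=445 WINDOW=65535 SYN URGP=0
Jan  3 23:58:10 fw kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=4021 DPT=2967 WINDOW=65535 SYN URGP=0
Jan  3 23:59:41 fw kernel: Inbound IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.10 LEN=48 TTL=109 PROTO=TCP SPT=1877 DPT=2967 WINDOW=16384 SYN URGP=0
Jan  3 23:59:50 fw kernel: Inbound IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.10 LEN=28 TTL=109 PROTO=UDP SPT=500 DPT=2967 LEN=8
Jan 10 08:15:00 fw kernel: Inbound IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.10 LEN=48 TTL=109 PROTO=TCP SPT=2001 DPT=2967 WINDOW=16384 SYN URGP=0
Jan 10 08:15:03 fw kernel: Inbound IN=eth0 OUT= SRC=203.0.113.22 DST=192.0.2.10 LEN=48 TTL=109 PROTO=TCP SPT=2002 DPT=2967 WINDOW=16384 SYN URGP=0
Jan 10 19:02:44 fw kernel: Inbound IN=eth0 OUT= SRC=198.51.100.90 DST=192.0.2.10 LEN=48 TTL=115 PROTO=TCP SPT=3310 DPT=2967 WINDOW=65535 SYN URGP=0
Jan 11 01:20:09 fw kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TTL=113 PROTO=TCP SPT=4100 DPT=2967 WINDOW=65535 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) [\d:]{8} .*?\bSRC=(\S+) .*?\bPROTO=(\w+) .*?\bDPT=(\d+)")

def attempts_per_day(lines, year, port=2967):
    """Return ({date: hits}, {date: source IPs}) for logged TCP SYNs to `port`."""
    hits, sources = Counter(), {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group(4) != "TCP" or int(m.group(5)) != port:
            continue
        if " SYN " not in line:          # count connection attempts only
            continue
        day = datetime.strptime(f"{year} {m.group(1)} {m.group(2)}", "%Y %b %d").date()
        hits[day] += 1
        sources.setdefault(day, set()).add(m.group(3))
    return hits, sources

def days_without_data(hits):
    """Days between the first and last hit with no entries (logging gap or quiet day)."""
    if not hits:
        return []
    first, last = min(hits), max(hits)
    span = (first + timedelta(n) for n in range((last - first).days + 1))
    return [d for d in span if d not in hits]

if __name__ == "__main__":
    hits, sources = attempts_per_day(SAMPLE_LOG.splitlines(), year=2007)
    for day in sorted(hits):
        print(day, hits[day], "attempts from", len(sources[day]), "sources")
    print("no data:", [d.isoformat() for d in days_without_data(hits)])
```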
