W32.Spybot.ACYR Testing the Waters

A new bot is appearing on university networks, here and there and in small numbers. That is surprising, since many of the computers are vulnerable and only a few are being infected. Someone could be testing the setup of a new botnet by sampling small groups of computers spread around the nation. The programs have been spreading by exploiting a six-month-old flaw in Symantec's Corporate Edition antivirus and Client Security products, along with five patched vulnerabilities in Microsoft software. Most home users should not be affected.

The bot program, identified as W32.Spybot.ACYR by Symantec, has compromised a small number of systems at various universities, including about 30 systems at the University of Arkansas and another 150 systems at the University of New South Wales in Australia. The spread of the bot software became noticed because of an inordinate amount of traffic to the network port number used by Symantec's software; both the Internet Storm Center and the Research and Education Networking Information Sharing and Analysis Center (REN-ISAC) reported spikes in traffic to port 2967.

Source: Bot spreads through antivirus, Windows flaws

Symantec has only had four reports submitted, all from educational institutions, and their network analysis system has detected a couple of spikes in traffic on port 2967. The bots connect to an IRC (Internet Relay Chat) channel and await commands. The bot tries to detect whether it is running in a honeypot by looking for signs of debugger or virtual machine software, and it uses FTP (File Transfer Protocol) programs to copy itself to other machines.
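The port 2967 spikes described above can be checked for on a local network. The following is an added example, not code from the original post or from Symantec: it assumes a simple flow-log format (`time src dst proto dport`), uses constructed addresses and dates, and uses assumed thresholds that would need tuning for a real network.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

SYMANTEC_PORT = 2967   # port named in the reports above
FANOUT_THRESHOLD = 5   # assumed: distinct targets per source per hour
SPIKE_FACTOR = 3.0     # assumed: multiple of the median hourly count

# Constructed flow records: "ISO-time src dst proto dport"
SAMPLE_FLOWS = [
    "2000-01-01T09:05:00 10.1.2.10 10.1.0.5 tcp 2967",
    "2000-01-01T09:40:00 10.1.2.11 10.1.0.5 tcp 2967",
    "2000-01-01T10:02:00 10.1.2.10 10.1.0.5 tcp 2967",
    "2000-01-01T10:30:00 10.1.2.12 10.1.0.5 tcp 2967",
    "2000-01-01T11:15:00 10.1.2.10 10.1.0.5 tcp 2967",
    "2000-01-01T12:01:00 10.1.2.11 10.1.0.5 tcp 2967",
    "2000-01-01T12:03:00 10.1.4.23 10.1.9.9 tcp 80",  # other port, ignored
    "truncated record",                               # malformed, ignored
] + [f"2000-01-01T12:{m:02d}:00 10.1.4.23 10.1.7.{m} tcp 2967" for m in range(10, 18)]

def parse(line):
    """Return (hour, src, dst) for a flow to tcp/2967, else None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
    except ValueError:
        return None
    if proto.lower() != "tcp" or dport != str(SYMANTEC_PORT):
        return None
    return hour, src, dst

def analyze(lines):
    """Return (spike hours, sources fanning out to many hosts)."""
    per_hour, targets = defaultdict(int), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        hour, src, dst = rec
        per_hour[hour] += 1
        targets[(hour, src)].add(dst)
    baseline = max(median(per_hour.values()), 1) if per_hour else 1
    spikes = sorted(h for h, n in per_hour.items() if n > SPIKE_FACTOR * baseline)
    scanners = sorted({s for (_, s), d in targets.items() if len(d) >= FANOUT_THRESHOLD})
    return spikes, scanners

if __name__ == "__main__":
    spikes, scanners = analyze(SAMPLE_FLOWS)
    print("spike hours:", [h.isoformat() for h in spikes])
    print("fan-out sources:", scanners)
```

A source that appears in the fan-out list is contacting many different machines on the Symantec port within one hour, which is worth investigating as a possibly infected host.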

As always, keep your antivirus, anti-spyware and Windows software updated, and you will almost always be fine. Throw in some good computer practices and you should be good to go.