Telnet virus?

Geoff McDonald Geoff_McDonald at symantec.com
Tue Mar 27 16:00:25 UTC 2012


A few days before Christmas (Dec 23, 2011) you guys pushed out a critical remote-code-execution patch affecting Telnet (FreeBSD-SA-11:08.telnetd, CVE-2011-4862), and Colin Percival noted that the unusual patch timing was forced by exploitation of the vulnerability in the wild.

Starting in December, we have seen the number of firewall hits on port 23 TCP more than double, to around the same number of events as the pretty large Morto RDP brute-forcing worm on 3389. This level of activity could be associated with a worm. By any chance do you have more information about the exploitation of the patched Telnet vulnerability in the wild? Does anyone happen to have a sample of the worm if there is one?

I understand this issue is not specific to FreeBSD, it is just that you guys seemed to be the first people to patch the issue and were the ones to report it being actively exploited in the wild.

References:
http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862
http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc


---
Geoff McDonald
Threat Analyst
Symantec Corporation
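The kind of month-over-month comparison described in the post (hits on port 23 TCP more than doubling, measured against a known-noisy port such as 3389) can be reproduced from firewall drop logs. The following is an added example, not code from the original message or from Symantec or FreeBSD; the log line format and the sample lines are constructed, and the 2x threshold is an assumption. It also reports the number of distinct source addresses per port, since a surge driven by many distinct sources is more consistent with worm activity than a surge from a single scanner.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (not from the original message).
# The format is an assumption: "<YYYY-MM-DD> DROP <src_ip> -> <dst_ip>:<dst_port>/tcp"
SAMPLE_LOG = """\
2011-11-02 DROP 203.0.113.5 -> 198.51.100.10:23/tcp
2011-11-09 DROP 203.0.113.7 -> 198.51.100.10:3389/tcp
2011-11-15 DROP 203.0.113.9 -> 198.51.100.11:3389/tcp
2011-11-21 DROP 203.0.113.5 -> 198.51.100.10:23/tcp
2011-11-28 DROP 203.0.113.12 -> 198.51.100.12:3389/tcp
2011-12-03 DROP 203.0.113.21 -> 198.51.100.10:23/tcp
2011-12-05 DROP 203.0.113.22 -> 198.51.100.11:23/tcp
2011-12-11 DROP 203.0.113.23 -> 198.51.100.12:23/tcp
2011-12-14 DROP 203.0.113.24 -> 198.51.100.10:23/tcp
2011-12-19 DROP 203.0.113.25 -> 198.51.100.13:23/tcp
2011-12-22 DROP 203.0.113.7 -> 198.51.100.10:3389/tcp
2011-12-27 DROP 203.0.113.9 -> 198.51.100.11:3389/tcp
2011-12-29 DROP 203.0.113.12 -> 198.51.100.12:3389/tcp
"""

# Captures the YYYY-MM month, the source address and the destination port.
LINE_RE = re.compile(r"^(\d{4}-\d{2})-\d{2} \S+ (\S+) -> \S+:(\d+)/tcp$")


def hits_per_month(log_text):
    """Aggregate log lines into per-month hit counts and distinct sources per port.

    Returns (counts, sources) where counts[month][port] is the number of hits
    and sources[month][port] is the set of source addresses seen for that port.
    """
    counts = defaultdict(Counter)
    sources = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        month, src, port = m.group(1), m.group(2), int(m.group(3))
        counts[month][port] += 1
        sources[month][port].add(src)
    return counts, sources


def port_growth(counts, port, baseline, current):
    """Ratio of hits on `port` in `current` vs `baseline` (a zero baseline yields inf)."""
    base = counts[baseline][port]
    cur = counts[current][port]
    if base == 0:
        return float("inf") if cur else 0.0
    return cur / base


def flag_surging_ports(log_text, baseline, current, factor=2.0):
    """Return ports whose hit count grew by at least `factor` between the two months.

    Each flagged port maps to its baseline and current hit counts, the growth
    ratio, and the number of distinct source addresses in the current month.
    """
    counts, sources = hits_per_month(log_text)
    flagged = {}
    for port in set(counts[baseline]) | set(counts[current]):
        ratio = port_growth(counts, port, baseline, current)
        if ratio >= factor:
            flagged[port] = {
                "baseline_hits": counts[baseline][port],
                "current_hits": counts[current][port],
                "ratio": ratio,
                "distinct_sources": len(sources[current][port]),
            }
    return flagged


if __name__ == "__main__":
    for port, info in sorted(flag_surging_ports(SAMPLE_LOG, "2011-11", "2011-12").items()):
        print(f"port {port}: {info['baseline_hits']} -> {info['current_hits']} hits "
              f"(x{info['ratio']:.1f}), {info['distinct_sources']} distinct sources")
```

On the constructed sample, port 23 goes from 2 to 5 hits across 5 distinct sources while 3389 stays flat, so only port 23 is flagged; on real logs the baseline month should be chosen well before the advisory date so that the comparison is not already contaminated by the surge.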

