It seems to be true.. I haven't seen any
code yet but--
http://lists.netsys.com/pipermail/full-disclosure/2003-August/007717.html
Some people have mistakenly assumed I was talking about the
exploit and berated me for being "a week out of date.."
To clarify -- I'm talking about a worm based around the
exploit.
For the last few days (maybe it's a full week now), we
do see SDBot variants that include the RPC DCOM exploit.
This has so far explained the increase in rpc scan
activity. At this point, I don't think they qualify
as a 'worm'. But it's close.
http://www.dshield.org/port_report.php?port=135&recax=1&tarax=1
On the other hand, SQL Slammer is still a lot more
active at this point:
http://www.dshield.org/port_report.php?port=1434&recax=1&tarax=1