[nsp-sec] dlink router worm or dlink compromise leads to infected PCs?

Rob Thomas robt at cymru.com
Sat Mar 22 13:20:49 EDT 2008


Hi, team.

We've more insight to share.

The bot has a name - Hydra.

The author has been giving live demonstrations from his botnet to  
potential buyers.  It was hosted on 212.233.39.46 TCP 1337, but  
appears to have migrated.  Time to check those flows!

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);