making it more secure 
 

Over the weekend of 12th - 15th May, news of an interesting exploit against VNC was announced (CVE-2006-2369), enabling an attacker to bypass the VNC authentication on the server and gain remote access to the desktop. We’ve been looking for signs of increased activity against the VNC ports (typically 5900, although, depending on the configuration, more could be in use).

ISC have had recent reports of exploits in the wild, and from the activity we have seen, we can corroborate this.

Looking at data gathered from IDS systems at various points around the net, we can see a number of hosts performing co-ordinated scanning against port 5900. This activity is increasing. Some “script-kiddie” tools are starting to become available, and the evidence seems to suggest that they are being used - we could be seeing manual scans, or automated scans. The possibility of a worm exploiting this vulnerability cannot be ruled out - although we’ll get a better idea of this as time moves on.



The graph above shows a significant lift in the amount of port 5900 scanning during the last week when compared with the previous three weeks. What is interesting is that there are a number of significant spikes in activity during the prior weeks (one on the 15th May after the initial disclosure), but other spikes occurred on 1st, 2nd and 8th May. Further analysis is required to determine if this is evidence of the vulnerability being exploited before the public disclosure.
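An added example, not from the original post: one way to put numbers on the comparison the graph makes, measuring the lift in port 5900 probes for the latest week against the three weeks before it and picking out isolated spike days. The event tuple layout, function names and thresholds are assumptions, and the sample events are constructed rather than real IDS data.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

VNC_PORT = 5900

def daily_probes(events, port=VNC_PORT):
    """Return {day: (probe_count, distinct_sources)} for one destination port."""
    hits, sources = Counter(), defaultdict(set)
    for day, src, dport in events:
        if dport == port:
            hits[day] += 1
            sources[day].add(src)
    return {d: (hits[d], len(sources[d])) for d in hits}

def weekly_lift(per_day, week_start, baseline_weeks=3):
    """Mean daily probes in the week from week_start over the mean of the weeks before."""
    def mean_daily(start, days):
        total = sum(per_day.get(start + timedelta(i), (0, 0))[0] for i in range(days))
        return total / days
    baseline = mean_daily(week_start - timedelta(7 * baseline_weeks), 7 * baseline_weeks)
    return mean_daily(week_start, 7) / baseline if baseline else float("inf")

def spike_days(per_day, start, days, k=5):
    """Days in the window whose count exceeds median + k * MAD (MAD floored at 1)."""
    window = [start + timedelta(i) for i in range(days)]
    counts = [per_day.get(d, (0, 0))[0] for d in window]
    med = median(counts)
    mad = max(median(abs(c - med) for c in counts), 1)
    return [d for d, c in zip(window, counts) if c > med + k * mad]

def build_sample():
    """Constructed events (day, source IP, destination port); not real IDS data."""
    events, first = [], date(2006, 4, 24)
    for i in range(28):
        day = first + timedelta(i)
        if i >= 21:                                    # final week: many sources
            n, srcs = 80, 12
        elif day.month == 5 and day.day in (1, 2, 8):  # isolated earlier spikes
            n, srcs = 60, 3
        else:                                          # background noise
            n, srcs = 10, 2
        events += [(day, f"198.51.100.{j % srcs + 1}", VNC_PORT) for j in range(n)]
        events.append((day, "198.51.100.200", 22))     # unrelated traffic, ignored
    return events

if __name__ == "__main__":
    per_day = daily_probes(build_sample())
    print(round(weekly_lift(per_day, date(2006, 5, 15)), 2),
          spike_days(per_day, date(2006, 4, 24), 21))
```

The distinct-source count per day helps separate a handful of noisy scanners from many hosts probing at once.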

Update

I’ve done some further analysis on the pre-disclosure spikes, and these can be attributed to other factors than indications of activity prior to the disclosure - so the increased activity follows the availability of the patches. If you’ve applied the patches in good time (on the 12th, when they became available), you should be able to relax. A bit.
