Tuesday, January 16th 2007

Persistant 'zombie' attacks target systems protected by corporate editions of Symantec antivirus

Once again, it really pays to keep your virus protection updated. A new worm, which seems to be a spybot variant, works on a flaw found in older versions of Symantec antivirus for corporations. While personal editions of the software are not affected, any corporation running an older version of Symantec Norton will be vulnerable to the worm. The worm turns whatever it infects into a "zombie" PC, which only serves to copy and send the virus. Symantec had a fix for the problem on May 25th, but not all users downloaded it. Symantec is re-evaluating it's patch/virus definition distribution method.Source: CNET
Add your own comment

6 Comments on Persistant 'zombie' attacks target systems protected by corporate editions of Symantec antivirus

#2
Steevo
Trying to see if you haxored your stuff and are running a webserver, or FTP.



It happens.
Posted on Reply
#3
WarEagleAU
Bird of Prey
Symantec is a great product, but they cant force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).
Posted on Reply
#4
DanTheBanjoman
Señor Moderator
by: WarEagleAU
Symantec is a great product, but they cant force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).
Symantec is the company. As for their products, they're mostly bloated memory hogs.
Posted on Reply
#5
overcast
by: russianboy
my good System Suite 7 protects me excellently


(SS7 told me that my ISP was doing portscans wtf? :wtf: :shadedshu )
Those software "firewall" , "security" suite whatever things, constantly show false positives about everything. However, it's not out of the question that an ISP would do portscans to check for users hosting services such as www and ftp.
Posted on Reply
#6
Alec§taar
HOW TO SECURE VULNERABLE SERVICES vs. BUFFEROVERFLOW ESCALATION OF PRIVELEGE ATTACKS

HOW TO SECURE VULNERABLE SERVICES vs. BUFFEROVERFLOW ESCALATION OF PRIVELEGE ATTACKS

Per a discussion I had w/ Russ Cooper from NtBugTraq here on our forums in this NEWS section:

A "working-work around" I discovered earlier in 2005-2006 & posted here on these forums (now a STICKY thread in the GENERAL SOFTWARE SECTION of the forums) & prior to that on SETI@Home & Folding@Home forums, that should help in the meantime, is listed below...

http://forums.techpowerup.com/showthread.php?p=232495#post232495

=============================================
PERTINENT MATERIAL EXCERPT:
=============================================

by: NTBugtraq
2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.
A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.

SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:

http://forums.techpowerup.com/showthread.php?t=16097

& later here, when the folks here "wikipediafied it":

SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:

reference.techpowerup.com/Securing_Windows_Services

The technique noted by myself counters for services buffer overflow escalation of privelege attacks (the very thing you noted as an example, & it works against it, by lowering services logon privelege entities - very safe & simple) IF the service in question is securable thus (not ALL are unfortunately due to WHAT they may have to be able to do, priveleges wise).

Many antivirus makers' ware can have their services/daemons can be limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.

Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...

----------------------------------------------------------

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS LOCAL SERVICE (& they will still work fully & fine):

Symantec AntiVirus
Symantec AntiVirus Definitions Watcher Service

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS NETWORK SERVICE (& they will still work fully & fine):

SAV Roam
Symantec LiveUpdate

=============================================

:)

* Microsoft now also has a subset of this material (covering only their default OS services though, ONLY (my list has FAR MORE that apply & can do this) on their technet/knowledgebase websites, which appeared 6 months or more after I wrote mine up!

(So, that said? Well, you KNOW this works well enough, as a substantiation of it, because MS has it also, albeit far after the article I authored here & elsewhere on it, & far less services this security technique applies to!)

APK

P.S.=> This technique also works in the patched model, 10.2 (& above), of the Norton/Symantec Corporate Edition AntiVirus client program, some "FYI" & a good general measure of protection against exploitable services (not just NORTON/SYMANTEC ONES, mind you)!

The URL above detailing HOW this defense mechanism is done (easy, via services.msc) also notes many other services this can apply to, to protect you vs. this type of attack... apk
Posted on Reply