Persistant 'zombie' attacks target systems protected by corporate editions of Symantec antivirus

zekrahminator · Jan 17, 2007, 12:38 AM

Once again, it really pays to keep your virus protection updated. A new worm, which seems to be a spybot variant, works on a flaw found in older versions of Symantec antivirus for corporations. While personal editions of the software are not affected, any corporation running an older version of Symantec Norton will be vulnerable to the worm. The worm turns whatever it infects into a "zombie" PC, which only serves to copy and send the virus. Symantec had a fix for the problem on May 25th, but not all users downloaded it. Symantec is re-evaluating it's patch/virus definition distribution method.

Source: CNET

PVTCaboose1337 · Jan 17, 2007, 01:23 AM

Noobs got pwnt.

Steevo · Jan 17, 2007, 04:14 AM

Trying to see if you haxored your stuff and are running a webserver, or FTP.

It happens.

WarEagleAU · Jan 17, 2007, 12:33 PM

Symantec is a great product, but they cant force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).

DanTheBanjoman · Jan 17, 2007, 12:47 PM

Quote:

Originally Posted by WarEagleAU

Symantec is a great product, but they cant force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).

Symantec is the company. As for their products, they're mostly bloated memory hogs.

overcast · Jan 17, 2007, 02:13 PM

Quote:

Originally Posted by russianboy

my good System Suite 7 protects me excellently

(SS7 told me that my ISP was doing portscans wtf?

)

Those software "firewall" , "security" suite whatever things, constantly show false positives about everything. However, it's not out of the question that an ISP would do portscans to check for users hosting services such as www and ftp.

Alec§taar · Jan 17, 2007, 02:40 PM

HOW TO SECURE VULNERABLE SERVICES vs. BUFFEROVERFLOW ESCALATION OF PRIVELEGE ATTACKS

Per a discussion I had w/ Russ Cooper from NtBugTraq here on our forums in this NEWS section:

A "working-work around" I discovered earlier in 2005-2006 & posted here on these forums (now a STICKY thread in the GENERAL SOFTWARE SECTION of the forums) & prior to that on SETI@Home & Folding@Home forums, that should help in the meantime, is listed below...

http://forums.techpowerup.com/showth...495#post232495

=============================================
PERTINENT MATERIAL EXCERPT:
=============================================

Quote:

Originally Posted by NTBugtraq

2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.

A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.

SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:

http://forums.techpowerup.com/showthread.php?t=16097

& later here, when the folks here "wikipediafied it":

SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:

http://reference.techpowerup.com/Sec...ndows_Services

The technique noted by myself counters for services buffer overflow escalation of privelege attacks (the very thing you noted as an example, & it works against it, by lowering services logon privelege entities - very safe & simple) IF the service in question is securable thus (not ALL are unfortunately due to WHAT they may have to be able to do, priveleges wise).

Many antivirus makers' ware can have their services/daemons can be limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.

Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...

----------------------------------------------------------

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS LOCAL SERVICE (& they will still work fully & fine):

Symantec AntiVirus
Symantec AntiVirus Definitions Watcher Service

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS NETWORK SERVICE (& they will still work fully & fine):

SAV Roam
Symantec LiveUpdate

=============================================

* Microsoft now also has a subset of this material (covering only their default OS services though, ONLY (my list has FAR MORE that apply & can do this) on their technet/knowledgebase websites, which appeared 6 months or more after I wrote mine up!

(So, that said? Well, you KNOW this works well enough, as a substantiation of it, because MS has it also, albeit far after the article I authored here & elsewhere on it, & far less services this security technique applies to!)

APK

P.S.=> This technique also works in the patched model, 10.2 (& above), of the Norton/Symantec Corporate Edition AntiVirus client program, some "FYI" & a good general measure of protection against exploitable services (not just NORTON/SYMANTEC ONES, mind you)!

The URL above detailing HOW this defense mechanism is done (easy, via services.msc) also notes many other services this can apply to, to protect you vs. this type of attack... apk

Jan 17, 2007, 12:38 AM	#1
zekrahminator McLovin Join Date: Jan 2006 Location: My house. Posts: 6,280 (2.35/day) Thanks: 105 Thanked 340 Times in 246 Posts System Specs	Persistant 'zombie' attacks target systems protected by corporate editions of Symantec antivirus Once again, it really pays to keep your virus protection updated. A new worm, which seems to be a spybot variant, works on a flaw found in older versions of Symantec antivirus for corporations. While personal editions of the software are not affected, any corporation running an older version of Symantec Norton will be vulnerable to the worm. The worm turns whatever it infects into a "zombie" PC, which only serves to copy and send the virus. Symantec had a fix for the problem on May 25th, but not all users downloaded it. Symantec is re-evaluating it's patch/virus definition distribution method. Source: CNET

Processor:	AMD Athlon 64 X2 4800+ Brisbane @ 2.8GHz (224x12.5, 1.425V)
Motherboard:	Gigabyte sumthin-or-another, it's got an nForce 430
Cooling:	Dual 120mm case fans front/rear, Arctic Cooling Freezer 64 Pro, Zalman VF-900 on GPU
Memory:	2GB G.Skill DDR2 800
Video Card:	Sapphire X850XT @ 580/600
Hard Disk:	WD 160 GB SATA hard drive.
Optical Drive:	Lite-On DVD-RW.
CRT/LCD Model:	Hanns G 19" widescreen, 5ms response time, 1440x900
Case:	Thermaltake Soprano (black with side window).
Sound Card:	Soundblaster Live! 24 bit (paired with X-530 speakers).
PSU:	ThermalTake 430W TR2
Software:	XP Home SP2, can't wait for Vista SP1.

Jan 17, 2007, 01:23 AM	#2
PVTCaboose1337 Graphical Hacker Join Date: Feb 2006 Location: San Antonio, Texas Posts: 7,478 (2.81/day) Thanks: 798 Thanked 1,174 Times in 834 Posts System Specs	Noobs got pwnt. __________________ CPU-Z validation sig pics temporarily blocked

System Name:	Whim
Processor:	Intel Core i5 2500k @ 4.4ghz
Motherboard:	Gigabyte P67A-D3-B3
Cooling:	Cooler Master Hyper 212+
Memory:	2 x 4GB G.Skill Ripjaws @ 1600mhz
Video Card:	Gigabyte GTX 670 2gb
Hard Disk:	WD 640gb Black (Main), WD 2tb Black (Secondary)
Optical Drive:	LG DVD-RW Drive
CRT/LCD Model:	Asus VE228 and Samsung 2053BW
Case:	Cooler Master 430 Elite
Sound Card:	Onboard > PA2V2 Amp > Senn 595's
PSU:	Seasonic 650w
Software:	Windows 7 Ultimate (Tweaked)

Jan 17, 2007, 04:14 AM	#3
Steevo Eligible for custom title Join Date: Nov 2005 Posts: 5,567 (2.02/day) Thanks: 238 Thanked 979 Times in 729 Posts System Specs	Trying to see if you haxored your stuff and are running a webserver, or FTP. It happens. __________________ “it would have been perfect....its got trains and the line"tech your kids not to do what iv done"(or similar) because i had obviously done something to warrent 2 e-thugs to come 4000miles out of their way and kill me.” -Solaris17 “yeah i failed. i noticed the "coming soon" part after i posted.” -Mussels “people are just stupid.” -W1zzard Yes I am evil, yes you can have some.

System Name:	MoFo
Processor:	AMD PhenomII 1100T @ 3.7Ghz/4.1Ghz Turbo
Motherboard:	Asus M3A32-MVP Deluxe 2202 BIOS
Cooling:	Swiftec 655 pump, Apogee GT, MCW60-R GPU, MCR360mm Rad, 1/2 loop.
Memory:	G-Skill 1200Mhz 5.5.5.15 2T
Video Card:	HD5870 1Gb HIS custom BIOS watercooled & VRM-R4
Hard Disk:	2 Agility 3 SSD RAID 0 on highpoint 640, 2 3TB RAID 0, 1 2TB and one failing 750Gb
Optical Drive:	Lite-On DL DVD
CRT/LCD Model:	Asus 1920X1200 60Hz 25.5" LCD, 46" 1080P Toshiba LCD
Case:	Rosewill R6A34-BK modded (thanks to MKmods)
Sound Card:	On Board
PSU:	750W PC Power & Cooling modded (thanks to MKmods)
Software:	Vista X64 Ultimate/Win 7 Ultimate
Benchmarks:	780 MBps read on HDD's 1052 core on 5870.

Jan 17, 2007, 12:33 PM	#4
WarEagleAU Bird of Prey Join Date: Jul 2006 Location: Gurley, AL Posts: 9,994 (3.99/day) Thanks: 3,810 Thanked 557 Times in 521 Posts System Specs	Symantec is a great product, but they cant force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected). __________________ =-TheEagle-= http://www.heatware.com/eval.php?id=62454 “You crazy? Surfing any website without an antivirus is like freaking with a dirty woman without protection” -OzzmanFloyd120 - Edited for content and clarity

System Name:	Boddha Getta
Processor:	AMD FX 6100 @ 4.432Ghz @1.401V
Motherboard:	ASUS M5A99X EVO AMD 990X AMD SB950
Cooling:	Custom Water. EK 240MM Kit, Supreme HSF - Runs 35C
Memory:	2 x 4GB Corsair Vengeance White LP @ 1.35V
Video Card:	XFX Radeon HD 6870 900/1050 (no OC yet)
Hard Disk:	WD Caviar Black 1.0TB, WD Caviar Green 1.0TB, WD 160GB
Optical Drive:	Samung SH22SL 22X Lightscribe DVD+/-R/RW LG BDRE Reader/Burner Lite ON Max Burner for burning Xbox
CRT/LCD Model:	Asus VH222/S 22: (21.5" Viewable) 1920x1080p HDMI LCD Monitor
Case:	NZXT White Phantom
Sound Card:	Onboard Realtek 5.1
PSU:	NZXT Hale 90 Gold Cert 750W Modular PSU
Software:	Windows 7 Pro 64 bit.
Benchmarks:	5.9 Windows Index rating 3D06 - 17472

Processor:	Dual Xeon 5506
Motherboard:	Asus Z8NA-D6
Cooling:	2x Thermalright HR-01 X/passive
Memory:	6GB Corsair something
Video Card:	EVGA GTX 260 Core 216
Hard Disk:	None
Optical Drive:	None
CRT/LCD Model:	24" Asus
Case:	Thermaltake Swing
Sound Card:	Onboard
PSU:	620W CM
Software:	Win2k8

Processor:	AMD Opteron 165 @ 2.7ghz Stock Voltage
Motherboard:	ASUS A8N-SLI Premium
Cooling:	Stock Opteron
Memory:	OCZ PC4000 EB Platinum 2GB
Video Card:	ATI X1900XTX
Hard Disk:	2 x Western Digital 74gb Raptors
Optical Drive:	Plextor 708A
CRT/LCD Model:	NEC 990B 19"
Case:	Antec P150
Sound Card:	Onboard
PSU:	Seasonic S12-500
Software:	XP 32bit

Processor:	DualCore AMD Athlon 64x2 4800+ (o/c 2801mhz STABLE (Ketxxx, POGE, Tatty One, ME))
Motherboard:	ASUS A8N-SLI Premium (PCIe x16, x4, x1)
Cooling:	PhaseChange Coolermaster CM754/939 (fan/heatsink), Thermalright heatspreaders + fan built on (RAM)
Memory:	512mb PC-3200 DDR400 (set DDR-33 for o/c) by Corsair (matched pair, 2x256mb) 200.1/200mhz
Video Card:	BFG GeForce 7900 GTX OC 512mb GDDR3 ram (o/c manually to 686 core/865 memory) - PhaseChange cooled
Hard Disk:	Dual "Raptor X" 16mb 10krpm/RAID 0 Promise EX8350 x4 PCIe 128mb & Intel IO chip/CENATEK RocketDrive
Optical Drive:	SONY DRU-810a Double-Sided DvD burner
CRT/LCD Model:	SONY 19" Trinitron MultiScan 400ps 1600x1200 75hz refresh 32-bit color
Case:	Antec Super-LanBoy (aluminum baby-tower w/ lower front & upper rear cooling exhaust fans)
Sound Card:	RealTek AC97 onboard mobo stereo sound (Altec Lansing ACS-45 speakers - 10 yrs. still running!)
PSU:	Antec 500w ATX 2.0 "SmartPower" powersupply
Software:	Windows Server 2003 SP #1 fully patched, & massively tuned/tweaked to-the-max (plus latest drivers)

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)