
Persistent 'zombie' attacks target systems protected by corporate editions of Symantec antivirus

Discussion in 'News' started by zekrahminator, Jan 17, 2007.

  1. zekrahminator

    zekrahminator McLovin

    Once again, it really pays to keep your virus protection updated. A new worm, which seems to be a spybot variant, works on a flaw found in older versions of Symantec antivirus for corporations. While personal editions of the software are not affected, any corporation running an older version of Symantec Norton will be vulnerable to the worm. The worm turns whatever it infects into a "zombie" PC, which only serves to copy and send the virus. Symantec had a fix for the problem on May 25th, but not all users downloaded it. Symantec is re-evaluating its patch/virus definition distribution method.

    Source: CNET
     
  2. PVTCaboose1337

    PVTCaboose1337 Graphical Hacker

    Noobs got pwnt.
     
  3. Steevo

    Steevo

    Trying to see if you haxored your stuff and are running a webserver, or FTP.

    It happens.
     
  4. WarEagleAU

    WarEagleAU Bird of Prey

    Symantec is a great product, but they can't force everyone to update and download new patches (though, I think all antivirus companies should automatically force a download of a patch, just to make sure folks are protected).
     
  5. DanTheBanjoman Señor Moderator

    Symantec is the company. As for their products, they're mostly bloated memory hogs.
     
  6. overcast New Member

    Those software "firewall", "security" suite, whatever things constantly show false positives about everything. However, it's not out of the question that an ISP would do portscans to check for users hosting services such as www and ftp.
     
  7. Alec§taar New Member

    HOW TO SECURE VULNERABLE SERVICES VS. BUFFER OVERFLOW ESCALATION OF PRIVILEGE ATTACKS

    Per a discussion I had w/ Russ Cooper from NtBugTraq here on our forums in this NEWS section:

    A "working-work around" I discovered earlier in 2005-2006 & posted here on these forums (now a STICKY thread in the GENERAL SOFTWARE SECTION of the forums) & prior to that on SETI@Home & Folding@Home forums, that should help in the meantime, is listed below...

    http://forums.techpowerup.com/showthread.php?p=232495#post232495

    =============================================
    PERTINENT MATERIAL EXCERPT:
    =============================================

    A safe & easy to implement technique vs. THIS VERY THING you note in exploitable services running as SYSTEM when they don't HAVE TO BE as their logon entity.

    SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:

    http://forums.techpowerup.com/showthread.php?t=16097

    & later here, when the folks here "wikipediafied it":

    SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:

    reference.techpowerup.com/Securing_Windows_Services

    The technique noted by myself counters services buffer overflow escalation of privilege attacks (the very thing you noted as an example, & it works against it, by lowering services' logon privilege entities - very safe & simple) IF the service in question is securable thus (not ALL are, unfortunately, due to WHAT they may have to be able to do, privileges wise).

    Many antivirus makers' ware can have their services/daemons limited to NETWORK SERVICE entity levels, & lower, like LOCAL SERVICE levels.

    Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!)...

    ----------------------------------------------------------

    SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS LOCAL SERVICE (& they will still work fully & fine):

    Symantec AntiVirus
    Symantec AntiVirus Definitions Watcher Service

    SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS NETWORK SERVICE (& they will still work fully & fine):

    SAV Roam
    Symantec LiveUpdate

    =============================================

    :)

    * Microsoft now also has a subset of this material (covering only their default OS services, though; my list has FAR MORE that apply & can do this) on their technet/knowledgebase websites, which appeared 6 months or more after I wrote mine up!

    (So, that said? Well, you KNOW this works well enough, as a substantiation of it, because MS has it also, albeit far after the article I authored here & elsewhere on it, & far less services this security technique applies to!)

    APK

    P.S.=> This technique also works in the patched model, 10.2 (& above), of the Norton/Symantec Corporate Edition AntiVirus client program, some "FYI" & a good general measure of protection against exploitable services (not just NORTON/SYMANTEC ONES, mind you)!

    The URL above detailing HOW this defense mechanism is done (easy, via services.msc) also notes many other services this can apply to, to protect you vs. this type of attack... apk
     
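The service-hardening step described in the post above (lowering the logon account of the listed Symantec Corporate Edition client services from LocalSystem to Local Service / Network Service) done as a script rather than by hand in services.msc. This is an added example and not code from the thread or from Symantec; it assumes an elevated PowerShell session on the client, that the service display names match the ones listed in the post, and that the service's own permissions or tamper protection may refuse the change, which the script reports rather than hides. By default it only audits; `-Apply` performs the change with `sc.exe config`, and the new account takes effect the next time the service starts.

```powershell
# Added example (not from the thread): audit the Symantec Corporate Edition
# client services named in the post and, with -Apply, reassign their logon
# account the way the post describes (Local Service / Network Service).
# Assumptions: elevated PowerShell on the client; display names match the
# post; the change may be refused by service ACLs or tamper protection.

param(
    [switch]$Apply   # default is a dry run: report only, change nothing
)

# Mapping taken from the post: display name -> target logon account.
$TargetAccounts = @{
    'Symantec AntiVirus'                             = 'NT AUTHORITY\LocalService'
    'Symantec AntiVirus Definitions Watcher Service' = 'NT AUTHORITY\LocalService'
    'SAV Roam'                                       = 'NT AUTHORITY\NetworkService'
    'Symantec LiveUpdate'                            = 'NT AUTHORITY\NetworkService'
}

# Win32_Service exposes the real service name (which sc.exe needs) and the
# account the service currently logs on with (StartName).
$services = Get-CimInstance -ClassName Win32_Service

foreach ($displayName in $TargetAccounts.Keys) {
    $svc = $services | Where-Object { $_.DisplayName -eq $displayName }
    if (-not $svc) {
        Write-Host "[skip] '$displayName' is not installed on this host"
        continue
    }
    $current = $svc.StartName
    $wanted  = $TargetAccounts[$displayName]
    if ($current -eq $wanted) {
        Write-Host "[ok]   '$displayName' ($($svc.Name)) already runs as $current"
        continue
    }
    Write-Host "[warn] '$displayName' ($($svc.Name)) runs as $current, target is $wanted"
    if ($Apply) {
        # sc.exe config changes the logon account; the space after 'obj=' is
        # required by sc.exe's argument syntax. Built-in accounts need no
        # password. Takes effect on the next service start.
        $result = & sc.exe config $svc.Name obj= $wanted
        if ($LASTEXITCODE -ne 0) {
            Write-Host "[fail] could not reconfigure '$displayName': $result"
        } else {
            Write-Host "[done] '$displayName' will log on as $wanted after restart"
        }
    }
}

# The post notes that many other services can be lowered the same way; list
# what is still running as LocalSystem so each one can be reviewed by hand
# (some genuinely need it, as the post also points out).
$services |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.State -eq 'Running' } |
    Select-Object Name, DisplayName, PathName |
    Format-Table -AutoSize
```

Run it once without `-Apply` to see which of the four services still run as LocalSystem, then with `-Apply` to change them; restart each service (or reboot) afterwards and re-run the audit to confirm the new account stuck. The trailing LocalSystem listing is the starting point for the post's wider claim that the same change applies to many other services, but each of those needs checking individually, since a service that has to touch other users' sessions, drivers or protected files will break under a lower account.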
