
Persistent 'zombie' attacks target systems protected by corporate editions of Symantec antivirus

#1
Once again, it really pays to keep your virus protection updated. A new worm, which seems to be a spybot variant, works on a flaw found in older versions of Symantec antivirus for corporations. While personal editions of the software are not affected, any corporation running an older version of Symantec Norton will be vulnerable to the worm. The worm turns whatever it infects into a "zombie" PC, which only serves to copy and send the virus. Symantec had a fix for the problem on May 25th, but not all users downloaded it. Symantec is re-evaluating its patch/virus definition distribution method.


PVTCaboose1337

#2
Noobs got pwnt.
 
#3
Trying to see if you haxored your stuff and are running a webserver, or FTP.

It happens.
 

WarEagleAU

#4
Symantec is a great product, but they can't force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).
 

DanTheBanjoman

#5
> Symantec is a great product, but they can't force everyone to update and download new patches (though, I think all Antivirus companies should automatically force a download of a patch, just to make sure folks are protected).
Symantec is the company. As for their products, they're mostly bloated memory hogs.
 

overcast

#6
my good System Suite 7 protects me excellently


(SS7 told me that my ISP was doing portscans wtf?)
Those software "firewall", "security" suite whatever things constantly show false positives about everything. However, it's not out of the question that an ISP would do portscans to check for users hosting services such as www and ftp.
 
#7
HOW TO SECURE VULNERABLE SERVICES vs. BUFFER OVERFLOW ESCALATION OF PRIVILEGE ATTACKS

Per a discussion I had w/ Russ Cooper from NtBugTraq here on our forums in this NEWS section:

A "working-work around" I discovered earlier in 2005-2006 & posted here on these forums (now a STICKY thread in the GENERAL SOFTWARE SECTION of the forums) & prior to that on SETI@Home & Folding@Home forums, that should help in the meantime, is listed below...

http://forums.techpowerup.com/showthread.php?p=232495#post232495

=============================================
PERTINENT MATERIAL EXCERPT:
=============================================

2. "Shatter" attacks. Shatter attacks are where a process is launched which, as you've been referring to regarding messages between processes, feeds events/messages to other processes that have higher privilege. For example, in the past many AV programs had a core that ran as SYSTEM, and then UI processes that ran in the context of the running user. These components had methods to talk to each other. If I could gain control of the user component, I might be able to exploit the SYSTEM component...thereby gaining elevated privilege.
A safe & easy-to-implement technique vs. THIS VERY THING you note, in exploitable services running as SYSTEM when they don't HAVE TO BE, as their logon entity:

SECURING VULNERABLE SERVICES AGAINST ATTACK FORUM POST:

http://forums.techpowerup.com/showthread.php?t=16097

& later here, when the folks here "wikipediafied it":

SECURING VULNERABLE SERVICES AGAINST ATTACK TPU WIKI:

reference.techpowerup.com/Securing_Windows_Services

The technique noted by myself counters services buffer overflow escalation of privilege attacks (the very thing you noted as an example, & it works against it, by lowering services' logon privilege entities - very safe & simple) IF the service in question is securable thus (not ALL are, unfortunately, due to WHAT they may have to be able to do, privileges-wise).

Many antivirus makers' ware can have their services/daemons limited to NETWORK PROCESS entity levels, & lower, like LOCAL PROCESS levels.

Also, NORTON ANTIVIRUS (corporate edition @ least, post v.10.1 iirc) has "ANTITAMPER PROTECTION" as well, keeping its services list running no matter what - works well, I can't even MANUALLY SHUTDOWN 10.2 IF I TRY AS ADMIN!...

----------------------------------------------------------

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS LOCAL SERVICE (& they will still work fully & fine):

Symantec AntiVirus
Symantec AntiVirus Definitions Watcher Service

SYMANTEC CORP. EDITION CLIENT SERVICES TO SET AS NETWORK SERVICE (& they will still work fully & fine):

SAV Roam
Symantec LiveUpdate

=============================================

:)

* Microsoft now also has a subset of this material (covering ONLY their default OS services, though; my list has FAR MORE that apply & can do this) on their technet/knowledgebase websites, which appeared 6 months or more after I wrote mine up!

(So, that said? Well, you KNOW this works well enough, as a substantiation of it, because MS has it also, albeit far after the article I authored here & elsewhere on it, & far less services this security technique applies to!)

APK

P.S.=> This technique also works in the patched model, 10.2 (& above), of the Norton/Symantec Corporate Edition AntiVirus client program, some "FYI" & a good general measure of protection against exploitable services (not just NORTON/SYMANTEC ONES, mind you)!

The URL above detailing HOW this defense mechanism is done (easy, via services.msc) also notes many other services this can apply to, to protect you vs. this type of attack... apk
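One way to audit and apply the service-logon lowering described in this post, as an added PowerShell example that is not part of the original post or of Symantec's tooling: it assumes the four display names listed above match the installed services, that `sc.exe` is available, and that it is run from an elevated prompt; it only reports unless `-Apply` is given.

```powershell
# Added example (not from the original post): report which of the Symantec
# corporate-edition client services named in the post still log on as
# LocalSystem, and optionally re-point them at the reduced-privilege
# built-in accounts. Display names are taken from the post; the service
# key names are looked up at runtime rather than assumed.
[CmdletBinding()]
param([switch]$Apply)   # default is a dry run

# Target logon account per service display name, as listed in the post.
$Targets = @{
    'Symantec AntiVirus'                             = 'NT AUTHORITY\LocalService'
    'Symantec AntiVirus Definitions Watcher Service' = 'NT AUTHORITY\LocalService'
    'SAV Roam'                                       = 'NT AUTHORITY\NetworkService'
    'Symantec LiveUpdate'                            = 'NT AUTHORITY\NetworkService'
}

$services = Get-CimInstance -ClassName Win32_Service

foreach ($display in $Targets.Keys) {
    $svc = $services | Where-Object DisplayName -eq $display
    if (-not $svc) { Write-Warning "Not installed here: $display"; continue }

    $current = $svc.StartName          # 'LocalSystem' for the SYSTEM account
    $wanted  = $Targets[$display]
    if ($current -eq $wanted) {
        Write-Host "OK       $display already runs as $current"
        continue
    }
    Write-Host "REVIEW   $display runs as $current (target $wanted)"
    if ($Apply) {
        # sc.exe wants the key name, not the display name, and the space
        # after 'obj=' is required by its argument parser. Built-in
        # NT AUTHORITY accounts need no password.
        & sc.exe config $svc.Name obj= $wanted
        Write-Host "CHANGED  $display -> $wanted (takes effect on next service start)"
    }
}

# Wider audit: every other service still running as LocalSystem is a
# candidate for the same review (the post notes not all can be lowered).
$services |
    Where-Object { $_.StartName -eq 'LocalSystem' -and $_.DisplayName -notin $Targets.Keys } |
    Select-Object Name, DisplayName, StartMode, PathName |
    Sort-Object DisplayName |
    Format-Table -AutoSize
```

The post mentions the 10.2 client's antitamper protection; if it rejects the change, the same setting has to be made through the product's own management console (an assumption, not something the post states).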