Monday, January 15, 2007

Symantec vulnerability is really problematic!

Something I saw during the past weeks ... Symantec has widely reported vulnerabilities in clients 10.0.2.2000 and below. It is a remotely exploitable vulnerability that does not require user intervention. 10.0.2.2002 remediates the problem.

Over the last several days, we've experienced a significant number of systems (missing the Symantec patch) that have been exploited by a worm. The worm spreads by a number of mechanisms, notably the Symantec vulnerability over TCP port 2967. I was able to capture traffic from an infected host. The worm tries to phone home to 89.163.145.15:6667. By blocking this on the outbound firewall or router, the worm will stop attempting to spread. We have also captured a fair number of attacks against ports 2968 and 2967 over the last week, and they appear to be identical in payload. The shellcode opens a bindshell on port 8555, which is then connected to, and either ftp.exe or tftp.exe is used to download what appears to be the botnet client. I also found samples of new Spybots using this vulnerability at several sites in Belgium.

Long story short, be sure to patch your systems! The problem is harder than most of us think.
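As an added detection example (not code from the original post), the following Python flags the three behaviours described above in a firewall or flow log: the phone-home to 89.163.145.15:6667, hits on TCP 2967/2968, and connections to the 8555 bindshell. The simplified `src:sport -> dst:dport proto action` line format and the sample lines are constructed assumptions; adapt the regex to your own log format.

```python
import re
from typing import Dict, Iterable, Optional, Set

C2_ADDR = ("89.163.145.15", 6667)   # phone-home destination named in the post
EXPLOIT_PORTS = {2967, 2968}        # Symantec client ports the worm attacks
BINDSHELL_PORT = 8555               # port the shellcode's bindshell listens on

# Assumed log format: "... src:sport -> dst:dport proto action"
LINE_RE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>tcp|udp)\b",
    re.IGNORECASE,
)

def classify(line: str) -> Optional[str]:
    """Return a tag for a connection matching the worm's behaviour, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None                 # unparseable or unrelated line
    dst, dport = m["dst"], int(m["dport"])
    if m["proto"].lower() != "tcp":
        return None                 # all three indicators are TCP
    if (dst, dport) == C2_ADDR:
        return "c2-phone-home"      # beacon to the IRC-port host from the post
    if dport in EXPLOIT_PORTS:
        return "symantec-exploit-attempt"  # hit on the vulnerable service
    if dport == BINDSHELL_PORT:
        return "bindshell-connect"  # follow-up connect to the opened shell
    return None

def scan(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Group flagged lines by source host so infected machines can be isolated."""
    hits: Dict[str, Set[str]] = {}
    for line in lines:
        tag = classify(line)
        if tag:
            src = LINE_RE.search(line)["src"]
            hits.setdefault(src, set()).add(tag)
    return hits

SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2007-01-15 10:01:02 10.0.0.5:1034 -> 89.163.145.15:6667 tcp allow",
    "2007-01-15 10:01:09 10.0.0.5:1040 -> 10.0.0.23:2967 tcp allow",
    "2007-01-15 10:01:10 10.0.0.5:1041 -> 10.0.0.24:2968 tcp allow",
    "2007-01-15 10:01:15 10.0.0.5:1042 -> 10.0.0.23:8555 tcp allow",
    "2007-01-15 10:02:00 10.0.0.7:1100 -> 192.0.2.10:443 tcp allow",
]

if __name__ == "__main__":
    for host, tags in scan(SAMPLE_LOG).items():
        print(host, sorted(tags))   # 10.0.0.5 is the host to pull off the network
```

A host tagged with all three stages in a short window is almost certainly infected; a single exploit-attempt tag on an inbound line points at the external source to block.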