Tuesday, November 28, 2006

IRC Bot Attacks Symantec Overflow from May 2006

Very good write-up. Thanks to Fergie for pointing this out to me. This is a clear cut case study on why good corporate patch management is important.

Via Arbor Networks -

Back in May of this year, Symantec released an avisory entitled SYM06-010: Symantec Client Security and Symantec AntiVirus Elevation of Privilege. Those that took the time to read it beyond the title noticed that this isn’t just a local privilege elevation exploit. It’s an out and out remote stack overflow using a specific service (TCP port 2967). We started tracking possible exploit activity for this vulnerability in early June using an ATF policy to detect scans and exploit, with our thinking that someone would surely take an interest. Activity for this policy quickly dropped off our radar, buried underneath some juicy Windows and VNC holes that people focused on. We didn’t see many scanners for this service, and only a burst of a scan early last week.

That is, until now, in late November, when we see a bot using an exploit for this (and lots of people are curious). We had a look at the bot, and found that it’s a new exploit plugin for a garden variety SDBot. This thing’s a beast! It’s huge, not unlike a bloated bot that someone’s thrown everything into. A partial list of the capabilities this puppy appears to have:

  • SYMC06-010 exploit (TCP port 2967)
  • NetAPI (MS06-040), TCP port 445
  • DDoS and packet flooding (SYN, ACK, ICMP, UDP floods, for example)
  • Password theft and packet sniffing
  • It can enumerate other installed malware
  • The usual bunch of access capabilities
  • The usual bunch of brute force attacks, downloads, upload, proxy checks, etc

No comments:

Post a Comment