[unisog] More: Bot outbreak exploiting SYM06-010

Gary Flynn flynngn at jmu.edu
Tue Nov 28 16:19:43 GMT 2006


Robin Stubbs wrote:

> Thanks so much for posting this, all of you who have shared info on this.

I second those thanks.

> Someone here told me that this defect only affects managed installations. 
> Can someone verify that? I am concerned that Symantec does not state that so
> am wondering if that is true.

I don't have a definite answer but from my experience in installing
an unmanaged configuration which didn't open the port and from raw
results of campus port scans, I'm going on that assumption unless
evidence to the contrary surfaces.

> Secondly is it the case there are no patches for this?

There is an upgrade that fixes the defect.

> So if someone has a vulnerable
> version they have to uninstall it and install a new version?

That is my understanding although I think you can install the
new version over the old. I did with an unmanaged configuration.

> I would really not want to
> rely on an antivirus product getting the upper hand when the virus is already getting
> onto the system.

Agreed.

Although they've evidently provided a signature so the AV engine can
detect the start of the BOT process, I doubt it could detect the
exploit process itself nor the payload which is injected into memory,
not loaded from the file system. And theoretically, the payload's
first action could be to disable the AV engine before it starts
messing with the file system.


-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
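Gary mentions going on raw campus port-scan results to judge which installations actually expose the management port. As an added example (not from the original post, and not Symantec's tooling), the following Python script parses nmap's grepable (-oG) output and lists the hosts that report a given TCP port open, which is the inventory step a defender would run before deciding which machines need the upgrade. The scan lines are constructed for illustration, and the port number used in them is an assumed placeholder; the real port to check should be taken from the vendor advisory.

```python
import re
from typing import Dict, List

# Constructed sample of nmap grepable (-oG) output. Hosts are made up and the
# port number is an assumed placeholder standing in for the product's
# management port; it is not taken from the advisory.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - -p 2967,445 10.0.0.0/29
Host: 10.0.0.2 ()\tPorts: 2967/open/tcp//symantec-av///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (998)
Host: 10.0.0.3 ()\tPorts: 2967/closed/tcp//symantec-av///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.4 ()\tPorts: 2967/filtered/tcp//symantec-av///
Host: 10.0.0.5 ()\tPorts: 2967/open/tcp//symantec-av///
# Nmap done
"""

# "Host: <addr> (<name>)<tab>Ports: <entries>[<tab>Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_open_ports(grepable: str) -> Dict[str, List[int]]:
    """Map each scanned host to the TCP ports nmap reported as open.

    Each entry in the Ports field has the form
    port/state/protocol/owner/service/rpc-info/version; only the first
    three fields are needed here.
    """
    result: Dict[str, List[int]] = {}
    for line in grepable.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and "Status:" lines carry no port data
        host, ports_field = match.groups()
        open_ports: List[int] = []
        for entry in ports_field.split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue
            port, state, proto = parts[0], parts[1], parts[2]
            if state == "open" and proto == "tcp":
                open_ports.append(int(port))
        result[host] = open_ports
    return result


def hosts_listening_on(grepable: str, port: int) -> List[str]:
    """Return the hosts with the given TCP port open, sorted for stable output."""
    return sorted(
        host for host, ports in parse_open_ports(grepable).items() if port in ports
    )


if __name__ == "__main__":
    # Hosts reporting the (assumed) management port open are the ones to
    # review first for the upgrade.
    for host in hosts_listening_on(SAMPLE_SCAN, 2967):
        print(host)
```

Filtered and closed states are deliberately excluded, so a host behind a firewall that silently drops the probe will not appear in the list; treat the output as a lower bound on exposed installations, not a complete inventory.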
