Botnets exploit patched Symantec stack overflow flaw
Security researchers today warned of a significant worm attack exploiting an old target - a privilege-escalation flaw in Symantec's Client Security and AntiVirus Corporate Edition solution that was patched in May.
According to Symantec's Security Response Weblog, the worm variant, named W32.Spybot.ACYR, takes advantage of a patched stack overflow flaw that could allow an attacker to execute malicious code. It also seeks to exploit six other Microsoft vulnerabilities, all patched and some as old as a couple of years, said Vincent Weafer, senior director of Symantec security response.
The Cupertino, Calif.-based Symantec reported heightened traffic on Port 2967, used for communication when running the solution, although only in the .edu domain, typically more prone to attacks than more security-minded enterprises. Weafer said Symantec has received reports from 10 colleges that are seeing an increased amount of port scans.
"It's not a major event," Weafer told SCMagazine.com today. "It really looks like it's localized."
But researcher Joel Esler of the SANS Internet Storm Center said his organization has received reports of a "massive new outbreak of bots" exploiting the Symantec vulnerability. Weafer downplayed that claim, saying that because attackers are scanning a well-defined port, sensors are more prominently picking up the threat.
The Symantec Security Response blog suggested that customers apply the patch, available since May 25, to plug the hole. Users also are encouraged to employ the latest security updates for their products.
"We know somebody is out there," Weafer said. "This is a good reminder that people to patch their systems, particularly small businesses."
Should organizations be unable to apply the fixes, they should block Port 2967 at their firewall, according to Symantec's blog. The company said it will continue to investigate.
Click here to email Dan Kaplan.