PB389319
Summary
A new worm, code-named "Big Yellow", was discovered on December 15, 2006. Big Yellow is actively exploiting a remote Symantec buffer overflow vulnerability originally discovered on May 24, 2006. [1] This vulnerability was first publicly exploited by another similar worm on November 30, 2006.
This vulnerability can be found in the Microsoft Windows versions of Symantec Client Security versions 3.0 and 3.1 and Symantec AntiVirus Corporate Edition versions 10.0 to 10.1 products. In a May 2006 advisory, Symantec confirmed that Symantec Client Security and Symantec AntiVirus Corporate Edition are susceptible to a buffer overflow and issued a patch for vulnerable versions.
This vulnerability has already been exploited in several attacks. Cisco® has obtained exploit files, and has confirmed that the Cisco Security Agent is effective in stopping these exploits, using the default security policy configuration. Current supported versions of Cisco Security Agent 4.5.x, 5.0.x, and 5.1.x are all effective in stopping the exploits seen to date.
Details of the Vulnerability
The Big Yellow worm exploits the Symantec buffer overflow vulnerability and turns vulnerable computers into remote-controlled zombies. The new "botworm" scans for computers running the vulnerable Symantec software and then attempts to break in. [2] An attacker who successfully exploits this vulnerability could remotely take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
A similar worm, a variant of Spybot, spread in November 2006. When installed on a PC, both Spybot and Big Yellow were observed to open a back door in the system and connect to an Internet Relay Chat server to let the remote attacker control the compromised computer. Such remote control software is the most prevalent threat to Windows PCs, according to Microsoft. [2]
The Symantec buffer overflow vulnerability being exploited by the Big Yellow "botworm" is due to a boundary error in the remote management interface when processing "COM_FORWARD_LOG" commands. This can be exploited to cause a stack-based buffer overflow via a specially crafted "COM_FORWARD_LOG" command sent to port 2967/tcp. [3]
How Cisco Security Agent Stops the Exploit
Cisco Security Agent default policies contain multiple rules that stop the exploit from doing any damage. No changes to the Cisco Security Agent binaries or default configuration are required to get this protection.
The following actions have been observed being blocked by Cisco Security Agent running the default security policies:
• Modification of system files by a suspicious remote application
• Execution of a system function from a buffer, through a buffer overflow
• Execution of a suspicious application
This testing is shown in Figure 1.
Figure 1. Cisco Security Agent Default Configuration Stops the Symantec Big Yellow Botworm Exploit (Tested on Cisco Security Agent 5.1)
Note: The exploit was tested at Cisco, with the agent in Test mode, which will cause the agent to alert (but not block) malicious behavior. This was done to observe all possible ways that the Cisco Security Agent default policies would stop the exploit. When the agent is in Protect mode (the typical operational configuration), the first rule would kill the exploit: no subsequent events would be seen, since the exploit would be terminated before it could perform any malicious actions.
Testing was performed against the Cisco Security Agent default policies. No binary or policy update was needed for Cisco Security Agents to be effective. In short, this was a true test of "day-zero" protection. This is similar to what Cisco has seen with earlier exploits and worms-the default Cisco Security Agent configuration stopped the exploit, with no binary or policy updates required. The following is a partial list of prior worms and exploits that Cisco Security Agent has stopped via the default security policy settings:
This exploit is only the latest example of new and mutating attacks that can seriously affect an organization's computing and network environments. The key to stopping these new attacks is two-fold: the ability to stop the attack without requiring any changes to the default configuration, and multiple rules in the default policies that provide defense in depth.
References:
[1] eEYE Digital Security: http://research.eeye.com/html/alerts/AL20061215.html
[3] Secunia Advisory: http://secunia.com/advisories/20318