Discovery of Symantec Antivirus Exploit Gains Traction in Winter Rerun

Last week's announcement from security research firm eEye, claiming the discovery of an active exploit affecting Symantec's Antivirus suite, led to sweeping national headlines, some proclaiming the existence of a mutating "worm-bot" in the wild. But denials of the threat's severity from Symantec, asserting it's effectively the same problem that was discovered last May by eEye and patched by Symantec the following month, were surprisingly confirmed late yesterday.

Rather than the usual security advisory posted to its Web site, eEye last week shot off a press release, characterizing the worm as "a new class of malware," and christening it "Big Yellow" for dramatic effect. "IT urgently needs to understand that the new vector for attack will not come from Microsoft," eEye CTO Mark Maiffret was quoted as stating, "but from the myriad applications that are scattered throughout its network."

But is this worm truly a menace to society, deserving of a moniker straight out of "America's Most Wanted?" In an effort to deflect the ricochet, Symantec's press office spoke on Monday, including to InformationWeek, which responded with a headline that stopped just short of sounding the all-clear signal: "More Patched Systems, Fewer Potential Victims."

In that article, Symantec security response team senior director Vincent Weafer commented that his company believes the set of all systems vulnerable to this exploit consists entirely of those that were not patched last summer, indicating that Symantec believes whatever bot-like characteristics the worm may have, are not enough to foil a good software patch.

In an e-mail to BetaNews late Tuesday evening, eEye security researcher Andre Protas acknowledged Weafer's claim, saying Symantec's existing patch to its Client Security and Antivirus Corporate Edition packages "is in fact fully effective against this worm, as well as any variants that may come about down the road. The patch does indeed protect all customers that have installed the patch from all known variants of the worm, however many customers are going to find that they may not even have the patch installed."

So why the menacing monster metaphor? "The main problem here lies in Symantec auto-update process," wrote Protas, "where it does not release any executable updates via Live Update. Therefore, customers must actually monitor Symantec's site for information regarding patches, instead of just setting all of their hosts to auto-update like nearly every other enterprise-level software product allows. Then, once there is an update available, they must manually update all of the clients affected by pushing out the binary manually."

Protas then provided a link to Symantec's patch instructions, demonstrating the complexity of the problem.

But did that problem already exist last month, and the month before that, retroactive to last May? "Because of this faulty update process," wrote Protas, "attackers saw the potential for a widespread worm attack even though it was six months after the patch was released, and within 24 hours, our honeypot logged more than 70,000 Big Yellow exploit attempts." Symantec's InformationWeek interview on Monday acknowledged that scanning activity did appear to be increasing, although among fewer IP addresses.

"Another thing to remember here is how rapid another worm can hit the wild," Protas continued. "If the exploit group decided to make a minor change to the exploit to avoid signature detection, get some new dynamic DNS hosts to ftp serve the file and command server, we could see the exact same impact within 36 hours of that release. The lesson learned here is that customers need to roll out this patch as soon as possible to stop all Symantec worm attacks."

Maiffret and eEye were responsible for the discovery and subsequent public christening of the infamous 2001 Code Red worm, which infected hundreds of thousands of Microsoft Internet Information Server. After the worm's eventual demise, eEye came under fire from some sources for allegedly having given too much publicity to the IIS security hole, and for perhaps having over-dramatized it with statements that colored it even more vividly than the moniker alone.

As Phar Lap founder and veteran programmer Richard M. Smith wrote in August 2001, "Wouldn't it have been much better for eEye to give the details of the buffer overflow only to Microsoft? They could have still issued a security advisory saying that they found a problem in IIS and where to get the Microsoft patch. I realize that a partial disclosure policy isn't as sexy as a full disclosure policy, but I believe that [a] less revealing eEye advisory would have saved a lot companies a lot of money and grief."

BetaNews asked eEye yesterday, why was the "Big Yellow" moniker warranted in this case? "eEye Research will name worms that it is able to detect in the wild," responded Andre Protas. "So, although a name existed from an auto-naming generator on a few anti-virus sites, these sites did not offer the level of technical analysis that eEye Research put forward, and so we appropriately dubbed the worm we were analyzing 'Big Yellow."'

Last week's press release also made significant mention of the firm's new endpoint security package, called Blink Professional, though sources in the press were evidently more compelled by the colorful new menace than by the shiny new package.