
SANS ISC InfoSec Handlers Diary Blog

Port 2968 update - Same as 2967 ever was

Published: 2007-01-11
Last Updated: 2007-01-12 21:51:43 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
Update: The Novell Clients will have Symantec AV listening on port 2968 as well. Not just the server!
This may explain the rise as it exposes a much larger population of systems.

We have captured a fair number of attacks against ports 2968 and 2967 over the past 24 hours, and they appear to be identical in payload. The attack is effective against Symantec Antivirus version 10.0.2.2000 and below. The shellcode opens a bindshell on port 8555, which is then connected to, and either ftp.exe or tftp.exe is used to download what appears to be a botnet client.

One submitter tells us:
Symantec has widely reported vulnerabilities in clients 10.0.2.2000 and below. It is a remotely exploitable vulnerability that does not require user intervention. 10.0.2.2002 remediates the problem.

Over the last several days, we've experienced a significant number of systems (missing the Symantec patch) that have been exploited by a worm. The worm spreads by a number of mechanisms, but namely the Symantec vulnerability over port TCP 2967. I was able to capture traffic from an infected host, see attached file. The worm tries to phone home to 89.163.145.15:6667. By blocking this on the outbound firewall or router, the worm will stop attempting to spread. Long story short, be sure to patch your systems!
The question remains, why the port 2968 variant? Since the attack is using Windows shellcode, and running Windows commands for backchannel propagation, why go after the port used on Novell Netware versions of Symantec Live Update?
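A defender-side correlation check for the chain described in this diary (an inbound hit on 2967/2968, the attacker coming back to the bindshell on 8555, an ftp/tftp fetch, then the 89.163.145.15:6667 check-in the submitter reports), as an added example that is not part of the diary or the submitter's capture. The log line format, the 15-minute window and the sample log entries are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the diary: exploited ports, bindshell port, download tools, C2.
EXPLOIT_PORTS = {2967, 2968}
BINDSHELL_PORT = 8555
DOWNLOAD_PORTS = {21, 69}            # ftp.exe (tcp/21) or tftp.exe (udp/69)
C2_ENDPOINT = ("89.163.145.15", 6667)
WINDOW = timedelta(minutes=15)       # assumption: whole chain completes within 15 min
STAGES = ["exploit_attempt", "bindshell_connect", "payload_download", "c2_phone_home"]

def parse_line(line):
    """Parse a constructed log line: '<iso-ts> <proto> <src>:<sport> -> <dst>:<dport> <ALLOW|DENY>'."""
    ts, proto, src, _, dst, action = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto.lower(), "src": sip,
            "sport": int(sport), "dst": dip, "dport": int(dport), "action": action}

def correlate(lines):
    """Return {host: [stages seen]} for every host hit on 2967/2968, in chain order."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    hits = defaultdict(dict)         # victim -> {stage: evidence}
    for e in events:
        if e["action"] != "ALLOW":
            continue                 # blocked traffic cannot advance the chain
        if e["proto"] == "tcp" and e["dport"] in EXPLOIT_PORTS:
            hits[e["dst"]].setdefault("exploit_attempt", (e["ts"], e["src"]))
            continue
        victim = e["dst"] if e["dport"] == BINDSHELL_PORT else e["src"]
        first = hits.get(victim, {}).get("exploit_attempt")
        if first is None or e["ts"] - first[0] > WINDOW:
            continue                 # no recent exploit attempt against this host
        if e["proto"] == "tcp" and e["dport"] == BINDSHELL_PORT and e["src"] == first[1]:
            hits[victim]["bindshell_connect"] = e["ts"]     # attacker came back for the shell
        elif e["dport"] in DOWNLOAD_PORTS and "bindshell_connect" in hits[victim]:
            hits[victim]["payload_download"] = e["ts"]      # ftp/tftp fetch of the bot
        elif (e["dst"], e["dport"]) == C2_ENDPOINT:
            hits[victim]["c2_phone_home"] = e["ts"]         # IRC check-in from the diary
    return {v: [s for s in STAGES if s in seen] for v, seen in hits.items()}

# Constructed sample: one full chain (10.0.0.5), one blocked probe, one probe only.
SAMPLE_LOG = [
    "2007-01-11T10:00:01 tcp 192.0.2.7:3044 -> 10.0.0.5:2968 ALLOW",
    "2007-01-11T10:00:03 tcp 192.0.2.7:3045 -> 10.0.0.5:8555 ALLOW",
    "2007-01-11T10:00:09 udp 10.0.0.5:1031 -> 192.0.2.7:69 ALLOW",
    "2007-01-11T10:01:40 tcp 10.0.0.5:1032 -> 89.163.145.15:6667 ALLOW",
    "2007-01-11T10:05:00 tcp 192.0.2.7:3101 -> 10.0.0.9:2967 DENY",
    "2007-01-11T10:07:00 tcp 192.0.2.7:3102 -> 10.0.0.12:2967 ALLOW",
]
```

A host that reaches `bindshell_connect` or later is worth isolating even before its AV version is confirmed; a bare `exploit_attempt` is only evidence of scanning.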

Your thoughts are welcome, as always.