Slashdot Mirror


Symantec Reports Spate of Attacks Via Recent Windows Flaw

Surprised Giraffe writes "Symantec is warning of a sharp jump in online attacks that appear to be targeting a recently patched bug in Microsoft's Windows operating system, an analysis that some other security companies disputed. Symantec raised its Threat Con security alert level from one to two because of the attacks, with two denoting 'increased alertness.' The attacks spotted by Symantec target a flaw in the Windows Server Service that Microsoft says could be exploited to create a self-copying worm attack."

56 comments

  1. first by Anonymous Coward · · Score: 1, Funny

    First infection!

    1. Re:first by htnprm · · Score: 1

      I think that is the first time I've seen an "FP!" post get modded up.

    2. Re:first by Anonymous Coward · · Score: 0
      You've been around long enough... so you either gotta push the "Read More" button some more... or pay attention!

      -- The FP Virus will infect you!

  2. From TFA... by TheNecromancer · · Score: 5, Interesting

    Arbor Networks disputed Symantec's interpretation, saying, "we're not seeing this rise, not on TCP port 445 and not on TCP port 139. Looking over the last month we don't see this rise in MS08-067 attacks that would raise any alarms for us," in a Friday blog posting.

    Both McAfee and Microsoft echoed those sentiments.

    Seems like a shameless plug for Symantec to "look better" than their competitors. Crying wolf here won't get them the additional sales they think they will get.

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
    1. Re:From TFA... by root777 · · Score: 2, Informative

      Port 445 has already been used by so many other attacks, including the Sasser and Nimda worms, that even if a new worm were to be created, it would probably not change things. The people that have 445 exposed and therefore would be vulnerable to attack by last week's exploit, will likely already have been compromised by anything that's been going around for the last three years. People are desperate for something to happen in the security space because it has been so long (since a major attack).

    2. Re:From TFA... by rysar · · Score: 1

      Actually, if you think about it, Symantec has significantly more systems to look at, as there are over 40,000 sensors in over 200 countries, which are generating over 2 billion events a day, so yea, I think they can tell if there's an increase in port traffic. All the consumer products report back anonymous data on things the products are protecting against as well, so add those alerts too.

    3. Re:From TFA... by yuna49 · · Score: 3, Interesting

      The data from SANS Internet Storm Center shows significant recent increases in traffic on port 445. From this graph of traffic since January, we see a decline in traffic until September with the exception of a very large bump in late spring (some early testing of the exploit?).

      Suddenly there was a big surge in port 445 traffic around September 1st. (The correlation between this event and the start of the school year is intriguing.) This surge looks suspiciously orchestrated to me. We also see a substantial, but short-lived decline in target traffic after Microsoft released its November 1st patch kit.

      What's much more disturbing is the trend in sources which has spiked to incredibly high levels in the past week. This could represent a concerted attack on unpatched machines by those already infected. It also shows how many machines could really be infected but slumbering until needed.
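As an added example (not code from the thread, from Symantec or from SANS ISC): the sources-versus-targets distinction drawn in the comment above is easy to reproduce on your own gateway's firewall logs. The script below parses constructed iptables LOG-style lines (made up here; the `DROP` log prefix, the year 2008 for the year-less syslog timestamps, and the 3x / 5-source thresholds are assumptions), counts distinct sources and distinct targets per day for TCP/445, and flags days where the number of distinct sources jumps well above every earlier day.

```python
"""Added example (not from the Slashdot thread, Symantec or ISC): per-day
TCP/445 probe activity from firewall drop logs, tracking distinct sources and
distinct targets separately, since a surge in sources (many hosts each probing
a little) means something different from a surge in targets or packets."""
import re
from datetime import datetime

# Constructed sample lines in iptables LOG-target style (made up for this
# example; "DROP" is whatever --log-prefix the gateway uses). One line is an
# ACCEPT, one is SSH, one is UDP: all three must be ignored by the 445 tally.
SAMPLE_LOG = """\
Nov 20 10:01:02 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=4431 DPT=445 SYN
Nov 20 10:02:10 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.11 LEN=48 PROTO=TCP SPT=4432 DPT=445 SYN
Nov 20 10:40:55 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=1034 DPT=445 SYN
Nov 20 11:12:00 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=1200 DPT=22 SYN
Nov 20 11:13:00 gw kernel: ACCEPT IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=3333 DPT=445 SYN
Nov 21 09:00:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=5000 DPT=445 SYN
Nov 21 09:00:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.1 DST=203.0.113.12 LEN=48 PROTO=TCP SPT=5001 DPT=445 SYN
Nov 21 09:30:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.3 DST=203.0.113.10 LEN=48 PROTO=UDP SPT=5002 DPT=445
Nov 22 03:00:00 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6000 DPT=445 SYN
Nov 22 03:00:01 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6001 DPT=445 SYN
Nov 22 03:00:02 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.12 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6002 DPT=445 SYN
Nov 22 03:00:03 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.13 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6003 DPT=445 SYN
Nov 22 03:00:04 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.14 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6004 DPT=445 SYN
Nov 22 03:00:05 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.15 DST=203.0.113.10 LEN=48 PROTO=TCP SPT=6005 DPT=445 SYN
"""

# Matches only lines logged with the DROP prefix; fields between DST and
# PROTO (LEN, TOS, TTL, ...) are skipped by the lazy wildcards.
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: DROP "
    r".*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_drops(text):
    """Yield (day, src, dst, proto, dport) per DROP line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            day = f"{m['mon']} {int(m['day']):02d}"
            yield day, m["src"], m["dst"], m["proto"], int(m["dpt"])


def daily_port_activity(text, port=445, proto="TCP"):
    """Per-day distinct sources, distinct targets and packet count for one port.

    Returns {day: {"sources": set, "targets": set, "packets": int}}."""
    days = {}
    for day, src, dst, p, dport in parse_drops(text):
        if p != proto or dport != port:
            continue
        d = days.setdefault(day, {"sources": set(), "targets": set(), "packets": 0})
        d["sources"].add(src)
        d["targets"].add(dst)
        d["packets"] += 1
    return days


def _ordinal(day, year):
    # Syslog timestamps carry no year; the caller supplies one (2008, the year
    # of this thread, is assumed as the default below).
    return datetime.strptime(f"{day} {year}", "%b %d %Y")


def flag_source_surges(days, factor=3.0, min_sources=5, year=2008):
    """Return the days whose distinct-source count is at least `factor` times the
    largest count seen on any earlier day, and at least `min_sources`.

    Counting distinct sources rather than packets separates "one scanner
    hammering us" from "many infected hosts each probing a little"."""
    flagged = []
    baseline = 0
    for day in sorted(days, key=lambda d: _ordinal(d, year)):
        n = len(days[day]["sources"])
        if baseline and n >= factor * baseline and n >= min_sources:
            flagged.append(day)
        baseline = max(baseline, n)
    return flagged


if __name__ == "__main__":
    activity = daily_port_activity(SAMPLE_LOG)
    for day in sorted(activity, key=lambda d: _ordinal(d, 2008)):
        a = activity[day]
        print(f"{day}: {len(a['sources'])} sources, {len(a['targets'])} targets, {a['packets']} packets")
    print("surge days:", flag_source_surges(activity))
```

On the constructed data the first two days show two and one distinct sources; the third day shows six sources all probing one target, which the threshold flags. The thresholds are deliberately crude: on a real gateway you would compare against a rolling window of prior days rather than the single largest earlier day, and a quiet baseline (as in the ISC graphs) is what makes a later spike meaningful.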

  3. *GASP* Threat Con Level at TWO! by GogglesPisano · · Score: 4, Informative

    What's the maximum? Maybe eleven, or perhaps over 9000?

    1. Re:*GASP* Threat Con Level at TWO! by hummassa · · Score: 2, Informative

      One. The maximum is one.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:*GASP* Threat Con Level at TWO! by oddaddresstrap · · Score: 1

      What are they teaching in schools these days? Everybody knows that the maximum Threat Con Level is equal to the theoretical maximum warp drive speed which is to say it is 10. Duh.

    3. Re:*GASP* Threat Con Level at TWO! by Koiu+Lpoi · · Score: 3, Informative

      WHAT? NINE THOUSAND? There's no WAY that could be right!

    4. Re:*GASP* Threat Con Level at TWO! by Mister+Whirly · · Score: 2, Funny

      Symantec's goes to eleven.

      --
      "But this one goes to 11!"
    5. Re:*GASP* Threat Con Level at TWO! by Anonymous Coward · · Score: 0

      In their defense they use a binary scale so when the threat level reaches 2 you know shit has really hit the fan!

  4. Missing analysis: by Penguinisto · · Score: 2, Interesting

    Have any of these corps, in their pissing contest, ever thought that maybe the problems could be compound (e.g. exploit one flaw after using another to deliver the exploit)?

    Cripes - I'd be more worried about someone using a 0-day or undisclosed flaw to deliver that nasty little Vista Kernel exploit that MSFT has said it won't have patched for at least six months...

    ...bitching over something that was patched seems rather too academic by now, but then, London's hospital system was IIRC recently shut down completely due to a variant of the old Mytob worm - and how long has that one been out?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Missing analysis: by Anonymous Coward · · Score: 1, Informative

      You mean the nasty little Vista Kernel exploit that requires that you be an administrator to exploit?

      If I'm already an administrator, there are a lot more ways to gain root access than exploiting a kernel hole. Especially since I'm already running as root.

      If an exploit requires that you run as root to exploit it, it's a reliability bug, not a security bug.

      Yes, it's bad that someone running as root can crash a box. But there are LOTS of ways that someone running as root can cause a machine to crash.

    2. Re:Missing analysis: by zappepcs · · Score: 3, Interesting

      Now you've gone and done it. If Symantec et al were to try to cover such exploitable possibilities, they'd have to have sales and marketing information that explains them. Sounds reasonable until you think about it. Their business model is built on selling crap^H^H^H^Hsoftware to people who don't want to think and explaining it to them would only expose them to ridicule when people start asking why they need to pay for something that has better free alternatives? If it was not bundled in the system when purchased Symantec would be out of business by now.

      There are hundreds of ways to compromise a computer system and then its peers. Antivirus software can only hope to attempt to protect a machine from the most probable threats, not all threats, not even all types of threats.

      You can play in a sandbox, in a park, away from the highway... or ... you can move your sandbox to the median of an eight lane highway. Your choice. No matter what you choose you will still find a dog turd in it sooner or later. Point being that anytime an anti-virus company blathers on about new attacks, it's likely to be FUD or worse, it's marketing.

    3. Re:Missing analysis: by hesaigo999ca · · Score: 0, Offtopic

      You would not find dog turd in it, if you closed the lid, and never opened it again....meaning...throw away M$ and get linux

    4. Re:Missing analysis: by Penguinisto · · Score: 1

      How many folks have UAC turned off already, and have admin privs at the same time?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    5. Re:Missing analysis: by arth1 · · Score: 1

      Cripes - I'd be more worried about someone using a 0-day or undisclosed flaw to deliver that nasty little Vista Kernel exploit that MSFT has said it won't have patched for at least six months...

      Niggle: You repeat yourself. A zero day exploit is an undisclosed exploit. Once it's disclosed, it becomes a first-day exploit. I know media has fallen in love with the term "zero day" and use it indiscriminately and most often wrong, but this is slashdot, where we are allowed to be pedantic about these things :-)

    6. Re:Missing analysis: by Pope · · Score: 1

      Niggle: You repeat yourself

      Fo' shiggle.

      --
      It doesn't mean much now, it's built for the future.
  5. Symantec warning, no Symantec link? by Anonymous Coward · · Score: 0

    Give us the real link, not some random .au page.

    1. Re:Symantec warning, no Symantec link? by lysergic.acid · · Score: 2, Informative

      RTFA. it provides more useful information than Symantec's alert page. if you just want Symantec's Threatcon alerts then install their anti-virus or use their "DeepSight Threat Management System."

      the article's not just "some random .au page" (as if a random .com domain would be any better) the article reports on not just Symantec's announcements, but also McAfee and Microsoft's responses that contradict Symantec's assessment. it also gives a link to a REN-ISAC report that supports Symantec's claims. it's good to have a little context when reading security alerts from AV software vendors.

  6. According to a leaked internal Symantec memo by neonux · · Score: 5, Funny

    The 'levels' are :

    1 - Normal alertness
    2 - Increased alertness
    3 - ???
    4 - PROFIT !!!

    --
    @neonux
  7. Re:Sales are low! by Anonymous Coward · · Score: 0

    you're not only an ass, but you're also boring.

  8. All Garbage by Cynic9 · · Score: 2, Interesting

    Both anti-virus vendors are a joke. I mean I am glad that they are out there but I've seen so many different Trojans and spyware bust right through McAfee and Symantec that I've completely lost faith in both products.

    I just wish the virus/spyware crafters would fill their crap with some better advertisements. Throw some gaming spam my way and I won't see too many differences between Anti-virus 2009 and Madden 2009.

    1. Re:All Garbage by mewshi_nya · · Score: 1

      Plus, one will be more entertaining!

      I fucking hate football...

  9. Slashdot Homepage by ObsessiveMathsFreak · · Score: 0, Offtopic

    I can also report a spate of recent frustration via the recent Slashdot homepage changes. I can't find anything, links and blockquotes are impossible to read in some section colour schemes and there's no way to turn it off!!

    --
    May the Maths Be with you!
    1. Re:Slashdot Homepage by halcyon1234 · · Score: 2, Interesting

      It's the result of either a virus, or some wiseass CSS "programmer" who thinks that I want to see Firehose by default-- and we're all out of viruses today.

  10. Re:Ours go to...... by value_added · · Score: 1

    Virus warnings go to 0xF

    I think the threat level indicated is "Elevated", which would suggest FFFF00. Windows warnings, on the other hand, are invariably 0000FF.

    Seriously, though, how is a threat level from anyone supposed to be interpreted in any meaningful fashion when the levels themselves need to be interpreted as well? I'd suggest everyone adopt three levels only:

    No Worries, Mate.
    Mostly Harmless.
    Run For Your Life.

    Easy to understand and easy to remember. And more importantly, no ambiguous ordering or cross-referencing to colours.

  11. -m --state NEW DROP by ReedYoung · · Score: 2, Informative

    Does any commercial add-on security software for Windows allow state-based checks yet?

    Windows server services are fine inside your LAN, if you have a Linux, BSD or commercial Unix-based gateway. Otherwise, any online transaction is like running through a pickpocket convention with your money hanging out of your pockets.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
  12. Huh? by mortonda · · Score: 0

    create a self-copying worm attack.

    *Jack Nicholson voice*

    Is there any other kind????

  13. Start up by Wiarumas · · Score: 2, Funny

    Anybody want to join my AntiVirus start up? We are at Threat Con Three currently and the sales are pouring in.

    --
    I will bend like a reed in the wind.
  14. OMG! by ZarathustraDK · · Score: 0, Offtopic

    Windows isn't safe?!

    --
    If you quote this signature there'll be 72 copies of Windows ME waiting for you in Heaven.
    1. Re:OMG! by Mister+Whirly · · Score: 0, Redundant

      Slashdot posts aren't original?!

      --
      "But this one goes to 11!"
  15. Kernel Herpes by Windows_NT · · Score: 1

    I haven't had a problem with viruses. I run XP Pro at work, with AVG, and although I have had a few viruses, from d/ling stuff, AVG finds them, and no problems. Now I might ask, where can I find these viruses? I know that warez sites from Russia carry them, but how can I contract them from legit sites? It seems to me, if you're doing what you're supposed to do with a computer (pr0n browsing) you shouldn't have these problems

    --
    Go go Gadget Nailgun!
    1. Re:Kernel Herpes by gad_zuki! · · Score: 1

      You want viruses? Visit mininova and start downloading some cracked commercial software. Pick anything. You'll get infected. This is how people I know get infected. It's not a Windows exploit, it's not a firewall setting, it's not ActiveX, it's not a lack of warnings, it's not ignorance, it's not the fabled zero-day exploits, it's not bad security engineering, it's malware predators taking advantage of greedy people who don't want to pay for commercial software.

      Can't afford it? There's probably an OSS or freeware clone somewhere. No? Then buy it used or suck it up and pay. It's incredible how many people download Photoshop when Paint.NET or the GIMP are free. Or how many people whine about MS Office activation when OpenOffice and AbiWord are free.

    2. Re:Kernel Herpes by Windows_NT · · Score: 1

      Maybe that's why I don't get viruses .. either my employer pays for it, or I run Linux :)
      And I always thought my system stayed clean because I put a condom over my mouse ... maybe I should also stop injecting AstroGlide into my hard drive

      --
      Go go Gadget Nailgun!
    3. Re:Kernel Herpes by hairyfeet · · Score: 1

      As someone who has spent his days working PC repair for more years than I care to count, I can say that you are wrong. Unless you have some really shitty server somewhere that my customers don't know about, because I haven't actually seen a warez bug cross my desk in years. That is usually FUD put out by software writers. You don't happen to write software for a living, do you?

      The vast majority of infections can be traced back nearly every time to the same two sources. Those sources are the pr0ncodec.exe and the hidden file extension music.mp3.wma crap. The guys will run right past every AV warning and flag you put in their way to see the titties, and the girls click on what they think is an .mp3 that is actually an mp3.wma that bites them in the ass. But I don't think I've actually seen a warez bug since the days of repacking games, like taking a razor1911 rip and repacking it with a bug. There are just too many easier avenues of attack. The problem of course comes down to the dancing bunny which no matter how many roadblocks you try to put between them and the bunny they will happily shove you aside and keep right on clicking until they see the bunny. And I don't see ANY way to fix that little problem.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    4. Re:Kernel Herpes by halcyon1234 · · Score: 1
      1. Fire up IE
      2. Visit any site with ads that seep through from doubleclick or burstnet or any of those others
      3. You now have a non-zero chance of one of those ads containing something that will exploit something in IE and autodownload&run some malware
      4. Repeat from step 2, and it's just a matter of time until the law of averages catches up to you

      Alternatively, take that XP machine of yours and plug it directly into your DSL/Cable modem (not via a router). Go get a sandwich. Millions of random port-scanners will do the rest for you

    5. Re:Kernel Herpes by Windows_NT · · Score: 1

      This is true. I forget how much a firewall protects you. I would not dare plug an unpatched Windows box (or even a patched one!) into the internet. I have run Linux as a firewall/router (iptables) and it's unbelievable all of the port scans that happen. I would get over 1000 tries on SSH getting in with users such as 'root', 'sally', 'mike' coming from hundreds of different IPs. Also there will be attempts on any port that they can see (normally 80, and FTP, and SSH are all I have open), and thank god I drop any traffic trying to come in on anything else (I don't deny, I drop!). Yes, parent, you are right, plug XP into the unsecured internet and it will come home looking like fresh meat at happy hour at the local whore house.

      --
      Go go Gadget Nailgun!
    6. Re:Kernel Herpes by gad_zuki! · · Score: 1

      > ...because I haven't actually seen a warez bug cross my desk in years.

      Psst. Download the torrent for Quicktime Full Version at mininova. Install it. Welcome to trojan land.

    7. Re:Kernel Herpes by hairyfeet · · Score: 1

      Uuuuh, why would you actually WANT Quicktime, especially enough to bother getting it from mininova? Working with home users all day I can honestly tell you that Joe and Jane average don't even know what the hell Quicktime is, much less are going to bother snatching it off P2P. More likely they are going to snatch the latest media crap like whatever movie they are advertising this week. But like I said, Joe and Jane ain't going after Quicktime.

      Joe is getting bit by "See the hot lesbians! Just install this codec to see lots of hot lesbians for FREE!" and Jane is getting bit by "latest dance hit.mp3.wma". While I don't doubt that if you look hard enough you can find a bug on P2P, especially if you are crazy enough to download ANYTHING under 10Mb, Joe and Jane ain't messing with the small stuff anymore and therefore ain't getting bit. Besides, don't they slip junk like Safari on you as a "security update" even if you don't have it in the first place? I repeat: WHY would anyone who wasn't using an Apple Mac (and therefore most likely immune) even WANT Quicktime? Hell I don't think I've actually even SEEN a Quicktime file in ages. Nowadays everything is flash.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    8. Re:Kernel Herpes by nanoflower · · Score: 1

      You can also pick up some stuff by visiting various web sites. Places that carry.. umm. less than proper material (warez, porn) I don't know how many carry them but some do and visiting them with an unprotected web browser is an invitation to getting infected. With an up to date browser and tools like Noscript and anti-virus, anti-spyware programs it's hard to get infected unless you go out of your way to do something you shouldn't do like run some executable software without checking it out first.

  16. Shark jump in online attacks? by Shinmizu · · Score: 1

    Anyone else misread that as a "shark jump in online attacks?" I was beginning to wonder if the Simpsons writers had turned to malware writing.

  17. ISC SANS by Anonymous Coward · · Score: 2, Interesting

    Definitely showing up here: http://isc.sans.org/port.html?port=445

  18. Re:Sales are low! by ubrgeek · · Score: 1

    And he did stay at a Holiday Inn Express last night, so he has that going for him ;)

    --
    Bark less. Wag more.
  19. Re:Sales are low! by iago-vL · · Score: 1, Troll

    Having worked at Symantec, I can tell you that it's nothing like that. There isn't even yelling or clamoring, it's just business as usual. There aren't even any blinking lights!

    Oh, and John Thompson (the current CEO) isn't involved in the decision, nor is he in the same country as the people who are.

  20. Sign me up... by Dareth · · Score: 1

    ... just run this executable to verify my identity and we are all set!

    --

    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
  21. Save slashdot space.... by The+Real+Tachyon · · Score: 4, Funny

    Why don't we just have a running headline banner that says something like...

    {someone} discovered a serious security flaw in Microsoft's {product} and {offered to sell a solution|berated Microsoft}. They say the flaw should be {ignored|taken seriously} and that if it wasn't that there was a strong possibility of {not much|major|catastrophic|universe collapsing} repercussions.

    {Mac|Linux} users were reported to gloat and tell everyone they were idiots for not switching to {Mac|Linux}. BSD users were running around naked, covered in crayon scribbling, and jabbering "definitely time for BSD, definitely....or Wopner"

    Microsoft responded today by {downplaying|ignoring|finally patching after months but breaking something else with the patch} the threat.

    1. Re:Save slashdot space.... by Anonymous Coward · · Score: 0

      Well, you could go even further than that and condense ALL Slashdot stories to the following:

      {something} happened.

      But that wouldn't be fun, now would it?

  22. Boring Slashvertisement by Nick+Ives · · Score: 1

    So you post a story about how Symantec are more on the ball than their competition and follow it up with comments about how their sensing capability is much more advanced than their competition without referencing any sources. This has to be the lamest astroturf I've ever seen.

    --
    Nick
    1. Re:Boring Slashvertisement by rysar · · Score: 1

      Actually, the story I submitted was around their detection of spam levels coming back up to the pre-McColo shutdown. I commented on this one since it seemed that someone thought that Symantec was trying to "look better" than their competitors.

      Statistics has taught me one thing: Having a larger sample set gives you better results.

      My source for numbers in my comment: http://www.symantec.com/about/profile/technology.jsp

      "The Symantec Global Intelligence Network encompasses worldwide security intelligence data gathered from a wide range of sources, including more than 40,000 sensors monitoring networks in more than 180 countries through Symantec products and services such as Symantec DeepSight Threat Management System and Symantec Managed Security Services, and from other third-party sources."

      Further down in that link, let's see...
      Malicious Code Reports from over 120 million clients, 25,000 vulnerabilities from over 20 years affecting 55,000 different technologies, from 8,000 vendors. Oh yea, they also operate BugTraq.

      How does this compare to Arbor?

      Oh that's right, they didn't state their capabilities in the article or on their website that I could see.