Slashdot Mirror


Symantec Reports Spate of Attacks Via Recent Windows Flaw

Surprised Giraffe writes "Symantec is warning of a sharp jump in online attacks that appear to be targeting a recently patched bug in Microsoft's Windows operating system, an analysis that some other security companies disputed. Symantec raised its Threat Con security alert level from one to two because of the attacks, with two denoting 'increased alertness.' The attacks spotted by Symantec target a flaw in the Windows Server Service that Microsoft says could be exploited to create a self-copying worm attack."

17 of 56 comments

  1. From TFA... by TheNecromancer · · Score: 5, Interesting

    Arbor Networks disputed Symantec's interpretation, saying, "we're not seeing this rise, not on TCP port 445 and not on TCP port 139. Looking over the last month we don't see this rise in MS08-067 attacks that would raise any alarms for us," in a Friday blog posting.

    Both McAfee and Microsoft echoed those sentiments.

    Seems like a shameless plug for Symantec to "look better" than their competitors. Crying wolf here won't get them the additional sales they think they will get.

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
    1. Re:From TFA... by root777 · · Score: 2, Informative

      Port 445 has already been used by so many other attacks, including the Sasser and Nimda worms, that even if a new worm were to be created, it would probably not change things. The people that have 445 exposed and therefore would be vulnerable to attack by last week's exploit, will likely already have been compromised by anything that's been going around for the last three years. People are desperate for something to happen in the security space because it has been so long (since a major attack)

    2. Re:From TFA... by yuna49 · · Score: 3, Interesting

      The data from SANS Internet Storm Center shows significant recent increases in traffic on port 445. From this graph of traffic since January, we see a decline in traffic until September with the exception of a very large bump in late spring (some early testing of the exploit?).

      Suddenly there was a big surge in port 445 traffic around September 1st. (The correlation between this event and the start of the school year is intriguing.) This surge looks suspiciously orchestrated to me. We also see a substantial, but short-lived decline in target traffic after Microsoft released its November 1st patch kit.

      What's much more disturbing is the trend in sources which has spiked to incredibly high levels in the past week. This could represent a concerted attack on unpatched machines by those already infected. It also shows how many machines could really be infected but slumbering until needed.
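The comment above reads the ISC port-445 report by contrasting two series: the number of distinct targets and the number of distinct sources, with a spike in sources (many new scanning hosts) taken as the more worrying signal. The script below, an added example that is not part of the thread and not SANS ISC code, shows one way to make that reading mechanical: it parses constructed per-day records in the shape of the ISC port report (date, sources, targets), computes a rolling median baseline for each series, and flags days where one series jumps well above its baseline while noting which series moved. The sample counts, the seven-day window and the 3x threshold are assumptions chosen for illustration.

```python
"""Flag source-driven vs. target-driven surges in per-port daily counts.

Added example (not from the thread, not ISC code). Records are constructed
sample data in the shape of the SANS ISC port report: date, distinct source
IPs, distinct target IPs, for TCP port 445.
"""
from statistics import median

# Constructed sample: a quiet week, then three days where the number of
# sources climbs sharply while the number of targets stays roughly flat.
SAMPLE_445_CSV = """\
# date,sources,targets   (constructed values, not real ISC data)
2008-11-01,1200,4800
2008-11-02,1150,4700
2008-11-03,1300,4900
2008-11-04,1250,4850
2008-11-05,1180,4600
2008-11-06,1220,4750
2008-11-07,1210,4700
2008-11-08,3900,4900
2008-11-09,5200,5000
2008-11-10,6100,5100
"""


def parse_port_report(text):
    """Parse 'date,sources,targets' lines into a list of (date, int, int).

    Blank lines and '#' comments are skipped; malformed lines raise so a
    broken feed is noticed rather than silently shortening the baseline.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        date, sources, targets = line.split(",")
        records.append((date, int(sources), int(targets)))
    return records


def surges(records, window=7, factor=3.0):
    """Return (date, kind) for each day whose sources or targets exceed
    `factor` times the median of the preceding `window` days.

    kind is 'sources' (many new scanners, few new victims), 'targets'
    (a few hosts sweeping widely) or 'both'. The first `window` days are
    baseline only and are never flagged.
    """
    flagged = []
    for i in range(window, len(records)):
        prev = records[i - window:i]
        src_base = median([r[1] for r in prev])
        tgt_base = median([r[2] for r in prev])
        date, src, tgt = records[i]
        src_up = src > factor * src_base
        tgt_up = tgt > factor * tgt_base
        if src_up and tgt_up:
            kind = "both"
        elif src_up:
            kind = "sources"
        elif tgt_up:
            kind = "targets"
        else:
            continue
        flagged.append((date, kind))
    return flagged


if __name__ == "__main__":
    for date, kind in surges(parse_port_report(SAMPLE_445_CSV)):
        print(f"{date}: surge driven by {kind}")
```

A median baseline is used rather than a mean so that the first surge day does not immediately inflate the baseline and mask the following days; with the sample data all three surge days are reported as source-driven, which is the pattern the comment describes.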

  2. *GASP* Threat Con Level at TWO! by GogglesPisano · · Score: 4, Informative

    What's the maximum? Maybe eleven, or perhaps over 9000?

    1. Re:*GASP* Threat Con Level at TWO! by hummassa · · Score: 2, Informative

      One. The maximum is one.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:*GASP* Threat Con Level at TWO! by Koiu+Lpoi · · Score: 3, Informative

      WHAT? NINE THOUSAND? There's no WAY that could be right!

    3. Re:*GASP* Threat Con Level at TWO! by Mister+Whirly · · Score: 2, Funny

      Symantec's goes to eleven.

      --
      "But this one goes to 11!"
  3. Missing analysis: by Penguinisto · · Score: 2, Interesting

    Have any of these corps, in their pissing contest, ever thought that maybe the problems could be compound (e.g. exploit one flaw after using another to deliver the exploit)?

    Cripes - I'd be more worried about someone using a 0-day or undisclosed flaw to deliver that nasty little Vista Kernel exploit that MSFT has said it won't have patched for at least six months...

    ...bitching over something that was patched seems rather too academic by now, but then, London's hospital system was IIRC recently shut down completely due to a variant of the old Mytob worm - and how long has that one been out?

    /P

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Missing analysis: by zappepcs · · Score: 3, Interesting

      Now you've gone and done it. If Symantec et al were to try to cover such exploitable possibilities, they'd have to have sales and marketing information that explains them. Sounds reasonable until you think about it. Their business model is built on selling crap^H^H^H^Hsoftware to people who don't want to think and explaining it to them would only expose them to ridicule when people start asking why they need to pay for something that has better free alternatives? If it was not bundled in the system when purchased Symantec would be out of business by now.

      There are hundreds of ways to compromise a computer system and then its peers. Antivirus software can only hope to attempt to protect a machine from the most probable threats, not all threats, not even all types of threats.

      You can play in a sandbox, in a park, away from the highway... or ... you can move your sandbox to the median of an eight lane highway. Your choice. No matter what you choose you will still find a dog turd in it sooner or later. Point being that anytime an anti-virus company blathers on about new attacks, it's likely to be FUD or worse, it's marketing.

  4. According to a leaked internal Symantec memo by neonux · · Score: 5, Funny

    The 'levels' are :

    1 - Normal alertness
    2 - Increased alertness
    3 - ???
    4 - PROFIT !!!

    --
    @neonux
  5. All Garbage by Cynic9 · · Score: 2, Interesting

    Both anti-virus vendors are a joke. I mean I am glad that they are out there but I've seen so many different Trojans and spyware bust right through McAfee and Symantec that I've completely lost faith in both products.

    I just wish the virus/spyware crafters would fill their crap with some better advertisements. Throw some gaming spam my way and I won't see too many differences between Anti-virus 2009 and Madden 2009.

  6. -m --state NEW DROP by ReedYoung · · Score: 2, Informative

    Does any commercial add-on security software for Windows allow state-based checks yet?

    Windows server services are fine inside your LAN, if you have a Linux, BSD or commercial Unix-based gateway. Otherwise, any online transaction is like running through a pickpocket convention with your money hanging out of your pockets.

    --
    "I can't imagine how things could get any worse!" (some guy) "That could just be failure of imagination on your p
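The comment above asks for "state-based checks" and advises keeping Windows server services behind a gateway. The following toy connection tracker, an added example that is not from the thread and is not an iptables implementation, shows what a `-m state --state NEW -j DROP` rule on the outside interface of such a gateway actually decides: a packet belonging to a flow the LAN initiated is ESTABLISHED and passes, a fresh inbound SYN to TCP 139 or 445 from outside is NEW and is dropped, and a stray non-SYN segment for an unknown flow is treated as invalid and dropped. The LAN prefix, the addresses (RFC 5737 documentation ranges) and the packet trace are constructed for illustration.

```python
"""Toy stateful filter for a LAN gateway protecting TCP 139/445.

Added example, not from the thread and not iptables code. It models only
the part of connection tracking needed to show the NEW / ESTABLISHED
distinction; real conntrack also handles timeouts, TCP state and ICMP.
"""
from ipaddress import ip_address, ip_network
from typing import NamedTuple

LAN = ip_network("192.168.1.0/24")   # assumed LAN behind the gateway
SERVER_PORTS = {139, 445}            # NetBIOS session / SMB over TCP


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool   # True for the first segment of a TCP connection


class StatefulFilter:
    def __init__(self):
        # 4-tuples (src, sport, dst, dport) of flows already accepted
        self.established = set()

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    def state(self, p):
        """Classify a packet the way '-m state' would: ESTABLISHED if it
        belongs to a tracked flow in either direction, NEW for a SYN that
        opens a flow, INVALID for anything else we have no state for."""
        fwd = self._key(p)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.established or rev in self.established:
            return "ESTABLISHED"
        return "NEW" if p.syn else "INVALID"

    def decide(self, p):
        """Return 'ACCEPT' or 'DROP' and record accepted new flows."""
        st = self.state(p)
        if st == "ESTABLISHED":
            return "ACCEPT"
        if st == "INVALID":
            return "DROP"
        # NEW: only connections originating inside the LAN may start.
        # This is the '-i wan -m state --state NEW -j DROP' rule: an
        # inbound SYN to 445/139 (or any other port) never gets a
        # reply, whether or not the Windows host behind it is patched.
        if ip_address(p.src) in LAN:
            self.established.add(self._key(p))
            return "ACCEPT"
        return "DROP"


def run_trace(packets, fw=None):
    """Feed packets through one filter instance; return the verdicts."""
    fw = fw or StatefulFilter()
    return [fw.decide(p) for p in packets]


# Constructed trace: a LAN client browsing out, its reply, then three
# attempts from outside, then a LAN-to-LAN SMB connection.
TRACE = [
    Packet("192.168.1.10", 51000, "203.0.113.5", 80, True),     # LAN -> web
    Packet("203.0.113.5", 80, "192.168.1.10", 51000, False),    # reply
    Packet("198.51.100.7", 40000, "192.168.1.10", 445, True),   # inbound SMB
    Packet("198.51.100.7", 40001, "192.168.1.10", 139, True),   # inbound NetBIOS
    Packet("198.51.100.7", 445, "192.168.1.10", 52000, False),  # stray ACK
    Packet("192.168.1.10", 51001, "192.168.1.20", 445, True),   # LAN -> LAN SMB
]

if __name__ == "__main__":
    for p, v in zip(TRACE, run_trace(TRACE)):
        print(f"{v:6} {p.src}:{p.sport} -> {p.dst}:{p.dport} syn={p.syn}")
```

The point the comment makes is visible in the trace: the decision for the inbound SMB and NetBIOS SYNs does not depend on the patch level of the host behind the gateway, only on the direction the flow was opened from, and the web reply passes solely because the LAN client's outbound SYN was recorded first.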
  7. Start up by Wiarumas · · Score: 2, Funny

    Anybody want to join my AntiVirus start up? We are at Threat Con Three currently and the sales are pouring in.

    --
    I will bend like a reed in the wind.
  8. ISC SANS by Anonymous Coward · · Score: 2, Interesting

    Definitely showing up here: http://isc.sans.org/port.html?port=445

  9. Re:Slashdot Homepage by halcyon1234 · · Score: 2, Interesting

    It's the result of either a virus, or some wiseass CSS "programmer" who thinks that I want to see Firehose by default-- and we're all out of viruses today.

  10. Save slashdot space.... by The+Real+Tachyon · · Score: 4, Funny

    Why don't we just have a running headline banner that says something like...

    {someone} discovered a serious security flaw in Microsoft's {product} and {offered to sell a solution|berated Microsoft}. They say the flaw should be {ignored|taken seriously} and that if it wasn't that there was a strong possibility of {not much|major|catastrophic|universe collapsing} repercussions.

    {Mac|Linux} users were reported to gloat and tell everyone they were idiots for not switching to {Mac|Linux}. BSD users were running around naked, covered in crayon scribbling, and jabbering "definitely time for BSD, definitely....or Wopner"

    Microsoft responded today by {downplaying|ignoring|finally patching after months but breaking something else with the patch} the threat.

  11. Re:Symantec warning, no Symantec link? by lysergic.acid · · Score: 2, Informative

    RTFA. it provides more useful information than Symantec's alert page. if you just want Symantec's Threatcon alerts then install their anti-virus or use their "DeepSight Threat Management System."

    the article's not just "some random .au page" (as if a random .com domain would be any better) the article reports on not just Symantec's announcements, but also McAfee and Microsoft's responses that contradict Symantec's assessment. it also gives a link to a REN-ISAC report that supports Symantec's claims. it's good to have a little context when reading security alerts from AV software vendors.