Persistent zombie attacks target Symantec corporate software

Symantec first dismissed the threat, but worm attacks that exploit a known security hole in the company's corporate antivirus tool are proving to be persistent.

The attacks target computers running older versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. Compromised systems are turned into remotely controlled zombies by the attacker and used to relay spam and other nefarious activities. Symantec's Norton consumer software is not affected.

"What we have been seeing in December and in the last week and a half is related to new variants of Spybot," Vincent Weafer, senior director of Symantec Security Response, said Tuesday. "We had a couple of versions of Spybot that went nowhere, but these ones found a way to propagate more effectively."

The Spybot variants break into computers through a known security hole in the widely used Symantec antivirus tools. When installed on a PC, Spybot opens a back door in the system and connects to an Internet Relay Chat server to let the remote attacker control the compromised computer. Spybot first surfaced in 2003 and has spawned many offshoots.

The first version of Spybot to exploit the Symantec security hole surfaced in November. This was followed in December by another pest dubbed Sagevo, or Big Yellow. Symantec initially dismissed both threats, stating that their impact was minimal. While Sagevo fizzled, Spybot is causing harm, Weafer said.

"We're definitely seeing Spybot out there and seeing that it is being trapped in customer environments," he said. The attacks have been escalating since December 20, when Symantec and its customers first saw increased activity on TCP port 2967, the network port used by the vulnerable software.

A fix for the flaw has been available since May 25, but it appears not all users have applied the fix. Unlike Symantec's consumer products, the corporate antivirus software doesn't include automatic product updates.

"Customers have to go to the support site and download the update," Weafer said. The security fix is different from the regular definition updates, which are automatically delivered to both consumer and corporate virus shields, he said.

Symantec is re-evaluating the update mechanism for its corporate tools, Weafer said. Additionally, the company on Wednesday plans to push out an update to its antivirus scanning engine that is designed to better detect Spybot, he said. The engine update will go out automatically to all users, he added.