New 'botworm' exploits Symantec flaw

"Big Yellow" hits systems running Symantec's corporate antivirus tools, warns eEye Digital Security. Symantec says attacks are limited.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A new worm that uses a known security hole in Symantec's corporate antivirus tools to spread has hit the Net, experts warned Friday.

The worm, dubbed "Big Yellow" by eEye Digital Security, turns vulnerable computers into remote-controlled zombies. It is the second such malicious code in as many months that exploits a 6-month-old security flaw in Symantec Client Security and Symantec AntiVirus Corporate Edition. A fix for the flaw has been available since May.

The new "botworm" scans for computers running the vulnerable Symantec software and then attempts to break in, said Marc Maiffret, chief technology officer at eEye, an Aliso Viejo, Calif.-based security software maker. The threat appears to be widespread, Maiffret said. eEye is tracking a server used by the worm to download part of its malicious payload; that server has pushed data out to more than 60,000 systems, he said.

Symantec is aware of the new worm, which it calls "Sagevo," said Vincent Weafer, a senior director at Symantec Security Response. However, the Cupertino, Calif., company doesn't see it as a big threat. Only three customers have seen it and there isn't anything more than "background noise" on Symantec's network of security sensors, he said.

"Technically eEye is correct, there is a new botworm out there," Weafer said. "But the impression and the worm alert is misleading because we are not seeing any activity."

A similar worm, a variant of Spybot, spread last month. When installed on a PC, both Spybot and Big Yellow open a back door in the system and connect to an Internet Relay Chat server to let the remote attacker control the compromised computer. Such remote control software is the most prevalent threat to Windows PCs, according to Microsoft.

The fact that a bug in Symantec's widely used security software is being exploited by worms underscores a security trend that experts have pointed out before: attackers are increasingly looking beyond the operating system for flaws.

"Any time you have vulnerability in a major application, the likelihood of having it used in a botworm is much higher," Weafer said. "Vulnerability research and exploits are going from operating system level into the application level. It is something we?re going to continue to see."

And while patching Microsoft applications has become second nature for many IT departments, the same does not hold true for other software programs, Maiffret said. "People should be thinking about non-Microsoft software when it comes to patching," he said.