RealTime IT News

Old Exploit Targets Symantec Antivirus

You faithfully download all of the monthly patches that Microsoft issues on Patch Tuesday, plus you're running Symantec Antivirus and update it regularly. Think you're safe?

If you're a corporate user, think again.

Security firm eEye Digital Security has posted a warning about the spread of a new virus affecting the Symantec Antivirus application. The kicker is that the virus is spreading through a known issue that Symantec  fixed six months ago.

The virus, called "Big Yellow," exploits an issue in the remote management interfaces of Symantec AntiVirus Corporate Edition and Symantec Client Security. The affected program is the Rtvscan.exe application, which is not used in the consumer product.

Symantec posted a list of affected applications in May, but the fix was not pushed out via the Live Update service.

"We don't do product updates through Live Update because corporate enterprise administrators want complete control over what's being deployed in their environments," said Vincent Weafer, senior director of Symantec's Security Response group.

Changes to the executable are done in the consumer product, but not the corporate products, for the above reason. Product updates, changes to the executables, have to be manually downloaded and deployed, as internetnews.com was able to verify.

Marc Maiffret, founder and CTO of eEye, said too many companies don't think to patch their non-Microsoft products. eEye found the virus has infected more than 70,000 systems, which is incredible given the fix was issued in May.

"It's an older vulnerability, but nobody seems to have patched it. Most IT organizations are focused on Microsoft and Patch Tuesday and are not paying attention to non-Microsoft products," he told internetnews.com. "It really is an example of the lack of awareness of IT organizations to patch their third-party software as fast as they patch Microsoft software."

Weafer agreed with him. "The one thing we're all saying out there is the attackers are moving out of the core OS and into the application layer. That's the trend we're seeing over the last two years. Anything that's prolific on the desktop is something we're seeing increasingly focused on," he said.

Big Yellow is a combination of a worm  and a botnet . As soon as it enters a computer, it looks for others on the network to infect, and installs a back door to connect to an IRC  chat server, at which point people on the IRC server can run commands and do what they want with your machine.

So for now, corporate customers are encouraged to manually download the fixes, especially small businesses that don't have internal update systems, said Weafer.