Symantec: Another Surge In Worm Scanning For Unpatched Antivirus Software - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Enterprise Applications
News
12/22/2006
01:50 PM
50%
50%

Symantec: Another Surge In Worm Scanning For Unpatched Antivirus Software

Sensors monitored by Symantec's DeepSight threat management service have reported a significant spike in traffic related to TCP port 2967, which Symantec has traced to scans generated by the "Sagevo" worm.

Symantec said Friday that it had detected another surge in scans for a port associated with a worm that's been sniffing for vulnerable software made by the security company and warned users to patch immediately in case the malicious code morphs into something more dangerous.

Sensors monitored by Symantec's DeepSight threat management service have reported a significant spike in traffic related to TCP port 2967, which Symantec has traced to scans generated by the "Sagevo" worm, recently released malware looking for systems running some of the company's enterprise antivirus software.

Flaws in both Symantec AntiVirus and Symantec Client Security were revealed in May and patched that same month. Sagevo, however, looks for unpatched machines, then tries to gain control of them.

Symantec reported that the number of sensors detecting scans of port 2097 were up over an uptick earlier in the week. "This is the most significant spike observed to date since the discovery of malicious code targeting the associated service," Symantec said in an alert to DeepSight subscribers.

"These scans are arriving in waves," says Vincent Weafer, senior director with Symantec's security response team. "When [the worm] is on an infected machine, it creates 512 threads on the box, and scans sequentially from the bottom up. [Meanwhile] any infected machines below that [IP address] also scan at the same time."

The most recent wave of scans had already crested, Weafer says. "The number of infected machines remains small, about 70."

Symantec's written alert, however, noted that the worm's slow propagation was not only unusual, but could also change at any time.

"With minimal effort this worm could be modified so that the hardcoded IP address is replaced with the address of the attacking computer," read the warning issued Friday by the DeepSight system. "This would significantly increase the propagation capabilities of this worm.

"The potential of this simple modification should be enough to convince administrators to deploy patches if they are not already deployed."

The hard-coded IP address mentioned in the alert is the server -- which has been offline all week -- that the worm connects to after an infection. The downed server means that Sagevo cannot replicate to other machines from an infected PC. "This is a strange feature of the malicious code," read the DeepSight warning, "and could indicate a testing phase. The behavior is more indicative of bot behavior rather than traditional worms."

Fixes for the AntiVirus and Client Security vulnerabilities that Sagevo exploits have been available since late May on the Symantec support site.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Slideshows
Reflections on Tech in 2019
James M. Connolly, Editorial Director, InformationWeek and Network Computing,  12/9/2019
Slideshows
What Digital Transformation Is (And Isn't)
Cynthia Harvey, Freelance Journalist, InformationWeek,  12/4/2019
Commentary
Watch Out for New Barriers to Faster Software Development
Lisa Morgan, Freelance Writer,  12/3/2019
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
The Cloud Gets Ready for the 20's
This IT Trend Report explores how cloud computing is being shaped for the next phase in its maturation. It will help enterprise IT decision makers and business leaders understand some of the key trends reflected emerging cloud concepts and technologies, and in enterprise cloud usage patterns. Get it today!
Slideshows
Flash Poll