[Snort-sigs] Symantec vulnerability

Matt Kettler mkettler at ...189...
Wed Feb 23 09:48:10 EST 2005


At 06:21 PM 2/22/2005, Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
>Are there any sigs out for the new Symantec vulnerability?

I assume you mean the UPX compression exploit:
http://www.securityfocus.com/archive/1/390214

In this problem, a .exe file which has been crafted to look like it was 
compressed with UPX is built in such a way to exploit bugs in older 
versions of Symantec's virus scanning engine itself. UPX is a tool much like 
PKLITE from the DOS days. UPX compresses .exe files and adds a self 
extracting stub loader to the beginning of the file that decompresses it 
upon execution. In order to virus scan the UPX'ed file, older versions of 
Symantec will try to decompress the original executable out, then scan 
that. It's a bug in the decompressor that's being exploited here, so it's 
triggered by virus scanning a file.

Given that the exploit is a file, not a network attack, what would you want 
to try to detect here? Email messages with UPX compressed EXE files that 
exploit it? Web downloads? ftp downloads? What about other transfer 
mechanisms? What about existing files on your network?

This is a pretty broad thing to try to pick up at the network layer; it's 
like trying to do virus scanning in Snort.