[Snort-sigs] Symantec vulnerability
mkettler at ...189...
Wed Feb 23 09:48:10 EST 2005
At 06:21 PM 2/22/2005, Rowland, Krisa W ERDC-ITL-MS Contractor wrote:
>Are there any sigs out for the new Symantec vulnerability?
I assume you mean the UPX compression exploit:
In this problem, a .exe file which has been crafted to look like it was
compressed with UPX is built in such a way to exploit bugs in older
versions of Symantec's virus scanning engine itself. UPX is a tool much like
PKLITE from the DOS days. UPX compresses .exe files and adds a self
extracting stub loader to the beginning of the file that decompresses it
upon execution. In order to virus scan the UPX'ed file, older versions of
Symantec will try to decompress the original executable out, then scan
that. It's a bug in the decompressor that's being exploited here, so it's
triggered by virus scanning a file.

Given that the exploit is a file, not a network attack, what would you want
to try to detect here? Email messages with UPX compressed EXE files that
exploit it? Web downloads? ftp downloads? What about other transfer
mechanisms? What about existing files on your network?

This is a pretty broad thing to try to pick up at the network layer; it's
like trying to do virus scanning in Snort.