Big Yellow

Two of my former employers have made the news again. “Big Yellow” is a new worm/botnet discovered by eEye Digital Security which affects users of anti-virus from software maker Symantec. I’ve heard very recently one analyst say that “anti virus is dead” but I don’t think this is what he had in mind. The fact is that Symantec products dominate the IT landscape and most of the home market as well. Anti-virus is still an integrated part of the operating system. So much so that even Microsoft has dragged themselves into the marketplace. However, we see in Big Yellow one of the most effective styles of attack out there. Like the ASN.1 vulnerability, this only affects users who are “secured”.

Users who run anti-virus pay a “tax” in the form of lost resources: processor, memory, and disk access are all used by the anti-virus programs to compute file signatures and match them against an ever-growing signature database. End users consider this tax worthwhile since they can remain safe. This new threat, however, will only infect the users of Symantec’s anti-virus, thus putting them in greater danger than someone who isn’t using any anti-virus at all or is using free alternatives like ClamAV and AntiVir. Seems ironic really.

What makes this worse is that Symantec doesn’t seem to have a good handle on what is really going on. Vincent Weafer, senior director with Symantec Security Response, states, “We have had three submissions locally from our customers.” eEye “has counted about 70,000 compromised systems”. Counting infections is really easy to do if one is sitting on the botnet itself. And with 70,000 zombies all idling in the channel, it is pretty easy to hide out and watch new infected computers roll in. I did this myself for Elf.Kaiten.Q and the numbers I counted were significantly higher than any AV vendor reported. Even the Internet Storm Center shows significant numbers for this threat.

This compounds the danger since Symantec will diminish their response if they don’t believe a real threat exists, a threat which eEye has sufficiently pointed out. 70,000 nodes in a botnet can accomplish a lot of bad things including but not limited to spamming operations, distributed denial of service, or even identity theft.
