The eEye Research honeypot network has recently detected a new worm
that is attacking systems running versions of Symantec AntiVirus and
Symantec Client Security. The “Big Yellow” worm leverages a remote,
system-level access vulnerability to take control of machines running
vulnerable (unpatched) Symantec software. Once infected, machines then
download a package from an FTP server and start to seek out other
vulnerable systems to attack. At the time of analysis, eEye Research
was able to conclude that the FTP server had been accessed 71,513 times
within 24 hours, indicating widespread worm infections.

The vulnerability was originally discovered by eEye on May 24, 2006 and
patched by Symantec on June 12, 2006. This vulnerability was
publicly exploited as early as November 30, but this is the first
widespread worm leveraging this vulnerability for self-propagation.
Generally, processes for keeping current on software patches are not in
place for non-Microsoft applications such as Symantec AntiVirus/Client
Security; therefore, many Symantec users may be at risk for this