Endpoint Protection


SEP and "Operation Aurora"?


  • 1.  SEP and "Operation Aurora"?

    Posted Jan 18, 2010 01:58 PM
    Is Symantec planning to release signature to detect 0-day in IE that was leveraged to hack Google's office in China? McAfee is releasing a definition today, Snort/SourceFire has a signature already. Anything in the works from Symantec?
    If no def update is planned, maybe Symantec can recommend a custom IPS signature that blocks offending code, granted they have PoC on hand?
    Thanks!
     


  • 2.  RE: SEP and "Operation Aurora"?



  • 3.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 02:39 PM
    Vikram,
    Operation "Aurora" and Adware.Aurora are two separate issues, totally unrelated. Click below to read about the issue I'm talking about:
    www.mcafee.com/us/threat_center/operation_aurora.html
    Some abstract description:
    www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx 


  • 4.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 02:44 PM
    I've heard about these attacks recently on the news and online. Well, Symantec hasn't come up with a blog on it yet, so I am guessing it will come soon.


  • 5.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 02:54 PM
    While blog (and customer communication) would be nice to educate general public and client base, I'd actually prefer a signature or out-of-bound method to protect against this vulnerability. McAfee has one as well as a detailed description, why is Symantec sitting on its hands again?


  • 6.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 02:58 PM
    While blog (and customer communication) would be nice to educate general public and client base, I'd actually prefer a signature or out-of-bound method to protect against this vulnerability. McAfee has one as well as a detailed description, why is Symantec sitting on its hands again?


  • 7.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 02:59 PM
    /sorry for double-post 


  • 8.  RE: SEP and "Operation Aurora"?



  • 9.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 08:29 PM
    Paul,
    This is EXACTLY what I was looking for, thank you! Do you have a definition version that I can reference to confirm that we are protected in the enterprise?
    Thanks again! 


  • 10.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 09:04 PM

    As per the hyperlink for Hydraq, anything post January 10, 2010 revision 017 will detect the threat.

    For IPS, it was added to SU130 for SEP:

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep11_32&year=2010&suid=SAV11_32-SU130-20100116.001

    and SU233 for SCS

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=scs&pvid=scs&year=2010&suid=cNDC_Enterprise-SU233-20100116.01

    Relative definition dates are also in those links



  • 11.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 09:08 PM


  • 12.  RE: SEP and "Operation Aurora"?

    Posted Jan 18, 2010 10:03 PM
    Hello Paul,
    Thank you for clarification and links, this is exactly what I needed. I was not worried about mythical proportions of its exploitation, or Google vs. China debacle per se. However any 0-day vulnerability in IE, whose PoC code is publically available with no solution or work-around from Microsoft is a worrisome sign for us, leaving anti-virus being the last resort in these kinds of situations.
    Anyway, I'm glad Symantec stepped up and released the solution.

    D
     


  • 13.  RE: SEP and "Operation Aurora"?

    Posted Jan 19, 2010 02:53 PM
    @ Paul

    Because of the SEPM 2010 virus definition issue, our PTP (zero-day) definitions are from December 31, 2009 rev. 20.
    Are we still protected from this issue? I have seen some info on the net regarding this IE issue. Thanks.

    Mike



  • 14.  RE: SEP and "Operation Aurora"?

    Posted Jan 19, 2010 03:00 PM
    hi mike..
    An IPS definition has been released for this threat, and IPS is part of Network Threat Protection, so make sure your Network Threat Protection is dated Jan 16 r1.


  • 15.  RE: SEP and "Operation Aurora"?

    Posted Jan 19, 2010 03:31 PM
    Yes sir. We are at 1-16-R1. Cool, thanks!


  • 16.  RE: SEP and "Operation Aurora"?

    Posted Jan 20, 2010 12:49 PM
    Paul and all,
    I just tested a known 0-day site and SEP didn't detect the actual exploit via IPS signature, nor did it detect the following trojan installation via A/V signature. We are up-to-date in both A/V and IPS; however, I do NOT see signature ID 23599 in our IPS policy. I got this ID number from this link:
    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23599
    Is this a correct ID that I should reference for IPS detection of this threat? If not, which ID can I reference?
    Some links and screenies:
    VirusTotal detection result for the rootkit:
    http://www.virustotal.com/analisis/b5713982e8e9e1911e0a66ca610975dd4f37ace880d9eac93315f43c3304d062-1264007509 
    HitmanPro detecting rootkit on test machine:
    sep_ips.PNG
    SEP status on machine in question:
    sep_status.PNG

    IPS signature list and IDs from SEPM:
    sep_ips_sigs.PNG


  • 17.  RE: SEP and "Operation Aurora"?

    Posted Jan 20, 2010 01:09 PM
    A quick update to the above: it looks like we're not getting the IPS signature 23599 for some reason, even though we're on the latest, greatest IPS/AV revisions. Our LiveUpdate policy is configured to not filter anything out and to download and deploy all the latest definitions for both.
    Any idea what's going on?


  • 18.  RE: SEP and "Operation Aurora"?

    Posted Jan 20, 2010 04:19 PM
    Another update: our SEPM has the latest IPS definitions yet signature 23599 is yet to be found.
    sep_ips_dates.JPG


  • 19.  RE: SEP and "Operation Aurora"?

    Posted Jan 20, 2010 10:00 PM
    Hi Dimitri,

    That's strange, it's almost as if you are stuck on a slightly older IPS version. Attached you can see the print screen from my SEPM, where I clearly have a few more sigs than you, and the 23599 signature too.

    23599.jpg

    Let me see if there is anything we can check for you...



  • 20.  RE: SEP and "Operation Aurora"?

    Posted Jan 20, 2010 10:16 PM
    Paul,
    Thank you for replying. Indeed, it looks like we're missing 9 signatures or so.. I even tried updating the SEPM manually via jdb but still got the same date/count.
    Thanks,

    Dimitri
    P.S. I replied to your email with link to the site, as you requested. 


  • 21.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 10:35 AM
    Paul,
    Any word on why we may be missing IPS signatures? Do I need to open a ticket to get this resolved?
    Thanks! 


  • 22.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 12:26 PM
    UPDATE: After opening a ticket, this appears to be an issue reported by others as well. Check your IPS signature list and if the total number of IPS signatures is less than 1821, you too are affected and not protected.


  • 23.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 02:12 PM
    1812  total signatures for us, and we run LU constantly.....

    23588 is the highest numbered

    So, it seems to be a larger issue with more folks.......................


  • 24.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 02:23 PM
    Yep, you're in the same boat. I have a ticket open, you might want to do the same, reference Case 411-088-745 to make your life easier. 


  • 25.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 03:43 PM
    I have a non-managed install on my Vista machine, and I run LU to update it direct from Symantec, it doesn't go through our SEPM at all, I just ran LU, and it's current.............. but has the same numbers as our SEPM shows, 1-19-2010 rev 1.
    And SEP/M has got 1812 signatures (not a typo, I'm not meaning 1821) and does not have that sig in question.


  • 26.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 04:07 PM
    Hi Dimitri,

    Thanks for logging the call - I have informed the appropriate resources and asked them to take a look asap for you.

    We have checked out the blog page you sent me:

    There are five links in the blog... one URL is working (xx222[.]8866[.]org:2988/dz/ie[.]html) and is detected by HTTP MSIE Memory Corruption Code Exec (23599).


  • 27.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 04:32 PM
    My install has all 1821 signatures, including the IE exploit.
    That's pretty strange.

    Mike



  • 28.  RE: SEP and "Operation Aurora"?

    Posted Jan 21, 2010 08:06 PM
     If you have 1821 sigs or more, you're OK. If you have 1812 like ShadowsPapa and myself, then you're not protected and missing at least 9 signatures.
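The check the thread converges on (posts 22 and 28) is a count and a lookup: a console that lists fewer than 1821 IPS signatures, or that lacks ID 23599 (HTTP MSIE Memory Corruption Code Exec), is the state the affected posters were in. The script below is an added example, not code from the thread or from Symantec, that automates that comparison over an exported signature list. The two-column CSV layout, the `parse_export`/`assess` names and the synthetic signature IDs are all assumptions constructed for the example; only the threshold, the signature ID and name, and the SU130 date come from the thread. Note that later posts report the short count as a display problem on some consoles, so a finding here means "verify", not "unprotected".

```python
"""Compare an IPS signature export against the numbers reported in the thread."""
import csv
import io
from datetime import date

# Values quoted in the thread above.
AURORA_SIG_ID = 23599
AURORA_SIG_NAME = "HTTP MSIE Memory Corruption Code Exec"
EXPECTED_TOTAL = 1821                   # count on a console showing the full 1-19-2010 R1 list
REQUIRED_IPS_DATE = date(2010, 1, 16)   # SU130, the IPS update that added the signature


def parse_export(text):
    """Parse an 'id,name' CSV into {signature id: name}.

    The two-column layout is an assumption for this example, not a real
    SEPM export format; adapt it to whatever your console produces.
    """
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["id"]): row["name"].strip() for row in reader}


def assess(sigs, ips_def_date):
    """Return a list of findings; an empty list means the console looks healthy."""
    findings = []
    if ips_def_date < REQUIRED_IPS_DATE:
        findings.append(
            f"IPS definitions dated {ips_def_date} predate SU130 ({REQUIRED_IPS_DATE})")
    if len(sigs) < EXPECTED_TOTAL:
        findings.append(
            f"only {len(sigs)} IPS signatures listed, expected at least {EXPECTED_TOTAL}")
    if AURORA_SIG_ID not in sigs:
        findings.append(
            f"signature {AURORA_SIG_ID} ({AURORA_SIG_NAME}) not in list; "
            f"highest listed id is {max(sigs)}")
    elif sigs[AURORA_SIG_ID] != AURORA_SIG_NAME:
        findings.append(
            f"signature {AURORA_SIG_ID} is present but named {sigs[AURORA_SIG_ID]!r}")
    return findings


def build_export(ids):
    """Build a constructed CSV export; names are placeholders except for 23599."""
    lines = ["id,name"]
    for sid in ids:
        name = AURORA_SIG_NAME if sid == AURORA_SIG_ID else f"constructed-sig-{sid}"
        lines.append(f"{sid},{name}")
    return "\n".join(lines) + "\n"


# Constructed sample data: 1821 contiguous synthetic ids ending at 23599 (real
# ids are not contiguous), and the same list with its nine highest ids dropped,
# which gives the 1812 count the affected consoles in the thread reported.
HEALTHY_IDS = list(range(AURORA_SIG_ID - EXPECTED_TOTAL + 1, AURORA_SIG_ID + 1))
STUCK_IDS = HEALTHY_IDS[:-9]


if __name__ == "__main__":
    for label, ids in (("healthy", HEALTHY_IDS), ("stuck", STUCK_IDS)):
        result = assess(parse_export(build_export(ids)), date(2010, 1, 19))
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

Run it as-is to see both states side by side; in practice, replace `build_export` with the export from your own console and pass the definition date shown on the SEPM.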


  • 29.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 07:39 AM
    Just to add... I too only have 1812 sigs, I am running the latest IPS defs... 19th Jan 2010 R1 from SEPM.

    Edit: i have logged this with support, ticket no 411-109-831



  • 30.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 08:34 AM
    So we're going all this time unprotected with the sigs that all assume everyone has!
    WOW, I sure can't tell anyone else here about this. I hope it's fixed soon as if anyone is at risk, it's us here with the way our people use computers and email and browsers and Acrobat Reader and all.............. I had to argue big time yesterday to get them to NOT re-enable Acrobat reader scripts! Yikes! I raised cane, made them upset, but I think finally got my way.
    Defs dated the 19th, this is the 22nd, can we find a solution fast, please??
    Is this related to anything else, perhaps?
    Is there some file that can be provided that we can simply drop into place and get protection?
    Is there a manual patch or update we can download and apply?
    I suspect STRONGLY that this is a huge issue, just that no one really compares defs date to a certain number of signatures! I mean, it if were not for this very thread, how would anyone in the world know how many and what should be in that list?
    There's no check that says anywhere "1-19-2010 defs should contain this...." is there?
    Just that someone looked and found - there's not the protection there's supposed to be.
    Could there be thousands not protected who don't realize it?
    Has a KB document been posted for folks to see yet?
    I think it would be prudent to post a doc that states - this is the risk, this is the version/date that should protect you, but make sure you have 1821 defs and not 1812.................
    Bottom line - my fear is that thousands of folks out there don't have the protection they think they have, because they have the latest defs, and don't know to look any farther............so think 1-19-2010 is just fine.
    Can we at least get the info out?


  • 31.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 09:18 AM
    We have 1-19-2010 R1 also, for both the SEPM and LUA downloads... Only 1812 IPS signatures. 13,000+ clients are now not protected if I am reading this thread right. If we can't get this resolved asap, does anybody plan to write a custom signature?

    Thanks,
    MK_SEP_Admin


  • 32.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 09:25 AM
    I got the Microsoft update and we're still at 1812 IPS sigs too.  Our ticket is still open with Symantec support.  No response yet.

    Double or nothing? 
    Let's see how many enterprises can get the Microsoft patch deployed to everyone before we all get our IPS sigs updated.

    How embarrassing this must be for Symantec.


  • 33.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 10:01 AM
    Just when I thought the updates were working properly again......................


  • 34.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 11:39 AM
    To support the severity of the issue, I've opened a case.  I referenced the one above when opening it.  Ours is 411-113-307 but after 98 minutes on hold after opening, I gave up waiting for technician. I have the Symantec case opened as critical due to the MS severity of the issue.


  • 35.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 01:28 PM
    You are 100% correct, there could be thousands that think they are protected, but they're not. Symantec is playing "hush-hush" for obvious reasons, since the fix was reported to have been released on January 16th, almost a week ago. I agree that there should be a customer communication notice informing customers of the fact. I understand that not everyone is affected and the level of exploitation of the vulnerability is far from catastrophic, but a little full disclosure from the vendor would be very nice and fitting, IMHO.

    Dimitri


  • 36.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 03:50 PM

    Here is my initial take on the problem. We are researching to confirm. So, don't treat this as gospel true yet. :-)

    It seems like this is a problem here with the exclusions not displaying the newer signatures, but that protection is still in place. We believe this is a display problem only. Symantec is confirming this information and will provide an update soon.



  • 37.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 04:54 PM
    Jim,
    I have tested 0-day exploit against SEP in current "confused" state, and it didn't detect the buffer overflow in IE via IPS signature, nor did it detect the rootkit that followed via AV signature. I have submitted both code and AV sample to Symantec, you can also see some screenshots above and VirusTotal link for the malware sample.
    That's what initially started my follow-up to this thread; only later I noticed the missing signature issue. So either the issue is "cosmetic", as you describe it, and "hidden" IPS and AV signatures are useless against this attack, despite being active, OR they are missing altogether, which explains lack of detection. Either way, I can't say I'm pleased with the result.

    Dimitri 


  • 38.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 06:14 PM
    UPDATE: It looks like Friday AV definitions (r7 as of 1/22/2010) are catching *some* versions of trojans that the exploit is launching via Trojan.Malscript!.html signature. Actual buffer overflow is still not being detected via the IPS signature (missing or otherwise).


  • 39.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 06:32 PM
     As of 1/22/2010 there is a KB article that lists this issue as being known since 1/20/2010 and that Symantec is aware of the IPS sigs not being updated, and is working on a solution.

    DocID 2010012009350848


  • 40.  RE: SEP and "Operation Aurora"?

    Posted Jan 22, 2010 09:40 PM
    Buffer overflow is now detected via IPS signature, despite the signature count still being at 1812, which I'm told is a "cosmetic" issue similar to the 2010 bug. Whatever the issue is, or when it's going to be fixed, I do not know, but as far as I can tell, we are fully protected via both IPS and A/V signatures.
    Thank you all for playing! 


  • 41.  RE: SEP and "Operation Aurora"?

    Posted Jan 25, 2010 10:04 AM
    Following this KB works well.
    Basically, set your cached LU updates down to 1, run LU, see that the cache was flushed, then set it back to 12 or 16 or whatever you had it at before you set it back to 1.
    Then look at the list - it'll show all 1821 perfectly.
    Of course, the cached downloads are gone............. but your list will be fresh.
    It seems they are actually there, just not showing up as I gather it.

    http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3258d8fd2c85689f882576b1006098a2?OpenDocument



  • 42.  RE: SEP and "Operation Aurora"?

    Posted Jan 25, 2010 01:24 PM
    @ ShadowPapa

    Good info, thanks!


  • 43.  RE: SEP and "Operation Aurora"?

    Posted Jan 25, 2010 01:47 PM
    Dimitri,

    Thanks for your follow-up on this issue! After you reported the initial detection not working, I followed up with our Response folks, who confirmed the updated detection that went out on Tuesday 1/19 provided protection against the website that you had reported to Paul. Thanks also for your persistence in working to make sure the protection is working for all folks here and the display issue! Having the additional layer of protection against the underlying vulnerability with the IPS/Network Threat Protection solution is crucial, and it is good to see you having it enabled.

    Thanks,
    John



  • 44.  RE: SEP and "Operation Aurora"?

    Posted Jan 25, 2010 03:03 PM
    I agree Dimitri is to be thanked for the SPECIFIC information and the actual TESTING to prove one way or another, and not just "guess".
    It's real helpful to customers and Symantec support to have such detailed information!
    It helped me to figure things out here, too..........



  • 45.  RE: SEP and "Operation Aurora"?

    Posted Jan 25, 2010 03:58 PM
    ditto!  Thanks for posting that as well!
    cheers,
    John