The worm, which both companies referred to as a botworm, acts much like the Windows-targeted network worms of a few years back – it scans for vulnerable hosts on the internet, then attempts to exploit a known vulnerability.
Rather than going after the operating system like Blaster or Slammer, Big Yellow targets a known vulnerability in Symantec’s Client Security and AntiVirus products – its two key desktop security clients.
By exploiting the flaw, the worm is able to download a backdoor program and gain full control of the machine, adding it to the attacker’s existing network of botted PCs.
It targets a vulnerability for which a patch was released by Symantec back in May. However, Symantec does not deliver product updates automatically to corporate customers via its LiveUpdate service, as it does with its consumer base, so there were still some vulnerable machines out there last week.
Vincent Weafer, director of Symantec security response, said that the company had received a handful of calls about incidents, including some from about a dozen educational institutions, which tend to have more complex and less well-managed networks, but that the outbreak was not severe.
This was not a significant event, he said, pointing out that even on an unpatched system, the exploit or backdoor could still be caught by the host intrusion prevention or antivirus features of the Symantec software respectively.
The incident does illustrate two interesting trends in malware, however. First, worms targeting applications rather than operating systems are on the increase. This clearly means there are fewer targets for the worms to attack, which not coincidentally illustrates the second trend – malware writers are no longer going for large Blaster-style damaging attacks.
They’re now going for a more softly-softly approach, where they can sneak their malware in under the radar and compromise as many machines as possible before detection and removal tools are created. Controlling a large botnet can translate directly into big money, either through spam, blackmail or advertising click-fraud.