Endpoint security firm eEye Digital Security says it has discovered malware that exploits Symantec desktop security products by spreading through an unpatched vulnerability in Symantec’s antivirus software.
The malware, called “Big Yellow” due to the distinct color of Symantec’s brand, is a combined worm and botnet that is controlled through Internet Relay Chat channels, according to Marc Maiffret, eEye’s founder and CTO. The worm/botnet malware appears to have originated in China, Maiffret says.
In May, eEye discovered the underlying buffer-overflow vulnerability in Symantec’s AntiVirus and Client Security products that Big Yellow is said to exploit. Symantec acknowledged and fixed the problem in an advisory at that time.
However, if users didn’t update their Symantec applications -- simply downloading antivirus signatures alone wouldn’t be sufficient -- they would still be vulnerable to the Big Yellow worm, Maiffret says.
While Big Yellow is not the first malware known to exploit the unpatched Symantec application vulnerability, it appears to be the most aggressive and dangerous so far, able to execute arbitrary code with system privileges on a targeted machine.
Maiffret says Big Yellow is notable because it is “non-Microsoft-based malware” that depends on exploiting applications from vendors other than Microsoft.
“IT urgently needs to understand that the new vector for attack will not come from Microsoft but from myriad applications that are scattered throughout its network,” Maiffret points out.
Vincent Weafer, senior director of Symantec Security Response, said eEye Digital did not share a sample of the "Big Yellow" malware with Symantec, but late Wednesday Symantec identified a combined worm/bot that may be the same malware. "We call it 'Sagevo'," said Weafer. "We think it's one and the same thing." He added that Symantec wasn't getting significant corporate submissions related to it.
"We are seeing some scanning activity," said Weafer about Sagevo. "But for us it's pretty well a non-event."
Weafer added that eEye Digital, while having a great research group, was out to "get attention and get publicity" in its announcement about discovering "Big Yellow."
However, Weafer noted that it is important to make sure the Symantec corporate application is fully updated to prevent malware from exploiting the buffer-overflow vulnerability identified last May in the antivirus products.
eEye Digital’s products include the vulnerability-assessment and intrusion-prevention software Blink and Retina.