[ISN] Symantec 'security scan' distributes rootkit

From: InfoSec News (isnat_private)
Date: Wed Jul 16 2003 - 00:45:08 PDT

  • Next message: InfoSec News: "[ISN] Red alert on the e-war front"

    http://www.theregister.co.uk/content/55/31752.html
    
    By Thomas C Greene in Washington
    Posted: 15/07/2003 
    
    "Symantec Security Check is a free web-based tool that enables users
    to test their computer's exposure to a wide range of on-line threats,"  
    the press release begins. Unfortunately, Symantec Security Check has
    also been installing an on-line threat of its own in the form of a
    dangerous ActiveX control.
    
    "The ActiveX control, named Symantec RuFSI Utility Class or Symantec
    RuFSI Registry Information Class, contains a buffer overflow exploit,"  
    the company says, though we're nearly certain they mean that it's
    exploitable, not that it's actually been infected with something. But
    you never know; the press release is one of those waffly ones that
    doesn't quite tell you everything you want to hear.
    
    The buffer overflow can be exploited by hip Webmasters, and victims
    turning up at their sites risk having malicious code run on their
    Windows boxes.
    
    The easiest way to get rid of the dangerous ActiveX control that
    security experts Symantec have planted on your machine is to visit the
    Security Check Web page again, submit to the security check once more,
    and allow them to install a much better one in its place, which they
    are now prepared to do.
    
    Or, if you've had enough of their security expertise for now, you can,
    in Symantec's words, "attempt to remove" the relevant file thus:
    
    Boot to a DOS prompt and delete the file rufsi.dll from the
    %Windir%\Downloaded Program Files\ directory.
    
    Choose your poison.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Jul 16 2003 - 03:30:19 PDT