Endpoint Protection

Hello

We recieve this message [SID: 23797] HTTP Zombie Exploit Toolkit Request detected.
It appears everytime i enter a Site which uses the Software SlideShowPro, which is also used on our portal. It also appears on the company website of SlideShowPro (especially in the galeries).

http://slideshowpro.net/

I opened a threat there to get some community feedback. It appears that this block is only occuring at our machines, no other customers of SSP - and that since the latest update of the antivirus.

I am kind of confused because there are several threats about this in the web that are very new, and everytime it is caused by norton.

My question is now, if this is really a threat or something else regarding the update?

I would be very thankful to get some answers. Meanwhile i have taken my site offline to prevent any further damage for other users.

Looking forward to get some Feedback!

Best regards

Sascha

Are you using Norton [internet security / 360] or Symantec Endpoint Protection?

As my website use SlideShow Pro too , I took a peek on my site and did not find any issue.
I check to Slideshowpro.net portal and can't seem to replicate the issue too.

I am running SEP 11 with 11 Jan 2011 rev 01 dated NTP definition.

We did update HTTP zombie toolkit request signature in today's update

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep11_32&year=2011&suid=SAV11_32-SU265-20110111.001

Therefore best to contact Symantec support for them to analyze deeper what's going on. Maybe your Adobe Flash version is not up to date and got compromised.

I use Symantec Endpoint Protection V11 (2011-01-11 rev37).

I have the following Flash Version: 10,1,102,64 installed.
Recording to Adobe it is the newest version?

Is it possible that a machine in our network with an older version could have gotten compromised and spread?

The Network Threat Protection definition version is best to check as Antivirus definition has nothing to do with the HTTP request alert.

If you think its one of the machine within your network, open up your client NTP logs and check the source IP address.

I strongly doubt its coming from internal.

The NTP logs say that there is massive outgoing traffic since this morning. I am kind of overasked to get any more information from the NTP. Does this mean that one of the machines is infected?

Strange is that noone else i ask to surf the (compromised) are getting any errors or warnings.

what is the kind of traffic? is it legit one?

It sounds like the box has an infection. Is the traffic going to an IP that you trust or one that you have no idea what it is?

Make sure defs are updated, pull it offline, boot into safemode and run a full scan.

Also, check the box hosting your site. It's possible it could've been compromised and doling out malware.

we got the same probleme

[SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
Datenverkehr aus dieser Anwendung wurde blockiert: C:\Programme\Internet Explorer\iexplore.exe

version: sep 11.0.6200.754

definition 11. Januar 2011 r20

 

Even if the full scan in safe-mode comes back clean, I would run some additional tools to check this system out for hidden threats.

The SERT (Symantec Endpoint Recovery Tool)is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

Get this tool from Fileconnect

How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions –http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

 

 The Load point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common loadpoints where threats can live.

Support Tool, Load Point Analysis Tool with Power Eraser Tool included –

http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

Regards,

Thomas

Here is a log-file of the NTP:

1    12.01.2011 10:15:23    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    2    12.01.2011 10:14:22    12.01.2011 10:14:22    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
2    12.01.2011 10:16:51    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    449    12.01.2011 10:15:39    12.01.2011 10:15:46    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
3    12.01.2011 10:18:29    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    444    12.01.2011 10:17:09    12.01.2011 10:17:23    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
4    12.01.2011 10:28:31    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    693    12.01.2011 10:27:21    12.01.2011 10:27:29    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
5    12.01.2011 10:29:47    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    19    12.01.2011 10:28:42    12.01.2011 10:28:43    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
6    12.01.2011 10:32:11    Intrusion Prevention    Kritisch    Ausgehend    TCP    70.32.121.204    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    10    12.01.2011 10:30:51    12.01.2011 10:31:08    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    
7    12.01.2011 10:33:40    Intrusion Prevention    Kritisch    Ausgehend    TCP    70.32.121.204    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    14    12.01.2011 10:32:14    12.01.2011 10:32:39    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
  

Is there anymore information i can recieve about the outgoing traffic? Because from this log i cannot verify exactly if the traffic is leggit or not... 

Thanks for any help.

80.74.145.65 is from:

IP Address	80.74.145.65
Host	dali.sui-inter.net
Location	CH, Switzerland
City	-, - -
Organization	METANET GmbH, Switzerland
ISP	METANET AG
AS Number	AS21069 METANET AG, Switzerland

 

70.32.121.204 is from:

IP Address	70.32.121.204
Host	slideshowpro.net
Location	US, United States
City	Culver City, CA 90232
Organization	MEDIA TEMPLE
ISP	MEDIA TEMPLE
AS Number	AS31815 Media Temple, Inc.

I had same problem with my own webpage.

After some research I have come into conclusion that the problem is with webpage named "p.php".

I.e. ANY webpage named p.php causes this alert and, at least in my case, gets even blocked from view.

To me it is not that big of problem, but I guess it annoys some bigger business, like the http://slideshowpro.net/

Let's hope they get it fixed soon.

We have seen a large number of these starting today also with SEP v11 HIPS from: 63.135.86.43 (MySpace) 184.168.11.57 (GoDaddy) 144.75.4.120 (VMI) to numerous internal users on both IE and Firefox. All report blocked by SEP HIPS and all of the machines appear to be clean when manually checked. No other monitoring device is reporting this; we also use WebSense and Damballa. As this signature was just updated today according tothe post above is this possibly a false-positive?

Symantec - if you need to contact someone at SlideShowPro regarding this, please contact Todd Dominey at todd@slideshowpro.net (that's me). There are tens of thousands of sites out there that are potentially affected by this (which we suspect is a false-positive concerning the SlideShowPro Director content urls), so we very much want to see this unexpected issue resolved as soon as possible. Thanks in advance.

Hi Todd,

You should report a False Positive to Symantec ASAP.

 

https://submit.symantec.com/false_positive/

False positive report submitted. 

I'm now wondering if this is a false positive. I'm getting pounded with these as well.

Same message is showing, while I run Webex meetmenow application.

I believe something wrong with the current updates. It was running fine earlier.

when I disable Network threat protection the application is working fine.

Please help.

I have seen a number of these as well today. Is there any other inforamtion on this being a false positive. Malware Domain List shows 4 domains that are in there database as serving up Zombie Exploitation Toolkit, the most recent one is from November.

This seems to be a common domain for the alerts I'm seeing (2 out of 3). Adobe On-line Marketing Suite:

2o7.net and omtrdc.net are domains used by Adobe to help provide portions of its Adobe® SiteCatalyst® and Adobe® SearchCenter+ products. Specifically, this domain is used by Adobe to place cookies, on behalf of its customers, on the computers of visitors to customers' selected websites.

 

It has a bad reputation of spyware, malicious content, etc. Anyone else who seeing traffic to this domain at the same time as the NTP event?

I'm getting a bunch of hits on odcdn.com

SEP v. 11.0.6000.550

My question, however, is, the pop dialog says a request was made for the HTTP Zombie Exploit Toolkit, not that the Zombie Exploit Toolkit was found.

So, in other words, SEP is saying don't go to this website ... right?

Are you getting the Network Threat Protection alert from SEP that says something to the effect of:

HTTP Zombie Exploit Toolkit Request detected. Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

 

If so, then it's not that the AV engine found the toolkit, but the traffic from an IP was blocked with due to that signature.

My log says that traffic has been blocked from iexplore.exe so I'm guessing the request was made and SEP blocked it.

If the Zombie toolkit was actually found, I would think the AV portion caught it but just a guess.

When any of our users visit clear channel radio station websites (www.z104fm.com) we are getting the Zombie exploit message as well. We first received notifications this morning.

Version: 11.0.3001.2224

Virus Defs: 2011-01-11 rev. 037

IPS: 2011-01-11 rev. 001

Not sure what happen overnight [am in Australia] , the FP looks like have been remediated after SU266 or 12 Jan 2011 rev 01 dated NTP signature.

Thanks for all the FP report submitted.

I wouldn't say I'm being overwhelmed by these, and none of the blocked packets were bound for "business related" sites, but I certainly think this is a likely a false positive.

LiveUpdate Defs ID

20110112.001

Should fix this issue.

http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep11_32&year=2011&suid=SAV11_32-SU266-20110112.001

Hello All,

 

In the last 24 hours we have received a large number of reports both via our the Symantec and Norton forums and also via our FP reporting process regarding unexpected Intrusion Prevention detections for multiple trusted web locations. These sites were detected because of an errant detection on our part, aimed at targeting a specific type of malicious network traffic. We make great efforts to avoid detection of clean network traffic, testing each signature thoroughly against known good network traffic, including using both live and historical content from many popular websites. What happened in this case is the result of two specific problems that occurred:

1) an element of the malicious network traffic we targeted for detection was common to many clean websites, and

2) our detection was missing a key constraint that would have prevented detection of the clean sites

 

As of earlier this morning (PST) this issue has been fixed and an updated detection released via our LiveUpdate service. If you are still experiencing unexpected “HTTP Zombie Exploit Toolkit Request” detections and are skeptical about the issue, please update your Norton or Symantec product using LiveUpdate, and the issue should be corrected. Definitions 201101112.001 or later will contain the fix. Instructions on how to update your product using LiveUpdate can be found at the link below:

 

http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080417124026EN&ln=en_US

 

Please don’t hesitate to report this or any additional detections you believe to be False Positives if this fix does not resolve the issue for you.  Our False Positive reporting page is available here:

 

https://submit.symantec.com/false_positive

 

We sincerely apologize for any inconvenience this may have caused you or your customers, and we would like to thank each of the members in our user community responsible for bringing this to our attention so quickly.

 

Symantec Security Response

Thanks. finally it got fixed.

Thank you for fixing this issue!

Best regards

Sascha