Endpoint Protection


HTTP Zombie Exploit Toolkit Request


  • 1.  HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 07:13 AM

    Hello

    We receive this message: [SID: 23797] HTTP Zombie Exploit Toolkit Request detected.
    It appears every time I enter a site which uses the software SlideShowPro, which is also used on our portal. It also appears on the company website of SlideShowPro (especially in the galleries).

    http://slideshowpro.net/

    I opened a thread there to get some community feedback. It appears that this block is only occurring on our machines, no other customers of SSP - and that since the latest update of the antivirus.

    I am kind of confused because there are several threads about this on the web that are very new, and every time it is caused by Norton.

    My question is now: is this really a threat or something else regarding the update?

    I would be very thankful to get some answers. Meanwhile I have taken my site offline to prevent any further damage for other users.

    Looking forward to getting some feedback!

    Best regards

    Sascha



  • 2.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 07:29 AM

    Are you using Norton [internet security / 360] or Symantec Endpoint Protection?

    As my website uses SlideShowPro too, I took a peek at my site and did not find any issue.
    I checked the Slideshowpro.net portal and can't seem to replicate the issue there either.

    I am running SEP 11 with the 11 Jan 2011 rev 01 dated NTP definition.

    We did update the HTTP Zombie Toolkit Request signature in today's update:

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep11_32&year=2011&suid=SAV11_32-SU265-20110111.001

    Therefore best to contact Symantec support for them to analyze deeper what's going on. Maybe your Adobe Flash version is not up to date and got compromised.



  • 3.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 07:42 AM

    I use Symantec Endpoint Protection V11 (2011-01-11 rev37).

    I have the following Flash Version: 10,1,102,64 installed.
    According to Adobe it is the newest version?

    Is it possible that a machine in our network with an older version could have gotten compromised and spread?



  • 4.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 07:50 AM

    The Network Threat Protection definition version is the one to check, as the Antivirus definition has nothing to do with the HTTP request alert.

    If you think it's one of the machines within your network, open up your client NTP logs and check the source IP address.

    I strongly doubt it's coming from internal.



  • 5.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 08:55 AM

    The NTP logs say that there is massive outgoing traffic since this morning. I am at a loss as to how to get any more information out of the NTP. Does this mean that one of the machines is infected?

    Strange is that no one else I ask to surf the (compromised) site is getting any errors or warnings.



  • 6.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 08:58 AM

    What kind of traffic is it? Is it legitimate?



  • 7.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 08:59 AM

    It sounds like the box has an infection. Is the traffic going to an IP that you trust or one that you have no idea what it is?

    Make sure defs are updated, pull it offline, boot into safemode and run a full scan.

    Also, check the box hosting your site. It's possible it could've been compromised and doling out malware.



  • 8.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 09:44 AM

    We got the same problem:

    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
    Datenverkehr aus dieser Anwendung wurde blockiert: C:\Programme\Internet Explorer\iexplore.exe

    version: SEP 11.0.6200.754

    definition 11 January 2011 r20



  • 9.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 09:58 AM

    Even if the full scan in safe-mode comes back clean, I would run some additional tools to check this system out for hidden threats.

    The SERT (Symantec Endpoint Recovery Tool) is useful in situations where computers are too heavily infected for the Symantec Endpoint Protection client installed upon them to clean effectively.

    Get this tool from Fileconnect

    How To Use the Symantec Endpoint Recovery Tool with the Latest Virus Definitions – http://www.symantec.com/business/support/index?page=content&id=TECH131732&locale=en_US

    The Load Point Analysis Tool generates a detailed report of the programs loaded on your system. It is helpful in listing common load points where threats can live.

    Support Tool, Load Point Analysis Tool with Power Eraser Tool included –

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US


    Regards,

    Thomas



  • 10.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 10:10 AM

    Here is a log-file of the NTP:

    1    12.01.2011 10:15:23    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    2    12.01.2011 10:14:22    12.01.2011 10:14:22    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    2    12.01.2011 10:16:51    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    449    12.01.2011 10:15:39    12.01.2011 10:15:46    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    3    12.01.2011 10:18:29    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    444    12.01.2011 10:17:09    12.01.2011 10:17:23    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    4    12.01.2011 10:28:31    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    693    12.01.2011 10:27:21    12.01.2011 10:27:29    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    5    12.01.2011 10:29:47    Intrusion Prevention    Kritisch    Ausgehend    TCP    80.74.145.65    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    19    12.01.2011 10:28:42    12.01.2011 10:28:43    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    6    12.01.2011 10:32:11    Intrusion Prevention    Kritisch    Ausgehend    TCP    70.32.121.204    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    10    12.01.2011 10:30:51    12.01.2011 10:31:08    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
        
    7    12.01.2011 10:33:40    Intrusion Prevention    Kritisch    Ausgehend    TCP    70.32.121.204    00-00-00-00-00-00    192.168.1.181    20-CF-30-3B-5C-56    C:\Program Files (x86)\Internet Explorer\iexplore.exe    m.schuler    SIAG    Standard    14    12.01.2011 10:32:14    12.01.2011 10:32:39    [SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt.
      

    Is there any more information I can receive about the outgoing traffic? Because from this log I cannot verify exactly whether the traffic is legit or not...

    Thanks for any help.
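    The rows above are a raw client log export; a defender's first step is to parse them, group by remote address and add up the occurrence counts, so each remote can then be looked up (as the next reply does) and the result attached to a false-positive submission. The following Python is an added example, not code from this thread or from Symantec; the tab separators, the column names and reading the numeric column before the begin time as an occurrence count are my assumptions.

```python
import re
from datetime import datetime

# Column layout of a SEP 11 client Network Threat Protection log export, as it
# appears in the rows posted above. Tab separators are an assumption, the column
# names are mine, and the number before the begin time is read as an occurrence count.
FIELDS = ("idx", "logged", "type", "severity", "direction", "proto", "remote_ip",
          "remote_mac", "local_ip", "local_mac", "app", "user", "domain",
          "location", "occurrences", "begin", "end", "message")

# The seven rows from the post, reconstructed: (idx, logged, remote IP, occurrences, begin, end).
ROWS = [
    ("1", "12.01.2011 10:15:23", "80.74.145.65", "2", "12.01.2011 10:14:22", "12.01.2011 10:14:22"),
    ("2", "12.01.2011 10:16:51", "80.74.145.65", "449", "12.01.2011 10:15:39", "12.01.2011 10:15:46"),
    ("3", "12.01.2011 10:18:29", "80.74.145.65", "444", "12.01.2011 10:17:09", "12.01.2011 10:17:23"),
    ("4", "12.01.2011 10:28:31", "80.74.145.65", "693", "12.01.2011 10:27:21", "12.01.2011 10:27:29"),
    ("5", "12.01.2011 10:29:47", "80.74.145.65", "19", "12.01.2011 10:28:42", "12.01.2011 10:28:43"),
    ("6", "12.01.2011 10:32:11", "70.32.121.204", "10", "12.01.2011 10:30:51", "12.01.2011 10:31:08"),
    ("7", "12.01.2011 10:33:40", "70.32.121.204", "14", "12.01.2011 10:32:14", "12.01.2011 10:32:39"),
]

def _row(idx, logged, rip, occ, begin, end):
    # Fill in the columns that are constant across the posted rows.
    return "\t".join([idx, logged, "Intrusion Prevention", "Kritisch", "Ausgehend", "TCP", rip,
                      "00-00-00-00-00-00", "192.168.1.181", "20-CF-30-3B-5C-56",
                      r"C:\Program Files (x86)\Internet Explorer\iexplore.exe", "m.schuler", "SIAG",
                      "Standard", occ, begin, end, "[SID: 23979] HTTP Zombie Exploit Toolkit Request erkannt."])

SAMPLE_LOG = "\n".join(_row(*r) for r in ROWS)  # constructed sample export

def parse_ntp_log(text):
    """Parse export rows into dicts; a header line or malformed rows are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue
        ev = dict(zip(FIELDS, parts))
        ev["occurrences"] = int(ev["occurrences"])
        m = re.search(r"\[SID: (\d+)\]", ev["message"])   # signature id, e.g. 23979
        ev["sid"] = int(m.group(1)) if m else None
        for k in ("begin", "end"):
            ev[k] = datetime.strptime(ev[k], "%d.%m.%Y %H:%M:%S")
        events.append(ev)
    return events

def summarize_by_remote(events):
    """Group by remote IP: row count, summed occurrences, SIDs, process names, time window."""
    out = {}
    for ev in events:
        s = out.setdefault(ev["remote_ip"], {"rows": 0, "occurrences": 0, "sids": set(),
                                             "apps": set(), "first": ev["begin"], "last": ev["end"]})
        s["rows"] += 1
        s["occurrences"] += ev["occurrences"]
        s["sids"].add(ev["sid"])
        s["apps"].add(ev["app"].rsplit("\\", 1)[-1].lower())   # e.g. iexplore.exe
        s["first"], s["last"] = min(s["first"], ev["begin"]), max(s["last"], ev["end"])
    return out
```

    A summary where every remote is a known web host and every blocking process is a browser, as here, is the shape of a signature false positive rather than a compromised host; an unknown remote from a non-browser process is what would warrant the offline scan suggested earlier.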



  • 11.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 12:10 PM

    80.74.145.65 is from:

    IP Address 80.74.145.65
    Host dali.sui-inter.net
    Location CH CH, Switzerland
    City -, - -
    Organization METANET GmbH, Switzerland
    ISP METANET AG
    AS Number AS21069 METANET AG, Switzerland

     

    70.32.121.204 is from:

    IP Address 70.32.121.204
    Host slideshowpro.net
    Location US US, United States
    City Culver City, CA 90232
    Organization MEDIA TEMPLE
    ISP MEDIA TEMPLE
    AS Number AS31815 Media Temple, Inc.


  • 12.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 12:58 PM

    I had same problem with my own webpage.

    After some research I have come to the conclusion that the problem is with a web page named "p.php".

    I.e. ANY web page named p.php causes this alert and, at least in my case, even gets blocked from view.

    To me it is not that big of a problem, but I guess it annoys some bigger businesses, like http://slideshowpro.net/

    Let's hope they get it fixed soon.



  • 13.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 01:03 PM

    We have seen a large number of these starting today also with SEP v11 HIPS from: 63.135.86.43 (MySpace), 184.168.11.57 (GoDaddy), 144.75.4.120 (VMI) to numerous internal users on both IE and Firefox. All report blocked by SEP HIPS, and all of the machines appear to be clean when manually checked. No other monitoring device is reporting this; we also use WebSense and Damballa. As this signature was just updated today according to the post above, is this possibly a false positive?


  • 14.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 01:15 PM

    Symantec - if you need to contact someone at SlideShowPro regarding this, please contact Todd Dominey at todd@slideshowpro.net (that's me). There are tens of thousands of sites out there that are potentially affected by this (which we suspect is a false-positive concerning the SlideShowPro Director content urls), so we very much want to see this unexpected issue resolved as soon as possible. Thanks in advance.



  • 15.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 01:30 PM

    Hi Todd,

    You should report a False Positive to Symantec ASAP.

     

    https://submit.symantec.com/false_positive/



  • 16.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 01:49 PM

    False positive report submitted. 



  • 17.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 01:59 PM

    I'm now wondering if this is a false positive. I'm getting pounded with these as well.



  • 18.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 02:13 PM

    The same message is showing while I run the Webex meetmenow application.

    I believe something is wrong with the current updates. It was running fine earlier.

    When I disable Network Threat Protection the application is working fine.

    Please help.



  • 19.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 03:11 PM

    I have seen a number of these as well today. Is there any other information on this being a false positive? Malware Domain List shows 4 domains that are in their database as serving up the Zombie Exploitation Toolkit; the most recent one is from November.



  • 20.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 03:18 PM

    This seems to be a common domain for the alerts I'm seeing (2 out of 3). Adobe On-line Marketing Suite:

    2o7.net and omtrdc.net are domains used by Adobe to help provide portions of its Adobe® SiteCatalyst® and Adobe® SearchCenter+ products. Specifically, this domain is used by Adobe to place cookies, on behalf of its customers, on the computers of visitors to customers' selected websites.

     

    It has a bad reputation for spyware, malicious content, etc. Is anyone else seeing traffic to this domain at the same time as the NTP event?



  • 21.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 03:55 PM

    I'm getting a bunch of hits on odcdn.com



  • 22.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 04:11 PM

    SEP v. 11.0.6000.550

    My question, however, is: the pop-up dialog says a request was made for the HTTP Zombie Exploit Toolkit, not that the Zombie Exploit Toolkit was found.

    So, in other words, SEP is saying don't go to this website ... right?



  • 23.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 04:22 PM

    Are you getting the Network Threat Protection alert from SEP that says something to the effect of:

    HTTP Zombie Exploit Toolkit Request detected. Traffic has been blocked from this application: C:\Program Files\Internet Explorer\iexplore.exe

     

    If so, then it's not that the AV engine found the toolkit, but that the traffic from an IP was blocked due to that signature.



  • 24.  RE: HTTP Zombie Exploit Toolkit Request

    Posted 01-12-2011 04:23 PM

    My log says that traffic has been blocked from iexplore.exe so I'm guessing the request was made and SEP blocked it.

    If the Zombie toolkit was actually found, I would think the AV portion caught it but just a guess.



  • 25.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 04:50 PM

    When any of our users visit clear channel radio station websites (www.z104fm.com) we are getting the Zombie exploit message as well. We first received notifications this morning.

    Version: 11.0.3001.2224

    Virus Defs: 2011-01-11 rev. 037

    IPS: 2011-01-11 rev. 001



  • 26.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 04:54 PM

    Not sure what happened overnight [I am in Australia], but the FP looks to have been remediated after SU266, or the 12 Jan 2011 rev 01 dated NTP signature.

    Thanks for all the FP reports submitted.



  • 27.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 04:59 PM

    I wouldn't say I'm being overwhelmed by these, and none of the blocked packets were bound for "business related" sites, but I certainly think this is likely a false positive.



  • 28.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 05:48 PM

    LiveUpdate Defs ID

    20110112.001

    Should fix this issue.

    http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=sep&pvid=sep11_32&year=2011&suid=SAV11_32-SU266-20110112.001



  • 29.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-12-2011 10:14 PM

    Hello All,

     

    In the last 24 hours we have received a large number of reports, both via the Symantec and Norton forums and via our FP reporting process, regarding unexpected Intrusion Prevention detections for multiple trusted web locations. These sites were detected because of an errant detection on our part, aimed at targeting a specific type of malicious network traffic. We make great efforts to avoid detection of clean network traffic, testing each signature thoroughly against known good network traffic, including using both live and historical content from many popular websites. What happened in this case is the result of two specific problems that occurred:

    1) an element of the malicious network traffic we targeted for detection was common to many clean websites, and

    2) our detection was missing a key constraint that would have prevented detection of the clean sites

     

    As of earlier this morning (PST) this issue has been fixed and an updated detection released via our LiveUpdate service. If you are still experiencing unexpected “HTTP Zombie Exploit Toolkit Request” detections and are skeptical about the issue, please update your Norton or Symantec product using LiveUpdate, and the issue should be corrected. Definitions 201101112.001 or later will contain the fix. Instructions on how to update your product using LiveUpdate can be found at the link below:

     

    http://us.norton.com/support/kb/web_view.jsp?wv_type=public_web&docurl=20080417124026EN&ln=en_US

     

    Please don’t hesitate to report this or any additional detections you believe to be False Positives if this fix does not resolve the issue for you.  Our False Positive reporting page is available here:

     

    https://submit.symantec.com/false_positive

     

    We sincerely apologize for any inconvenience this may have caused you or your customers, and we would like to thank each of the members in our user community responsible for bringing this to our attention so quickly.

     

    Symantec Security Response



  • 30.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-13-2011 02:01 AM

    Thanks. Finally it got fixed.



  • 31.  RE: HTTP Zombie Exploit Toolkit Request

    Broadcom Employee
    Posted 01-13-2011 02:27 AM

    Thank you for fixing this issue!

    Best regards

    Sascha