
[ISN] Veritas Software Under Attack

Subject: [ISN] Veritas Software Under Attack
Date: Thu, 30 Jun 2005 02:46:41 -0500 (CDT)
http://www.informationweek.com/story/showArticle.jhtml?articleID=164903957

By Gregg Keizer 
TechWeb News  
June 29, 2005   

One of the seven vulnerabilities recently found in various Veritas
backup components is under attack, said security vendor Symantec
Wednesday. The company -- which recently finalized a merger with
Veritas -- recommended that users patch post haste.

The multiple vulnerabilities in Veritas' Backup Exec first went public
last week, when the Mountain View, Calif.-based storage software
company released a slew of security advisories that outlined problems
ranging from possible denial-of-service (DoS) attacks to remote
execution of code. Veritas ranked five of the seven as "High" impact,
its most dire threat level, while two were rated as "Low."

Within two days of the vulnerabilities going public -- the researchers
who discovered the vulnerabilities held the news until patches were
produced by Veritas -- Symantec warned that an exploit had been
released for one of the most dangerous bugs.

That vulnerability, a buffer overflow flaw in Backup Exec's Remote
Agent, could be exploited, said Symantec, by hackers passing an
extra-long password to the Agent, software which listens on TCP port
10000 and accepts connections from the backup server when a backup is
scheduled.

One day later, Symantec began monitoring a sudden increase in port
scanning for port 10000. SANS' Internet Storm Center detected the same
spike in port sniffing. "Scans for port 10000/tcp have been increasing
ever since the release of the Veritas Backup Exec exploit," the center
warned in an online briefing Monday.

According to Symantec's DeepSight Threat Network, the Cupertino,
Calif.-based security giant's global network of sensors, the number of
distinct IP addresses found scanning for port 10000 jumped from
essentially zero on Sunday, June 26, to almost 8,000 by the end of the
next day.

"The increase is likely indicative of a bot network performing a
consistent and controlled propagation to vulnerable hosts on the
Internet," said Symantec in a DeepSight alert sent to customers.

Although the actual exploit had yet to be captured, Symantec was
sure the vigorous port scanning was a sign of it being used on a wide
scale, and again recommended that Veritas users patch as soon as
possible.

As is typical, the bot author used several techniques to hide the code
from analysts, and to make it difficult to predict which port may be
used by the exploit to communicate back to its creator for additional
instructions and/or software.

A "honeypot" system that Symantec set up, however, grabbed a sample of
the exploit on Thursday when an analyst was able to simulate a partial
infection on a PC and trick the attacker into sending the rest of the
code.

"This is indeed the result of a malicious IRC-based bot program, known
as W32.Toxbot," Symantec researchers said in the report issued
Thursday. Toxbot, which was first discovered in March, can also use
various Microsoft vulnerabilities, including those in SQL Server,
DCOM, and LSASS, the trio that spawned Slammer, MSBlast, and Sasser,
respectively.

"The DeepSight team strongly encourages network and system
administrators to take immediate action to patch or mitigate the
threat in the vulnerability," the report continued.

But what with the aggressive spread of Toxbot, it may be too late for
some.

"Machines that have been left unprotected following the original
release [of the security bulletin] may have already been compromised
or exposed to attack," Symantec's researchers warned.
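
The article's key signal, the number of distinct source addresses probing TCP port 10000 jumping from near zero in a day, can be measured on a defender's own perimeter logs. The sketch below is an added example, not part of the original article or of any Symantec or SANS tooling; the log line format, function names, thresholds and sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed (constructed) firewall log format:
#   <ISO timestamp> <action> TCP src=<ip> dst=<ip> dport=<port>
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+\S+\s+TCP\s+"
    r"src=(?P<src>\S+)\s+dst=\S+\s+dport=(?P<dport>\d+)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2005-06-26T21:14:03 DROP TCP src=192.0.2.10 dst=198.51.100.5 dport=10000
2005-06-26T22:40:51 DROP TCP src=192.0.2.10 dst=198.51.100.6 dport=10000
2005-06-27T01:02:11 DROP TCP src=203.0.113.4 dst=198.51.100.5 dport=10000
2005-06-27T01:02:12 DROP TCP src=203.0.113.9 dst=198.51.100.5 dport=10000
2005-06-27T03:15:40 DROP TCP src=203.0.113.27 dst=198.51.100.7 dport=10000
2005-06-27T03:15:44 DROP TCP src=203.0.113.27 dst=198.51.100.8 dport=10000
2005-06-27T04:00:00 DROP TCP src=192.0.2.55 dst=198.51.100.5 dport=445
2005-06-27T09:31:05 DROP TCP src=203.0.113.88 dst=198.51.100.5 dport=10000
2005-06-27T11:47:19 DROP TCP src=203.0.113.130 dst=198.51.100.5 dport=10000
""".splitlines()

def distinct_sources_per_day(lines, port=10000):
    """Map day -> number of distinct source IPs that touched `port`."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("dport")) != port:
            continue  # skip malformed lines and traffic to other ports
        seen[m.group("day")].add(m.group("src"))
    return {day: len(srcs) for day, srcs in sorted(seen.items())}

def spike_days(counts, factor=5, min_sources=3):
    """Days with >= min_sources distinct scanners and >= factor x the prior logged day."""
    flagged, prev = [], 0
    for day in sorted(counts):
        n = counts[day]
        # max(prev, 1) keeps a near-zero baseline from hiding the jump
        if n >= min_sources and n >= factor * max(prev, 1):
            flagged.append(day)
        prev = n
    return flagged

if __name__ == "__main__":
    per_day = distinct_sources_per_day(SAMPLE_LOG)
    print(per_day, spike_days(per_day))
```

Counting distinct sources rather than raw packets is what separates many hosts sweeping at once from a single noisy scanner.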


