[prev in list] [next in list] [prev in thread] [next in thread] 

List:       isn
Subject:    [ISN] Port 12345: Hacker haven or Net X-File?
From:       InfoSec News <isn () c4i ! org>
Date:       2002-01-24 8:16:07
[Download RAW message or body]

http://zdnet.com.com/2100-1105-819807.html

By Nicole Bellamy 
ZDNet Australia
January 22, 2002, 6:45 AM PT

Increased activity on TCP port 12345--best known as both the NetBus
Trojan's default port and the port used for a Trend Micro antivirus
product--has the security community arguing about who is responsible.

Is it Trend Micro customers who have yet to patch known
vulnerabilities, script kiddies looking for an easy hit, or an
Internet X-file?

A recent increase in port scanning activity on the Internet has
centered around Transmission Control Protocol (TCP) port 12345.

Webopedia.com defines port scanning as the act of systematically
scanning a computer's ports--places where information enters and exits
a computer. While port scanning has legitimate uses in managing
networks, it can also be malicious in nature, if someone is looking
for a weakened access point to break into another computer.
 
Port 12345 is best known as the default of NetBus, a Trojan developed
years ago, that allows a hacker to access data and gain control over
some functions on a remote computer system.

More recently, it has been associated with Trend Micro's OfficeScan
anti-virus product, which also uses, or listens on, port 12345.

According to Stephen Northcutt, director of the SANS (System
Administration, Networking, and Security) Institute, his organization
has seen a dramatic increase in the amount of scanning for 12345.

"Last year, the biggest scanning pattern was for a piece of malicious
software called SubSeven. This year, as I keep looking at logs, I find
that they are scanning for a pattern for NetBus," said Northcutt,
adding, "I'm willing to bet you there is some other vulnerability that
made the terribly unfortunate choice of scanning 12345."

This "unfortunate choice" looks to have been made by antivirus vendor,
Trend Micro, which offers a product that listens on 12345.

According to Edward Luck, network security consultant with
Australia-based IT infrastructure providers, Fulcrum Consulting Group,
this software is a problem unto itself, as it contains a number of
vulnerabilities.

"Not only is it (OfficeScan) listening on the same port as NetBus, but
it also happens to have its own vulnerabilities...without too much
trouble, you can actually tell a system running Trend Micro's
OfficeScan to do things such as uninstall itself, not scan certain
files, and you can also place files of your own designs (such as a
Trojan), on the system," said Luck.

Luck believes the antivirus software could provide another reason for
increased scanning on the port and has discussed this theory with
fellow members of the SANS community.

"We were initially under the assumption that (the increase) may have
been people scanning for NetBus--which is an older Trojan. After some
discussion with the SANS community, our suggestion is that people are
actually looking for systems running the antivirus software. Because
the vulnerabilities on this software are so severe, people could
actually use the vulnerability to plant their own, more advanced
Trojans on the system," said Luck.

While Trend Micro admits to the vulnerability highlighted by Luck, it
has also rushes to point out that patches have been issued for all
vulnerabilities discovered in the OfficeScan products.

According to Andrew Gordon, managed services architect for Trend Micro
Australia, a vulnerability was discovered in August 2001 that allowed
remote attackers to access configuration files containing passwords.  
This vulnerability was patched in October, 2001.

"That bug has been fixed with a patch which is available from our Web
site, www.antivirus.com. We are also due to release a new version of
our OfficeScan product--version 5.0--in the next day or so which
already has those security issues resolved," said Gordon.

Gordon stated that the latest version of OfficeScan does not use port
12345 for its communications processes. According to Gordon, the
decision to change the port resulted from customer concerns about
hacking attempts.

"As far as I am aware, the new version of OfficeScan does not use the
port 12345 for the communications process. We have changed this due to
people's queries and concerns in regards to having such an easy to
remember port," said Gordon, explaining that often "junior hackers"  
will scan on port 12345, rather than "pulling other digits out of a
hat."

Gordon pointed out that since the patch was made available, Trend
Micro has not had any "issues" with its customers. "They (OfficeScan
customers) obviously have to be vigilant in patching the products,"  
said Gordon, adding that if people were still complaining about
vulnerabilities, "those customers have not downloaded that patch and
applied it."

When queried about the reason for the sudden hike in scanning to port
12345, Gordon said that he could not provide any information as to
"why the port would jump in use, apart from the fact that it's easy to
do a scan on."

According to Fulcrum Consulting Group's Luck, one way to discover the
cause of the increased scans would be to set up a honey-pot.

"We won't really know (what is responsible) unless someone receives
one of those scans and pulls the packet apart to see if there is some
signature in it. The best thing to do would be to set up a honey-pot.  
Set-up a machine on the Internet running Trend Micro's OfficeScan,
wait for a connection attempt on that port, and if one was made, see
if they actually continued with it and started to actually do, and
send, Trend Micro commands. Then, I'd guess we'd know if people were
scanning for Trend Micro or NetBus," said Luck.

The SANS Institute is also seeking more information before releasing
its verdict on the issue. As such, SANS' Northcutt has requested that
businesses noticing one of their systems answering a query on TCP port
12345, send an e-mail to intrusions@incidents.org.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn' in the BODY
of the mail.
[prev in list] [next in list] [prev in thread] [next in thread]