The multiple vulnerabilities in Veritas' Backup Exec first went public last week, when the Mountain View, Calif.-based storage software company released a slew of security advisories that outlined problems ranging from possible denial-of-service (DoS) attacks to remote execution of code. Veritas ranked five of the seven as "High" impact, its most dire threat level, while two were rated as "Low."
Within two days of the vulnerabilities going public -- the researchers who discovered the vulnerabilities held the news until patches were produced by Veritas -- Symantec warned that an exploit had been released for one of the most dangerous bugs.
That vulnerability, a buffer overflow flaw in Backup Exec's Remote Agent, could be exploited, said Symantec, by hackers passing an extra-long password to the Agent, software which listens on TCP port 10000 and accepts connections from the backup server when a backup is scheduled.
One day later, Symantec began monitoring a sudden increase in scanning for port 10000. SANS' Internet Storm Center detected the same spike in scanning. "Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit," the center warned in an online briefing Monday.
According to Symantec's DeepSight Threat Network, the Cupertino, Calif.-based security giant's global network of sensors, the number of distinct IP addresses found scanning for port 10000 jumped from essentially zero on Sunday, June 26, to almost 8,000 by the end of the next day.
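The DeepSight figure above, distinct source addresses probing a single port per day, is a signal a defender can compute from ordinary perimeter logs. The following is an added example, not Symantec's or the Internet Storm Center's code; it assumes a constructed firewall-log line format and constructed sample lines, counts the distinct sources that hit tcp/10000 on each day, and flags a day whose count jumps sharply over the previous day.

```python
"""Count distinct source IPs probing tcp/10000 per day and flag a sudden jump.

Added example with a constructed log format; not DeepSight's or the ISC's data.
"""
from collections import defaultdict

# Constructed sample lines (not from the article) in the hypothetical format:
#   <YYYY-MM-DD> <HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port>/<proto> <action>
SAMPLE_LOG = """\
2005-06-25 09:12:01 198.51.100.7 -> 203.0.113.10:443/tcp ACCEPT
2005-06-26 02:00:14 192.0.2.44 -> 203.0.113.10:10000/tcp DROP
2005-06-26 11:45:09 192.0.2.44 -> 203.0.113.11:10000/tcp DROP
2005-06-27 00:03:12 192.0.2.10 -> 203.0.113.10:10000/tcp DROP
2005-06-27 00:03:13 192.0.2.11 -> 203.0.113.10:10000/tcp DROP
2005-06-27 00:03:15 192.0.2.12 -> 203.0.113.10:10000/tcp DROP
2005-06-27 00:04:01 192.0.2.13 -> 203.0.113.12:10000/tcp DROP
2005-06-27 00:04:07 192.0.2.13 -> 203.0.113.13:10000/tcp DROP
2005-06-27 03:10:22 192.0.2.14 -> 203.0.113.10:10000/udp DROP
2005-06-27 08:20:45 198.51.100.9 -> 203.0.113.10:80/tcp ACCEPT
"""


def parse_line(line):
    """Return (day, src_ip, dst_port, proto), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    day, _time, src, _arrow, dest, _action = parts
    try:
        host_port, proto = dest.rsplit("/", 1)
        _dst_ip, port = host_port.rsplit(":", 1)
        return day, src, int(port), proto
    except ValueError:
        return None


def distinct_sources_per_day(log_text, port=10000, proto="tcp"):
    """Map every day present in the log to the number of distinct source IPs
    that targeted <port>/<proto> on that day (0 for days with no hits)."""
    days_seen = set()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        day, src, dst_port, p = rec
        days_seen.add(day)
        if dst_port == port and p == proto:
            sources[day].add(src)
    return {day: len(sources[day]) for day in sorted(days_seen)}


def flag_spikes(counts, factor=3, floor=3):
    """Flag days whose distinct-source count is at least <floor> and at least
    <factor> times the previous day's count (a previous count of zero is
    treated as one, so a jump from nothing is still caught)."""
    flagged = []
    prev = 0
    for day, n in sorted(counts.items()):
        if n >= floor and n >= factor * max(prev, 1):
            flagged.append(day)
        prev = n
    return flagged


if __name__ == "__main__":
    counts = distinct_sources_per_day(SAMPLE_LOG)
    for day, n in counts.items():
        print(day, n)
    print("spike days:", flag_spikes(counts))
```

The thresholds are deliberately simple; on real logs a practitioner would compare against a longer baseline than the single previous day and would also watch for the same source touching many internal hosts in quick succession, the pattern a propagating bot produces.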
"The increase is likely indicative of a bot network performing a consistent and controlled propagation to vulnerable hosts on the Internet," said Symantec in a DeepSight alert sent to customers.
Although the actual exploit had yet to be captured, Symantec was confident the vigorous port scanning was a sign of it being used on a wide scale, and again recommended that Veritas users patch as soon as possible.
As is typical, the bot author used several techniques to hide the code from analysts, and to make it difficult to predict which port may be used by the exploit to communicate back to its creator for additional instructions and/or software.
A "honeypot" system that Symantec set up, however, grabbed a sample of the exploit on Thursday when an analyst was able to simulate a partial infection on a PC and trick the attacker into sending the rest of the code.
"This is indeed the result of a malicious IRC-based bot program, known as W32.Toxbot," Symantec researchers said in the report issued Thursday. Toxbot, which was first discovered in March, can also use various Microsoft vulnerabilities, including those in SQL Server, DCOM, and LSASS, the trio that spawned Slammer, MSBlast, and Sasser, respectively.
"The DeepSight team strongly encourages network and system administrators to take immediate action to patch or mitigate the threat in the vulnerability," the report continued.
But given the aggressive spread of Toxbot, it may already be too late for some.
"Machines that have been left unprotected following the original release [of the security bulletin] may have already been compromised or exposed to attack," Symantec's researchers warned.