Veritas Software Under Attack - InformationWeek


02:22 PM

One of the seven vulnerabilities recently found in various Veritas backup components is under attack, said security vendor Symantec Wednesday. The company -- which recently finalized a merger with Veritas -- recommended that users patch posthaste.

The multiple vulnerabilities in Veritas' Backup Exec first went public last week, when the Mountain View, Calif.-based storage software company released a slew of security advisories that outlined problems ranging from possible denial-of-service (DoS) attacks to remote execution of code. Veritas ranked five of the seven as "High" impact, its most dire threat level, while two were rated as "Low."

Within two days of the vulnerabilities going public -- the researchers who discovered the vulnerabilities held the news until patches were produced by Veritas -- Symantec warned that an exploit had been released for one of the most dangerous bugs.

That vulnerability, a buffer overflow flaw in Backup Exec's Remote Agent, could be exploited, said Symantec, by hackers passing an extra-long password to the Agent, software which listens on TCP port 10000 and accepts connections from the backup server when a backup is scheduled.

One day later, Symantec began monitoring a sudden increase in port scanning for port 10000. SANS' Internet Storm Center detected the same spike in port sniffing. "Scans for port 10000/tcp have been increasing ever since the release of the Veritas Backup Exec exploit," the center warned in an online briefing Monday.

According to Symantec's DeepSight Threat Network, the Cupertino, Calif.-based security giant's global network of sensors, the number of distinct IP addresses found scanning for port 10000 jumped from essentially zero on Sunday, June 26, to almost 8,000 by the end of the next day.

"The increase is likely indicative of a bot network performing a consistent and controlled propagation to vulnerable hosts on the Internet," said Symantec in a DeepSight alert sent to customers.
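The signal described above, a jump in the number of distinct source addresses probing TCP port 10000, can be tracked on a network's own perimeter logs. The following is an added example, not code from Symantec, SANS or the article; the log format, the sample lines and the `factor`/`floor` thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

WATCHED_PORT = 10000  # TCP port the Backup Exec Remote Agent listens on (per the article)

# Assumed, constructed log format: "<date>T<time> SRC=<ip> DST=<ip> PROTO=<p> DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ SRC=(?P<src>\S+) DST=\S+ "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)

def distinct_sources_per_day(lines, port=WATCHED_PORT):
    """Map day -> set of distinct source IPs that connected to tcp/<port>."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line
        if m["proto"].upper() == "TCP" and int(m["dpt"]) == port:
            per_day[m["day"]].add(m["src"])
    return dict(per_day)

def spike_days(per_day, days, factor=5, floor=3):
    """Days in the ordered window `days` whose distinct-source count is at least
    `floor` and at least `factor` times the previous day's count (a quiet day
    counts as 1 so a jump from zero is still caught)."""
    counts = [len(per_day.get(d, ())) for d in days]
    return [
        d for d, prev, cur in zip(days[1:], counts, counts[1:])
        if cur >= floor and cur >= factor * max(prev, 1)
    ]

# Constructed sample: documentation-range addresses, not captured traffic.
SAMPLE = [
    "2005-06-26T09:14:02 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=10000",
    "2005-06-26T09:20:41 SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP DPT=443",
] + [
    f"2005-06-27T03:00:{i:02d} SRC=203.0.113.{i} DST=198.51.100.5 PROTO=TCP DPT=10000"
    for i in range(1, 7)
] + [
    "2005-06-27T03:05:00 SRC=203.0.113.1 DST=198.51.100.6 PROTO=TCP DPT=10000",   # repeat source
    "2005-06-27T03:06:00 SRC=203.0.113.50 DST=198.51.100.5 PROTO=UDP DPT=10000",  # not TCP
    "truncated line",
]

if __name__ == "__main__":
    per_day = distinct_sources_per_day(SAMPLE)
    for day in sorted(per_day):
        print(day, len(per_day[day]))
    print("spike:", spike_days(per_day, ["2005-06-26", "2005-06-27"]))
```

Counting distinct sources rather than raw connection attempts keeps one noisy host from masking, or faking, a distributed sweep.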

Although the actual exploit had yet to be captured, Symantec was sure the vigorous port scanning was a sign of it being used on a wide scale, and again recommended that Veritas users patch as soon as possible.

As is typical, the bot author used several techniques to hide the code from analysts, and to make it difficult to predict which port may be used by the exploit to communicate back to its creator for additional instructions and/or software.

A "honeypot" system that Symantec set up, however, grabbed a sample of the exploit on Thursday when an analyst was able to simulate a partial infection on a PC and trick the attacker into sending the rest of the code.

"This is indeed the result of a malicious IRC-based bot program, known as W32.Toxbot," Symantec researchers said in the report issued Thursday. Toxbot, which was first discovered in March, can also use various Microsoft vulnerabilities, including those in SQL Server, DCOM, and LSASS, the trio that spawned Slammer, MSBlast, and Sasser, respectively.

"The DeepSight team strongly encourages network and system administrators to take immediate action to patch or mitigate the threat in the vulnerability," the report continued.

But what with the aggressive spread of Toxbot, it may be too late for some.

"Machines that have been left unprotected following the original release [of the security bulletin] may have already been compromised or exposed to attack," Symantec's researchers warned.
