Symantec: Bot Sniffs For Veritas Vulnerability


A surge in scans of TCP port 6101, which is associated with Veritas Backup Exec, was first detected by Symantec's DeepSight network earlier this week. By Wednesday, the Cupertino, Calif. security company had finished its analysis.

"The bot appears to contain propagation functionality that targets numerous [Windows] exploits including LSASS, Workstation, DOCM, ASN1, network share access, and SQL injection," Symantec said in an alert to DeepSight customers. "It is likely that the bot, upon compromising a system using any of these mechanisms, will join the [IRC] channel and begin scanning over TCP port 6101 [for additional systems]."

Most bots, including the one uncovered by Symantec, use IRC (Internet Relay Chat) to send data to and receive instructions from their human controller, or "bot herder."

"[We] strongly encourage administrators to ensure that all systems running Microsoft Windows have been securely locked down…if possible, network shares should be disabled and the latest patches should be deployed," the alert continued. "Those running Veritas software should ensure that the latest versions have been installed to prevent the exploitation of this issue."


Symantec also advised enterprises to filter access to port 6101, as well as several other ports associated with the bot -- TCP ports 80, 135, 139, 445, and 1025 -- and filter any traffic to the IP address 65.110.182.68 to prevent communication with the IRC server used by the bot.

The Backup Exec bug was fixed in December 2004, but by the measure of the bot's success, unpatched systems remain. The patch for Backup Exec 8.6 and 9.x can be downloaded from here.
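The filtering advice above can be paired with a check of existing firewall logs for hosts that already match the alert's indicators. The following is an added example, not part of the original article or of Symantec's alert; the log format, the sample lines (including destination port 6667), and the scan threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Indicators taken from the Symantec alert quoted in the article.
IRC_SERVER = "65.110.182.68"
BACKUP_EXEC_PORT = 6101
SCAN_THRESHOLD = 3  # assumed: distinct port-6101 targets before a source counts as scanning

# Constructed sample lines in an assumed format: "src dst proto dport action"
SAMPLE_LOG = """\
10.0.0.5 10.0.1.10 tcp 6101 allow
10.0.0.5 10.0.1.11 tcp 6101 allow
10.0.0.5 10.0.1.12 tcp 6101 deny
10.0.0.5 65.110.182.68 tcp 6667 allow
10.0.0.9 10.0.1.10 tcp 6101 allow
10.0.0.7 192.0.2.44 tcp 80 allow
malformed line
"""

def triage(log_text, threshold=SCAN_THRESHOLD):
    """Return {source_ip: [reasons]} for hosts that match the alert's indicators."""
    targets = defaultdict(set)   # src -> distinct hosts probed on TCP 6101
    irc_contacts = set()         # src hosts that sent traffic to the IRC server
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[3].isdigit():
            continue  # skip lines that do not fit the assumed format
        src, dst, proto, dport, _action = fields
        if dst == IRC_SERVER:
            irc_contacts.add(src)  # any traffic to the server is of interest
        if proto.lower() == "tcp" and int(dport) == BACKUP_EXEC_PORT:
            targets[src].add(dst)  # denied attempts count as probes too
    findings = defaultdict(list)
    for src in sorted(irc_contacts):
        findings[src].append("contacted IRC server " + IRC_SERVER)
    for src, dsts in sorted(targets.items()):
        if len(dsts) >= threshold:
            findings[src].append(f"probed TCP {BACKUP_EXEC_PORT} on {len(dsts)} hosts")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A single connection to port 6101 is normal for a Backup Exec client, so only sources that reach the threshold of distinct targets are reported as probing.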