Attackers probing for vulnerable Windows servers
Scanning spike related to buggy ServerProtect antivirus from Trend Micro
Computerworld - Attackers are probing for Windows servers running Trend Micro Inc.'s ServerProtect antivirus software, researchers warned.
Early today, Symantec Corp.'s DeepSight threat network monitored a major spike in traffic over TCP port 5168, which is related to the remote procedure call service in ServerProtect. "This may indicate an ongoing mass-scanning and exploitation attempt trying to exploit vulnerable systems for the newly disclosed vulnerabilities," said Symantec analyst Pukhraj Singh in an alert issued to corporate customers.
Symantec also said its honeypots -- "planted" systems that draw attackers by virtue of their unpatched status -- had recorded at least one successful compromise of ServerProtect. "We are in the process of verifying whether or not [that] attack is in fact leveraging one of the recently reported issues, and not an older one," Singh said.
At its peak, the port scan spike observed by Symantec involved 1,000 devices or systems around the world and originated from more than 300 different IP addresses. Within hours, however, the probing had tapered off somewhat.
Yesterday, the SANS Institute's Internet Storm Center (ISC) also said it had spotted "heavy scanning activity" on TCP 5168, and theorized that the probes were related to ServerProtect. This morning, ISC received samples of suspicious data packets that might be attack code, and farmed it out to analysts for review.
Trend Micro actually updated ServerProtect almost a month ago, but the vulnerabilities only came to light on Monday when VeriSign iDefense published details about them. IDefense had reported the bugs to Trend Micro in mid-June; at least one of the vulnerabilities was partly revealed by researchers who were paid a bounty for their bug-hunting by iDefense's cash-for-vulnerabilities program.
Trend Micro issued a warning of its own yesterday based on the ISC scanning alert to virtually beg ServerProtect users to patch ASAP. "We implore security administrators to apply the latest ServerProtect security patch available from Trend Micro as soon as possible to protect against any potential attack," read the warning.
It's been a rough, and embarrassing, month for security vendors, several of which have had to push out patches to plug holes in their own code. Trend Micro's antispyware scanning engine required a fix this week, as did Check Point's ZoneAlarm line of security products and the open-source Clam AntiVirus.
Interestingly, iDefense first notified Zone Alarm of some of the recently patched bugs almost two years ago, in September 2005.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts