[ISN] Port 12345: Hacker haven or Net X-File?

From: InfoSec News (isnat_private)
Date: Thu Jan 24 2002 - 00:16:07 PST


    By Nicole Bellamy
    ZDNet Australia
    January 22, 2002, 6:45 AM PT

    Increased activity on TCP port 12345--best known as both the NetBus
    Trojan's default port and the port used for a Trend Micro antivirus
    product--has the security community arguing about who is responsible.
    Is it Trend Micro customers who have yet to patch known
    vulnerabilities, script kiddies looking for an easy hit, or an
    Internet X-file?

    A recent increase in port scanning activity on the Internet has
    centered around Transmission Control Protocol (TCP) port 12345.
    Webopedia.com defines port scanning as the act of systematically
    scanning a computer's ports--places where information enters and exits
    a computer. While port scanning has legitimate uses in managing
    networks, it can also be malicious in nature, if someone is looking
    for a weakened access point to break into another computer.

    Port 12345 is best known as the default of NetBus, a Trojan developed
    years ago, that allows a hacker to access data and gain control over
    some functions on a remote computer system.

    More recently, it has been associated with Trend Micro's OfficeScan
    anti-virus product, which also uses, or listens on, port 12345.

    According to Stephen Northcutt, director of the SANS (System
    Administration, Networking, and Security) Institute, his organization
    has seen a dramatic increase in the amount of scanning for 12345.

    "Last year, the biggest scanning pattern was for a piece of malicious
    software called SubSeven. This year, as I keep looking at logs, I find
    that they are scanning for a pattern for NetBus," said Northcutt,
    adding, "I'm willing to bet you there is some other vulnerability that
    made the terribly unfortunate choice of scanning 12345."

    This "unfortunate choice" looks to have been made by antivirus vendor,
    Trend Micro, which offers a product that listens on 12345.

    According to Edward Luck, network security consultant with
    Australia-based IT infrastructure providers, Fulcrum Consulting Group,
    this software is a problem unto itself, as it contains a number of

    "Not only is it (OfficeScan) listening on the same port as NetBus, but
    it also happens to have its own vulnerabilities...without too much
    trouble, you can actually tell a system running Trend Micro's
    OfficeScan to do things such as uninstall itself, not scan certain
    files, and you can also place files of your own designs (such as a
    Trojan), on the system," said Luck.

    Luck believes the antivirus software could provide another reason for
    increased scanning on the port and has discussed this theory with
    fellow members of the SANS community.

    "We were initially under the assumption that (the increase) may have
    been people scanning for NetBus--which is an older Trojan. After some
    discussion with the SANS community, our suggestion is that people are
    actually looking for systems running the antivirus software. Because
    the vulnerabilities on this software are so severe, people could
    actually use the vulnerability to plant their own, more advanced
    Trojans on the system," said Luck.

    While Trend Micro admits to the vulnerability highlighted by Luck, it
    has also rushed to point out that patches have been issued for all
    vulnerabilities discovered in the OfficeScan products.

    According to Andrew Gordon, managed services architect for Trend Micro
    Australia, a vulnerability was discovered in August 2001 that allowed
    remote attackers to access configuration files containing passwords.
    This vulnerability was patched in October, 2001.

    "That bug has been fixed with a patch which is available from our Web
    site, www.antivirus.com. We are also due to release a new version of
    our OfficeScan product--version 5.0--in the next day or so which
    already has those security issues resolved," said Gordon.

    Gordon stated that the latest version of OfficeScan does not use port
    12345 for its communications processes. According to Gordon, the
    decision to change the port resulted from customer concerns about
    hacking attempts.

    "As far as I am aware, the new version of OfficeScan does not use the
    port 12345 for the communications process. We have changed this due to
    people's queries and concerns in regards to having such an easy to
    remember port," said Gordon, explaining that often "junior hackers"
    will scan on port 12345, rather than "pulling other digits out of a

    Gordon pointed out that since the patch was made available, Trend
    Micro has not had any "issues" with its customers. "They (OfficeScan
    customers) obviously have to be vigilant in patching the products,"
    said Gordon, adding that if people were still complaining about
    vulnerabilities, "those customers have not downloaded that patch and
    applied it."

    When queried about the reason for the sudden hike in scanning to port
    12345, Gordon said that he could not provide any information as to
    "why the port would jump in use, apart from the fact that it's easy to
    do a scan on."

    According to Fulcrum Consulting Group's Luck, one way to discover the
    cause of the increased scans would be to set up a honey-pot.

    "We won't really know (what is responsible) unless someone receives
    one of those scans and pulls the packet apart to see if there is some
    signature in it. The best thing to do would be to set up a honey-pot.
    Set-up a machine on the Internet running Trend Micro's OfficeScan,
    wait for a connection attempt on that port, and if one was made, see
    if they actually continued with it and started to actually do, and
    send, Trend Micro commands. Then, I'd guess we'd know if people were
    scanning for Trend Micro or NetBus," said Luck.

    The SANS Institute is also seeking more information before releasing
    its verdict on the issue. As such, SANS' Northcutt has requested that
    businesses noticing one of their systems answering a query on TCP port
    12345, send an e-mail to intrusionsat_private
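    The article describes two things an administrator would want to pull
    out of firewall logs: sources systematically probing TCP port 12345
    across many hosts (a scan, as opposed to a single connection), and
    the local systems that actually answered such a probe, which is what
    SANS asked businesses to report. The script below is an added
    example, not code from the article, SANS or Trend Micro. The log
    lines are constructed for the example in a simplified
    iptables/syslog style (SRC/DST/PROTO/SPT/DPT fields followed by TCP
    flags); the addresses, hostnames, timestamps and the scan threshold
    of three distinct targets are all assumptions.

```python
"""Flag scanning of TCP/12345 and list local hosts that answered a probe.

Added example. The log format, hosts, addresses and thresholds below are
constructed for illustration and are not taken from the article.
"""
import re
from collections import defaultdict

# Constructed sample firewall log. Inbound SYNs arrive on eth0; a SYN+ACK
# sent back from source port 12345 means a local host accepted the probe.
SAMPLE_LOG = """\
Jan 22 06:45:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4011 DPT=12345 SYN
Jan 22 06:45:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4012 DPT=12345 SYN
Jan 22 06:45:01 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4013 DPT=12345 SYN
Jan 22 06:45:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.12 DST=203.0.113.7 PROTO=TCP SPT=12345 DPT=4013 ACK SYN
Jan 22 06:45:02 fw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.13 PROTO=TCP SPT=4014 DPT=12345 SYN
Jan 22 06:45:05 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.4 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=12345 SYN
Jan 22 06:45:06 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=80 SYN
Jan 22 06:45:07 fw sshd[2231]: Accepted publickey for admin from 192.0.2.5 port 40022
"""

# Packet fields, then zero or more TCP flag tokens up to the end of the line.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: (?:SYN|ACK|RST|FIN))*)"
)


def parse_line(line):
    """Return the packet fields of one log line, or None for non-packet lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "spt": int(m["spt"]),
        "dpt": int(m["dpt"]),
        "flags": set(m["flags"].split()),
    }


def analyze(log_text, port=12345, scan_threshold=3):
    """Group probes to `port` by source and collect local hosts that answered.

    A source is reported as a scanner once it has sent a bare SYN to `port`
    on at least `scan_threshold` distinct destinations; a single connection
    attempt is not enough on its own. A local host is a responder when it
    sends SYN+ACK from `port`, i.e. something there accepted the connection.
    """
    probes = defaultdict(set)   # source -> destinations it probed on `port`
    responders = set()          # local hosts that answered from `port`
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP":
            continue
        if rec["dpt"] == port and rec["flags"] == {"SYN"}:
            probes[rec["src"]].add(rec["dst"])
        elif rec["spt"] == port and {"SYN", "ACK"} <= rec["flags"]:
            responders.add(rec["src"])
    scanners = {
        src: sorted(dsts)
        for src, dsts in probes.items()
        if len(dsts) >= scan_threshold
    }
    return {"scanners": scanners, "responders": sorted(responders)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, targets in result["scanners"].items():
        print(f"scanner {src} probed {len(targets)} hosts on 12345: {', '.join(targets)}")
    for host in result["responders"]:
        print(f"local host {host} answered on 12345; check what is listening there")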

    This archive was generated by hypermail 2b30 : Thu Jan 24 2002 - 03:54:51 PST