Symantec Warns Of Bot Sniffing For Veritas Vulnerability - InformationWeek


12:10 PM


If possible, network shares should be disabled and the latest patches should be deployed, the company's alert says.

A bot is aggressively sniffing for systems equipped with unpatched Veritas software, Symantec warned Wednesday. It urged users to update the backup program, or failing that, take other safety measures.

A surge in scans of TCP port 6101, which is associated with Veritas Backup Exec, was first detected by Symantec's DeepSight network earlier this week. By Wednesday, the Cupertino, Calif., security company had finished its analysis.

"The bot appears to contain propagation functionality that targets numerous [Windows] exploits including LSASS, Workstation, DOCM, ASN1, network share access, and SQL injection," Symantec said in an alert to DeepSight customers. "It is likely that the bot, upon compromising a system using any of these mechanisms, will join the [IRC] channel and begin scanning over TCP port 6101 [for additional systems]."

Most bots, including the one uncovered by Symantec, use IRC (Internet Relay Chat) to send data to and receive instructions from their human controller, or "bot herder."

"[We] strongly encourage administrators to ensure that all systems running Microsoft Windows have been securely locked down…if possible, network shares should be disabled and the latest patches should be deployed," the alert continued. "Those running Veritas software should ensure that the latest versions have been installed to prevent the exploitation of this issue."

Symantec also advised enterprises to filter access to port 6101, as well as several other ports associated with the bot -- TCP ports 80, 135, 139, 445, and 1025 -- and filter any traffic to the IP address to prevent communication with the IRC server used by the bot.
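The scanning behavior described in the alert can be spotted in firewall or flow logs by counting how many distinct hosts each source probes on TCP port 6101. The following is an added example, not part of the original article or Symantec's alert; the log format, the addresses, and the `min_targets` threshold are constructed assumptions.

```python
from collections import defaultdict

# Ports named in the alert: 6101 (Veritas Backup Exec) and the other bot-associated ports.
BACKUP_EXEC_PORT = 6101
OTHER_BOT_PORTS = {80, 135, 139, 445, 1025}

# Constructed sample records (not real traffic): "time src dst proto dport action"
SAMPLE_LOG = """\
00:00:01 10.0.5.23 10.0.1.10 tcp 6101 deny
00:00:01 10.0.5.23 10.0.1.11 tcp 6101 deny
00:00:02 10.0.5.23 10.0.1.12 tcp 6101 deny
00:00:02 10.0.5.23 10.0.1.12 tcp 445 deny
00:00:03 10.0.5.23 10.0.1.13 tcp 6101 allow
00:00:04 10.0.7.40 10.0.1.10 tcp 6101 allow
00:00:05 10.0.7.40 10.0.1.10 tcp 6101 allow
00:00:06 10.0.8.77 10.0.1.20 tcp 445 allow
garbled line
00:00:07 10.0.8.77 10.0.1.21 udp 6101 allow
"""

def parse(line):
    """Return (src, dst, dport) for a well-formed TCP record, else None."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "tcp" or not parts[4].isdigit():
        return None
    return parts[1], parts[2], int(parts[4])

def find_6101_sweepers(log_text, min_targets=3):
    """Map each source that probed TCP 6101 on >= min_targets distinct hosts
    to its targets and to any other alert-listed ports it also touched."""
    targets = defaultdict(set)
    other_ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip malformed or non-TCP records
        src, dst, dport = rec
        if dport == BACKUP_EXEC_PORT:
            targets[src].add(dst)
        elif dport in OTHER_BOT_PORTS:
            other_ports[src].add(dport)
    return {
        src: {"targets": sorted(dsts), "other_ports": sorted(other_ports[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

if __name__ == "__main__":
    for src, info in find_6101_sweepers(SAMPLE_LOG).items():
        print(src, "probed", len(info["targets"]), "hosts on 6101; also", info["other_ports"])
```

A source that repeatedly contacts a single backup server on 6101 stays below the threshold, while a host fanning out across many addresses is reported together with any of the other listed ports it touched.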

The Backup Exec bug was fixed in December 2004, but by the measure of the bot's success, unpatched systems remain. The patch for Backup Exec 8.6 and 9.x can be downloaded from here.
