Port 12345: Hacker haven or Net X-File?

Increased activity on TCP port 12345--best known as both the NetBus Trojan's default port and the port used for a Trend Micro antivirus product--has the security community arguing about who is responsible. Is it Trend Micro customers who have yet to patch known vulnerabilities, script kiddies looking for an easy hit, or an Internet X-file?

A recent increase in port scanning activity on the Internet has centered around Transmission Control Protocol (TCP) port 12345.

Webopedia.com defines port scanning as the act of systematically scanning a computer's ports--places where information enters and exits a computer. While port scanning has legitimate uses in managing networks, it can also be malicious in nature, if someone is looking for a weakened access point to break into another computer.

Port 12345 is best known as the default of NetBus, a Trojan developed years ago, that allows a hacker to access data and gain control over some functions on a remote computer system.

More recently, it has been associated with Trend Micro's OfficeScan anti-virus product, which also uses, or listens on, port 12345.

According to Stephen Northcutt, director of the SANS (System Administration, Networking, and Security) Institute, his organization has seen a dramatic increase in the amount of scanning for 12345.

"Last year, the biggest scanning pattern was for a piece of malicious software called SubSeven. This year, as I keep looking at logs, I find that they are scanning for a pattern for NetBus," said Northcutt, adding, "I'm willing to bet you there is some other vulnerability that made the terribly unfortunate choice of scanning 12345."

This "unfortunate choice" looks to have been made by antivirus vendor, Trend Micro, which offers a product that listens on 12345.

According to Edward Luck, network security consultant with Australia-based IT infrastructure providers, Fulcrum Consulting Group, this software is a problem unto itself, as it contains a number of vulnerabilities.

"Not only is it (OfficeScan) listening on the same port as NetBus, but it also happens to have its own vulnerabilities...without too much trouble, you can actually tell a system running Trend Micro's OfficeScan to do things such as uninstall itself, not scan certain files, and you can also place files of your own designs (such as a Trojan), on the system," said Luck.

Luck believes the antivirus software could provide another reason for increased scanning on the port and has discussed this theory with fellow members of the SANS community.

"We were initially under the assumption that (the increase) may have been people scanning for NetBus--which is an older Trojan. After some discussion with the SANS community, our suggestion is that people are actually looking for systems running the antivirus software. Because the vulnerabilities on this software are so severe, people could actually use the vulnerability to plant their own, more advanced Trojans on the system," said Luck.

While Trend Micro admits to the vulnerability highlighted by Luck, it has also rushes to point out that patches have been issued for all vulnerabilities discovered in the OfficeScan products.

According to Andrew Gordon, managed services architect for Trend Micro Australia, a vulnerability was discovered in August 2001 that allowed remote attackers to access configuration files containing passwords. This vulnerability was patched in October, 2001.

"That bug has been fixed with a patch which is available from our Web site, www.antivirus.com. We are also due to release a new version of our OfficeScan product--version 5.0--in the next day or so which already has those security issues resolved," said Gordon.

Gordon stated that the latest version of OfficeScan does not use port 12345 for its communications processes. According to Gordon, the decision to change the port resulted from customer concerns about hacking attempts.

"As far as I am aware, the new version of OfficeScan does not use the port 12345 for the communications process. We have changed this due to people's queries and concerns in regards to having such an easy to remember port," said Gordon, explaining that often "junior hackers" will scan on port 12345, rather than "pulling other digits out of a hat."

Gordon pointed out that since the patch was made available, Trend Micro has not had any "issues" with its customers. "They (OfficeScan customers) obviously have to be vigilant in patching the products," said Gordon, adding that if people were still complaining about vulnerabilities, "those customers have not downloaded that patch and applied it."

When queried about the reason for the sudden hike in scanning to port 12345, Gordon said that he could not provide any information as to "why the port would jump in use, apart from the fact that it's easy to do a scan on."

According to Fulcrum Consulting Group's Luck, one way to discover the cause of the increased scans would be to set up a honey-pot.

"We won't really know (what is responsible) unless someone receives one of those scans and pulls the packet apart to see if there is some signature in it. The best thing to do would be to set up a honey-pot. Set-up a machine on the Internet running Trend Micro's OfficeScan, wait for a connection attempt on that port, and if one was made, see if they actually continued with it and started to actually do, and send, Trend Micro commands. Then, I'd guess we'd know if people were scanning for Trend Micro or NetBus," said Luck.

The SANS Institute is also seeking more information before releasing its verdict on the issue. As such, SANS' Northcutt has requested that businesses noticing one of their systems answering a query on TCP port 12345, send an e-mail to intrusions@incidents.org.