SANS: Attackers may be attempting Trend Micro exploits

Attackers may be trying to exploit flaws in Trend Micro's ServerProtect, Anti-Spyware and PC-cillin products to hijack vulnerable machines, the SANS Internet Storm Center (ISC) has warned.

ISC handler Kyle Haugsness wrote on the Internet Storm Center Web site that the organisation was seeing "heavy scanning activity on TCP [port] 5168... probably for Trend Micro ServerProtect. It does indeed look like machines are getting owned with this vulnerability."

In a follow-up message, ISC handler William Salusky wrote that while he was unable to confirm the destination target of the suspicious scanners was in fact running a Trend Micro management service, some of the packet data the ISC received did appear suspect.

Antivirus company Symantec is taking the threat to Trend Micro users seriously enough to raise its ThreatCon to Level 2.

An email to customers of Symantec's DeepSight threat management service read: "DeepSight TMS is observing a large spike over TCP port 5168 associated with the Trend ServerProtect service, which was recently found vulnerable to remote code execution flaws. It appears that attackers are scanning for systems running the vulnerable service. We have observed active exploitation of a Trend Micro ServerProtect vulnerability affecting the ServerProtect service on a DeepSight Honeypot."

In an email to SearchSecurity.com, Haugsness said the storm center was observing the same trend. Tokyo-based Trend Micro released a patch and hotfix to address the flaws.

Related story: Trend Micro fixes flaws in ServerProtect, PC-cillin

Trend Micro ServerProtect, an antivirus application designed specifically for servers, is prone to several security holes, including an interger overflow flaw that is exploitable over RPC, according to the Trend Micro ServerProtect security advisory. Specifically, the problem is in the SpntSvc.exe service that listens on TCP port 5168 and is accessible through RPC. Attackers could exploit this to run malicious code with system-level privileges and "completely compromise" affected computers. Failed exploit attempts will result in a denial of service, Trend Micro said.

The problems affect ServerProtect 5.58 Build 1176 and possibly earlier versions.

Meanwhile, Trend Micro Anti-Spyware and PC-cillin Internet contain stack buffer-overflow flaws where the application fails to properly bounds-check user-supplied data before copying it into an insufficiently sized memory buffer, the vendor reported. Trend Micro has released a hotfix to address that problem.

The issue affects the 'vstlib32.dll' library of Trend Micro's SSAPI Engine. When the library processes a local file that has overly-long path data, it fails to handle a subsequent 'ReadDirectoryChangesW' callback notification from Microsoft Windows.

Attackers who exploit this could inflict the same type of damage as exploits against the ServerProtect flaws. Trend Micro Anti-Spyware for Consumers version 3.5 and PC-cillin Internet Security 2007 are affected.