COMMAND

    InterScan

SYSTEMS AFFECTED

    Trend Micro's InterScan 3.0

PROBLEM

    Karl C.  Lherisson found  following about  Trend Micro's InterScan
    product with  ability to  scan email  for viruses  and to  prevent
    SPAM from being relayed  of our SMTP server.   He decided to  look
    into the FTP  proxy feature that  is included but  it was found  a
    possible  security  hole  in  the  product.   When using InterScan
    version 3.0 as a  stand alone proxy there  is no way to  limit who
    can have access to the FTP proxy.  Unlike the SMTP portion,  where
    one can specify valid source  IP addresses that are able  to relay
    mail,  anyone  on  the  Internet  who  knows the IP address of the
    InterScan FTP  proxy can  use it  to log  onto another network and
    basically hide their identity.

    So if you were a "hacker"  and you wanted to launch an  FTP attack
    on  lets  say  COMPANY  A,  and  you  know  there is a Trend Micro
    InterScan FTP Proxy server at  COMPANY B, well you would  login to
    COMPANY B proxy server and then connect to COMPANY A.  What  makes
    matters worse is  that InterScan 3.0  does not keep  a log of  FTP
    connections  (basically  making  the  hacker  anonymous),  and the
    software will perform the job  of checking the hacker's files  for
    viruses.   Additionally, if  COMPANY A  found out  that they  were
    infiltrated in some way, it  would appear that it originated  from
    COMPANY B.

SOLUTION

    Fortunately, the FTP Proxy Server  can be disabled but this  kills
    1/3 of the product functionality.