An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
Researchers at Symantec Corp.s DeepSight Network have detected a surge in scans on Port 445, an indication that malicious hackers may have already created exploits for a flaw in Microsoft Corp.s implementation of the SMB (Server Message Block) protocol.
In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers, serial ports, and also to communicate between computers.
The vulnerability, which was rated “critical,” was patched one week ago in Microsofts MS05-027 bulletin, and the increased noise on that port could be the first sign that a password brute force attack is imminent, Symantec DeepSight warned.
A spokesperson for Microsofts Security Response Center said the company was not aware of any active attempts to exploit the vulnerability.
“Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products,” she added.
She said software engineers at Redmond would continue to analyze and monitor for any malicious activity but stressed that she was not aware of any customers being attacked via sniffing against TCP Port 445 and have not received any indication of malicious activity associated with MS05-027.
However, the company urged enterprise customers to apply the update and enable firewalls to block TCP Port 445 at the perimeter as a protection mechanism.
John Pescatore, VP of security research at Gartner Inc., said the reports of increased sniffing on Port 445 are a “serious concern for enterprise security managers” because such activity usually means a mass attack is imminent.
“Such attacks typically follow a highly predictable timeline,” Pescatore said, warning that attackers have in the past reverse-engineered patches to create exploit code or widespread circulation.
Once exploits are created, attackers typically scan associated ports to pinpoint vulnerable systems before launching a mass attack.
“The Port 445 activity may indicate that—in the week since Microsoft released the Windows patch—attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely used SMB protocol,” Pescatore warned.
He recommended that enterprise IT administrators accelerate efforts to ensure all Windows systems are patching.
In the interim, Pescatore said businesses should implement shielding or other workarounds until the patching process is complete.
“[Administrators must] immediately review all firewall policies (including those covering personal firewall software) to ensure that Port 445 access is blocked wherever possible [and] update all intrusion prevention system filters (both network- and host-based) to block attempts to exploit this vulnerability,” Pescatore added.
