Amid conflicting reports on the extent of sniffing activity on TCP/IP Port 445, the port associated with a recently patched Windows vulnerability, security experts are warning that exploit code targeting a known Server Message Block flaw has been posted on the Internet.
The exploit code, published on the FrSIRT (French Security Incident Response Team) Web site, could be used to target the “critical” vulnerability addressed in Microsoft Corp.s MS05-011 bulletin.
That bulletin, which was released in February with patches for affected Windows 2000, Windows XP and Windows Server 2003 systems, corrects a weakness in Microsofts SMB protocol implementation but it is entirely separate from the SMB (Server Message Block) fixes dropped off on Patch Day this month.
Earlier this week, researchers at Symantec Corp.s DeepSight Network warned that a noticeable surge in scans on Port 445 just one week after Microsofts SMB patch was an ominous sign that a mass code execution attack may be imminent.
In Windows 2000, Windows XP and Windows Server 2003, Microsoft uses TCP Port 445 to run SMB directly over TCP/IP to handle the sharing of files, printers and serial ports, and also to communicate between computers. Any spike in sniffing activity on that port automatically sets off alarm bells, but security experts caution against overly dramatizing the potential for real danger.
Officials at the Washington-based SANS ISC (Internet Storm Center), which tracks malicious Internet activity, say they have been unable to verify Symantecs port-scanning noise.
“There are always little bumps and random noise [on Port 445], but its not always related to a specific vulnerability or issue. I dont know what Symantecs sensors detected, but weve only really seen a big jump in scans on one day,” said SANS ISC director Marcus Sachs.
The centers Port 445 activity graph shows a dramatic jump in sniffing on May 13 but nothing out of the ordinary since then.
In an interview with Ziff Davis Internet News, Sachs said it is easy to misread scanning activity of Port 445 because it is a “very active port” used for all kinds of internal network communication.
With the publication of an active exploit, Sachs recommended that enterprise IT administrators speed up patch deployment and other protection workarounds. But he insisted that there was no need for panic.
“All hell is not about to break loose. The Internet isnt about to collapse,” Sachs said.
More than anything else, the increased awareness caused by the DeepSight data should be a “gentle warning that you should always be vigilant,” Sachs added.
John Pescatore, vice president of security research at Gartner Inc., said the Symantec DeepSight reports of increased sniffing are a “serious concern for enterprise security managers” because such activity usually means a mass attack is imminent.
In a notice to enterprise clients, Pescatore urged that all firewall policies be immediately reviewed to ensure that Port 445 access is blocked wherever possible. He also recommended that all intrusion prevention system filters, both network- and host-based, be updated to block SMB-related hacker attacks.
Sachs echoed the Gartner guidance and warned that other public exploits for Windows holes are making the rounds. “This reinforces the fact that the window is narrowing rapidly from the time a patch comes out and the time an exploit is created and released. It used to be months before we heard of an exploit, but now its down to days, or in extreme cases, a few hours after the patch.”
“We know theres a working exploit out there, and that should be a nudge to everyone to put protections in place. There has been ample time to do the required tests before patching, and its always good policy to block Port 445 at the gateway anyway,” Sachs added.
Gartners Pescatore stressed that network attacks follow a “highly predictable timeline” that includes port-scanning hacker reconnaissance. In the past, he said attackers have reverse-engineered software patches to create and circulate exploit code. Once that is done, the underworld will start scanning associated ports to pinpoint vulnerable systems before launching a mass attack.
“The Port 445 activity may indicate that—in the week since Microsoft released the Windows patch—attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely used SMB protocol,” Pescatore warned.
Microsoft does not appear to be overly worried about the Port 445 scanning chatter. A company spokeswoman said engineers at the Microsoft Security Response Center have not received any indication of malicious activity associated with the most recent SMB patch.
“Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products,” she added.
