Ads by TechWords

See your link here
Receive the latest technology news and information.
Security
Virus and Vulnerability Roundup
Computerworld Daily News (First Look and Wrap-Up)
Computerworld Blogs Newsletter
The Weekly Top 10
Cloud Computing
View all newsletters




Privacy Policy
 

Increased port 'sniffing' could herald attack, Gartner warns

It's pointing to increased activity on TCP Port 445

June 22, 2005 12:00 PM ET

Computerworld - An increase in "sniffing" activity on a port associated with a recently patched Microsoft Corp. vulnerability may be the signal of an impending attack attempting to exploit the flaw, according to an alert from analyst firm Gartner Inc.
The flaw in question is a remote code execution vulnerability associated with the Microsoft Windows Server Message Block (SMB) Protocol. It was rated as critical by the company in its June security bulletin, released earlier this month, because attackers who exploit it could take complete control of affected systems, according to Microsoft (see Microsoft offers three 'critical' patches in monthly security update).
An increase in activity on TCP Port 445, which is associated with the SMB protocol, may be a signal that attackers are attempting to exploit the hole, Gartner analyst John Pescatore said in an alert posted yesterday.
The activity poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," Pescatore said. The Port 445 activity indicates that attackers may have already reverse-engineered the patch, developed exploit code and circulated it on the Internet, he said.
Officials at Symantec Corp. also spotted increased activity on Port 445, but they downplayed any immediate threat.
Alfred Huger, senior director of engineering at Symantec, said his company noted a "significant spike" in activity last Friday. Since then, activity levels have gone back to normal.
"Activity targeting Port 455 is very common. It's almost like background noise," Huger said, adding that the spike was probably an attempt by attackers to find systems that were vulnerable to the SMB flaw. "The good news is the vast majority of enterprise don't allow access to this port."
Companies that have installed Microsoft's Windows XP SP2 should also be protected against the flaw because it closes off access to Port 445 by default, Huger said.
Pescatore said companies need to accelerate efforts to patch affected systems, implement recommended work-arounds and ensure that access to Port 445 is blocked where possible. It is also a good idea to update both network and host-based intrusion prevention filters to deal with the threat, he said.
In an e-mailed response, a Microsoft spokeswoman said the company is aware of public reports about increased sniffing activity on Port 445.
"Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," she said. So far, at least, Microsoft has not received any reports of the flaw being exploited, she said.
"Enterprise customers are urged to enable their firewall to block TCP Port 445 at the perimeter, as well as install all recent security updates to prevent any malicious attacks," she said.



Jump to comments

Viruses

Additional Resources

Xerox
By using solid ink technology only from Xerox, you could save up to 65% by printing color for the cost of black and white. Enter for a chance to WIN a PhaserTM 8860 network color printer!
Microsoft
Save time and mitigate security risk. Deploy it now.
Sybase
In this white paper, IDC analyzes the role of next-generation mobile enterprise platforms as organizations seek a more strategic deployment of mobile solutions.

Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.