Increased port 'sniffing' could herald attack, Gartner warns
It's pointing to increased activity on TCP Port 445
Computerworld - An increase in "sniffing" activity on a port associated with a recently patched Microsoft Corp. vulnerability may be the signal of an impending attack attempting to exploit the flaw, according to an alert from analyst firm Gartner Inc.
The flaw in question is a remote code execution vulnerability associated with the Microsoft Windows Server Message Block (SMB) Protocol. It was rated as critical by the company in its June security bulletin, released earlier this month, because attackers who exploit it could take complete control of affected systems, according to Microsoft (see Microsoft offers three 'critical' patches in monthly security update).
An increase in activity on TCP Port 445, which is associated with the SMB protocol, may be a signal that attackers are attempting to exploit the hole, Gartner analyst John Pescatore said in an alert posted yesterday.
The activity poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," Pescatore said. The Port 445 activity indicates that attackers may have already reverse-engineered the patch, developed exploit code and circulated it on the Internet, he said.
Officials at Symantec Corp. also spotted increased activity on Port 445, but they downplayed any immediate threat.
Alfred Huger, senior director of engineering at Symantec, said his company noted a "significant spike" in activity last Friday. Since then, activity levels have gone back to normal.
"Activity targeting Port 455 is very common. It's almost like background noise," Huger said, adding that the spike was probably an attempt by attackers to find systems that were vulnerable to the SMB flaw. "The good news is the vast majority of enterprise don't allow access to this port."
Companies that have installed Microsoft's Windows XP SP2 should also be protected against the flaw because it closes off access to Port 445 by default, Huger said.
Pescatore said companies need to accelerate efforts to patch affected systems, implement recommended work-arounds and ensure that access to Port 445 is blocked where possible. It is also a good idea to update both network and host-based intrusion prevention filters to deal with the threat, he said.
In an e-mailed response, a Microsoft spokeswoman said the company is aware of public reports about increased sniffing activity on Port 445.
"Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," she said. So far, at least, Microsoft has not received any reports of the flaw being exploited, she said.
"Enterprise customers are urged to enable their firewall to block TCP Port 445 at the perimeter, as well as install all recent security updates to prevent any malicious attacks," she said.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.



- Excel 2010 Cheat Sheet
- Register for this Computerworld Insider Cheat Sheet and gain access to hundreds of premium content articles, guides, product reviews and more.
- Reducing the Cost and Complexity of Web Vulnerability Management
- Hackers and cybercriminals are constantly refining their attacks and targets; which means you need agile tools to stay ahead of them.
Download this... - Overcome Top 7 Admin Challenges of Active Directory
- As Active Directory's role in the enterprise has drastically increased, so has the need to secure the data. Gain insight on creating repeatable,...
- Insiders Can Ruin Your Company. Take Action.
- Did you know that 80 percent of threats to an organization come from the inside? The threat from insiders is often overlooked in...
- Top Solutions and Tools to Prevent Devastating Malware
- Custom malware frequently goes undetected. According to Forrester Research, the best way to reduce risk of breach is to deploy file integrity monitoring...
- Streamline Compliance and Increase ROI
- Streamline, simplify, and automate compliance related activities; especially those that impact multiple business units. This white paper from NetIQ, outlines solutions that will... All Malware and Vulnerabilities White Papers
- Optimizing Networks for the Cloud
- Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
- Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
- Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
- Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
- Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
- Customer Spotlight: How IPC The Hospitalist Company Implemented Oracle on VMware
- Have you been looking to hear about customer's experiences with the new VMware vCenter Site Recovery Manager product? View this webcast to learn...
- Virtualize Business-Critical Applications with Confidence
- Virtualizing business-critical applications has become a key focus for organizations as they move along their virtualization journey. With the launch of VMware vSphere®... All Malware and Vulnerabilities Webcasts