Increased port 'sniffing' could herald attack, Gartner warns

Computerworld - An increase in "sniffing" activity on a port associated with a recently patched Microsoft Corp. vulnerability may be the signal of an impending attack attempting to exploit the flaw, according to an alert from analyst firm Gartner Inc.
The flaw in question is a remote code execution vulnerability associated with the Microsoft Windows Server Message Block (SMB) Protocol. It was rated as critical by the company in its June security bulletin, released earlier this month, because attackers who exploit it could take complete control of affected systems, according to Microsoft (see Microsoft offers three 'critical' patches in monthly security update).
An increase in activity on TCP Port 445, which is associated with the SMB protocol, may be a signal that attackers are attempting to exploit the hole, Gartner analyst John Pescatore said in an alert posted yesterday.
The activity poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," Pescatore said. The Port 445 activity indicates that attackers may have already reverse-engineered the patch, developed exploit code and circulated it on the Internet, he said.
Officials at Symantec Corp. also spotted increased activity on Port 445, but they downplayed any immediate threat.
Alfred Huger, senior director of engineering at Symantec, said his company noted a "significant spike" in activity last Friday. Since then, activity levels have gone back to normal.
"Activity targeting Port 455 is very common. It's almost like background noise," Huger said, adding that the spike was probably an attempt by attackers to find systems that were vulnerable to the SMB flaw. "The good news is the vast majority of enterprise don't allow access to this port."
Companies that have installed Microsoft's Windows XP SP2 should also be protected against the flaw because it closes off access to Port 445 by default, Huger said.
Pescatore said companies need to accelerate efforts to patch affected systems, implement recommended work-arounds and ensure that access to Port 445 is blocked where possible. It is also a good idea to update both network and host-based intrusion prevention filters to deal with the threat, he said.
In an e-mailed response, a Microsoft spokeswoman said the company is aware of public reports about increased sniffing activity on Port 445.
"Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," she said. So far, at least, Microsoft has not received any reports of the flaw being exploited, she said.
"Enterprise customers are urged to enable their firewall to block TCP Port 445 at the perimeter, as well as install all recent security updates to prevent any malicious attacks," she said.