Sniffing of TCP Port Could Herald Attack, Gartner Says
Targeted port is tied to patched Microsoft protocol
Computerworld - An increase in sniffing activity on a communications port associated with a software vulnerability disclosed by Microsoft Corp. this month may be the signal of an impending attack designed to exploit the flaw, according to an alert from Gartner Inc.
The remote code-execution vulnerability affects the Windows Server Message Block (SMB) file-sharing protocol. In its monthly patch release two weeks ago, Microsoft gave the SMB hole a "critical" severity rating because attackers could use it to take control of unprotected systems.
Gartner analyst John Pescatore said in an alert posted on the consulting firm's Web site last Tuesday that the increased sniffing detected on TCP Port 445 poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack." The sniffing activity indicates that attackers may have reverse-engineered Microsoft's SMB patch, developed exploit code and circulated it on the Internet, Pescatore said.
Monitors at Symantec Corp. also spotted the increased activity on Port 445, but they downplayed any immediate threat to corporate systems.
Alfred Huger, senior director of engineering at Symantec, said the Cupertino, Calif.-based company noticed a "significant spike" in sniffing on June 17. Since then, though, activity levels have gone back to normal, according to Huger.
"Activity targeting Port 445 is very common. It's almost like background noise," Huger said. He added that the spike probably indicated an attempt to find vulnerable systems. "The good news is that the vast majority of enterprises don't allow access to this port," he said. Companies that have installed Windows XP Service Pack 2 should already be protected because that version of the operating system closes off access to Port 445 by default, Huger said.
Pescatore said companies need to accelerate system patching, implement recommended work-arounds and ensure that access to Port 445 is blocked where possible. It's also a good idea to update both network and host-based intrusion-prevention filters to deal with the threat, he said.
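The spike Symantec describes, and the baseline-versus-spike judgement Pescatore's alert rests on, can be checked against your own perimeter logs. The following script is an added example, not code from the article, Gartner, Symantec or Microsoft. It assumes a simplified, constructed firewall export format (ISO date, source IP, destination IP, destination port, action) and constructed sample lines; the dates, addresses and year are invented for illustration. It counts distinct sources probing TCP/445 per day, flags days that exceed a multiple of the prior-day average, and lists any 445 connections the firewall allowed through, which are the hosts to confirm as patched or blocked per the recommendations above.

```python
"""Flag a spike in inbound probes of TCP/445 and list unblocked 445 hits.

Added example (not from the Computerworld article). The log format and all
sample lines are constructed; adapt LINE_RE to your firewall's real export.
"""
from collections import defaultdict
import re

# Constructed sample log lines (not real traffic). Fields: ISO date, source IP,
# destination IP, destination port, firewall action. Year and addresses are
# arbitrary; the June 17 spike mirrors the one described in the article.
SAMPLE_LOG = """\
2005-06-15 198.51.100.7 203.0.113.10 445 DENY
2005-06-15 198.51.100.9 203.0.113.11 445 DENY
2005-06-16 198.51.100.7 203.0.113.10 445 DENY
2005-06-16 198.51.100.22 203.0.113.12 80 ALLOW
2005-06-17 198.51.100.31 203.0.113.10 445 DENY
2005-06-17 198.51.100.32 203.0.113.10 445 DENY
2005-06-17 198.51.100.33 203.0.113.11 445 DENY
2005-06-17 198.51.100.34 203.0.113.12 445 DENY
2005-06-17 198.51.100.35 203.0.113.13 445 DENY
2005-06-17 198.51.100.36 203.0.113.13 445 DENY
2005-06-17 198.51.100.36 203.0.113.14 445 ALLOW
2005-06-18 198.51.100.7 203.0.113.10 445 DENY
2005-06-18 198.51.100.40 203.0.113.10 445 DENY
"""

# Hypothetical line layout; real firewalls differ, so this regex is the part to adapt.
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<action>\w+)$"
)


def parse_lines(text):
    """Yield (day, src, dst, dport, action) tuples; lines that don't match are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["day"], m["src"], m["dst"], int(m["dport"]), m["action"]


def distinct_sources_per_day(text, port=445):
    """Number of distinct source IPs that touched `port` on each day (ISO date -> count).

    Distinct sources, not raw packet counts, so one noisy host cannot fake a spike.
    """
    seen = defaultdict(set)
    for day, src, _dst, dport, _action in parse_lines(text):
        if dport == port:
            seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}


def spike_days(counts, factor=3.0, min_baseline_days=1):
    """Days whose count exceeds `factor` times the mean of all earlier days.

    Days without enough history to form a baseline are never flagged.
    """
    flagged, history = [], []
    for day in sorted(counts):
        if len(history) >= min_baseline_days:
            baseline = sum(history) / len(history)
            if counts[day] > factor * baseline:
                flagged.append(day)
        history.append(counts[day])
    return flagged


def allowed_hits(text, port=445):
    """Connections to `port` the firewall let through.

    Each destination here is a host that must be confirmed patched, since the
    article's mitigation is to block 445 wherever possible.
    """
    return [(day, src, dst) for day, src, dst, dport, action in parse_lines(text)
            if dport == port and action == "ALLOW"]


if __name__ == "__main__":
    counts = distinct_sources_per_day(SAMPLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} distinct sources probed 445")
    print("spike days:", spike_days(counts))
    print("445 connections allowed through:", allowed_hits(SAMPLE_LOG))
```

On the constructed sample the script flags June 17 (six distinct sources against a prior average of 1.5) and reports one allowed connection to an internal host, which is exactly the kind of gap the blocking and patching advice above is meant to close. Counting distinct sources rather than packets keeps a single repeat scanner from masquerading as a mass event.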
A Microsoft spokeswoman said the software vendor is aware of public reports about increased sniffing on Port 445. But it doesn't necessarily relate to the SMB flaw, she said. "Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," the spokeswoman said. She added that Microsoft had yet to receive any reports of the flaw being exploited.