Sniffing of TCP Port Could Herald Attack, Gartner Says

Targeted port is tied to patched Microsoft protocol

An increase in sniffing activity on a communications port associated with a software vulnerability disclosed by Microsoft Corp. this month may be the signal of an impending attack designed to exploit the flaw, according to an alert from Gartner Inc.

The remote code-execution vulnerability affects the Windows Server Message Block (SMB) file-sharing protocol. In its monthly patch release two weeks ago, Microsoft gave the SMB hole a "critical" severity rating because attackers could use it to take control of unprotected systems.

Gartner analyst John Pescatore said in an alert posted on the consulting firm's Web site last Tuesday that the increased sniffing detected on TCP Port 445 poses "a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack." The sniffing activity indicates that attackers may have reverse-engineered Microsoft's SMB patch, developed exploit code and circulated it on the Internet, Pescatore said.

Monitors at Symantec Corp. also spotted the increased activity on Port 445, but they downplayed any immediate threat to corporate systems.

Alfred Huger, senior director of engineering at Symantec, said the Cupertino, Calif.-based company noticed a "significant spike" in sniffing on June 17. Since then, though, activity levels have gone back to normal, according to Huger.

Background Noise

"Activity targeting Port 455 is very common. It's almost like background noise," Huger said. He added that the spike probably indicated an attempt to find vulnerable systems. "The good news is that the vast majority of enterprises don't allow access to this port," he said. Companies that have installed Windows XP Service Pack 2 should already be protected because that version of the operating system closes off access to Port 445 by default, Huger said.

Pescatore said companies need to accelerate system patching, implement recommended work-arounds and ensure that access to Port 445 is blocked where possible. It's also a good idea to update both network and host-based intrusion-prevention filters to deal with the threat, he said.

A Microsoft spokeswoman said the software vendor is aware of public reports about increased sniffing on Port 445. But it doesn't necessarily relate to the SMB flaw, she said. "Port scanning is an activity that may be indicative of an attempt to discover attack vectors against any vendor product and is not an activity unique to Microsoft products," the spokeswoman said. She added that Microsoft had yet to receive any reports of the flaw being exploited.

Copyright © 2005 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon