More Port 445 Activity Could Mean Security Trouble
cj writes "An apparent increase in scanning activity may signal an impending malicious-code attack exploiting a critical Windows vulnerability. Take immediate steps to ensure that the affected Windows port is secure.
On 17 June 2005, media reports indicated that security vulnerability sensors have noted an increase in activity on TCP Port 445, which is associated with Microsoft Windows' Server Message Block (SMB) Protocol. This port could potentially be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-27), a critical flaw for which Microsoft released a patch on 14 June.
Analysis
The apparent increase in sniffing on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack. Such attacks typically follow a highly predictable timeline:
A security vulnerability is identified and a patch is released.
Attackers use the patch to reverse-engineer the vulnerability.
Exploit code is developed and circulated on the Internet.
Attackers scan to find vulnerable systems.
A mass attack is launched.
The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely used SMB protocol.
