Experts disagreed Thursday whether a recent surge in port sniffing of Windows systems meant a worm attack was on the way.
Last Friday, Symantec reported a climb in scanning activity on TCP port 445, http://www.techweb.com/wire/security/164900734
one of the two ports associated with the Server Message Block (SMB) protocol in Windows. Earlier last week, Microsoft http://www.techweb.com/wire/security/164303082
announced that the protocol suffered from what it called a "critical" vulnerability, and released not only details of the bug, but also a patch.
The scanning was short-lived, said Alfred Huger, vice president of engineering for Symantec's security response team, but reiterated Symantec's position that the post sniffing may be a precursor to an attack. But he thought the odds long.
"This vulnerability isn't a very powerful candidate for a worm," said Huger. "I don't think we'll see a mass exploitation."
That said, however, Huger noted that such port scanning was common, particularly pre-attack, often prior to any real work on the part of hackers. "It's like a try before you buy deal," he said. Hackers want to get an idea of the possible extent of the vulnerability before they go to the effort of crafting a worm, he said.
The quick climb -- and decline -- of the port 445 scanning, Huger said, meant that it was likely a large bot network doing the sniffing. "They can enumerate the whole Internet, so it's unlikely we'll see another scan surge before an attack, if one's coming."
A Gartner security analyst, however, was sounding a more anxious alert about the scanning. "The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," wrote John Pescatore, a research director at Gartner, in an online note. http://www.gartner.com/DisplayDocument?doc_cd=129313
Pescatore outlined a five-step timeline hackers typically follow, starting with a vulnerability being identified and ending with an attack launch. On Pescatore's timeline, "Attackers scan to find vulnerable systems" is number 4.
"The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely-used SMB protocol," Pescatore added.
Whether the port scanning is only for reconnaissance, as Huger thinks, or the harbinger of an actual attack, as Pescatore believes, the advice to enterprises and end-users is the same.
"Accelerate your efforts to ensure that all Windows systems are patched," recommended Pescatore, "[and] implement shielding or other workarounds until patching is complete."
One of the workarounds Microsoft described in its security bulletin http://www.microsoft.com/technet/security/bulletin/MS05-027.mspx
of last week was to block ports 139 and 445, inbound and outbound, at the firewall. "[This] will help prevent systems that are behind that firewall from attempts to exploit this vulnerability," said Microsoft. SOURCE