07:51 PM

Experts Undecided About Port 445 Sniffing's Impact On Windows Systems

Experts disagreed Thursday whether a recent surge in port sniffing of Windows systems means a worm attack is on the way.

Last Friday, Symantec reported a climb in scanning activity on TCP port 445, one of the two ports associated with the Server Message Block (SMB) protocol in Windows. Earlier last week, Microsoft announced that the protocol suffered from what it called a "critical" vulnerability, and released not only details of the bug, but also a patch.

The scanning was short-lived, said Alfred Huger, vice president of engineering for Symantec's security response team, who nonetheless reiterated Symantec's position that the port sniffing may be a precursor to an attack. But he thought the odds long.

"This vulnerability isn't a very powerful candidate for a worm," said Huger. "I don't think we'll see a mass exploitation."

That said, Huger noted that such port scanning is common before an attack, often preceding any real work on the part of hackers. "It's like a try before you buy deal," he said. Hackers want to get an idea of the possible extent of the vulnerability before they go to the effort of crafting a worm, he said.

The quick climb -- and decline -- of the port 445 scanning, Huger said, meant that it was likely a large bot network doing the sniffing. "They can enumerate the whole Internet, so it's unlikely we'll see another scan surge before an attack, if one's coming."
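To make the "quick climb and decline" described above concrete from a defender's side, the following Python example (added here; it is not code from the article, Symantec or Gartner) reads simplified, constructed firewall log lines, buckets TCP/139 and TCP/445 connection attempts into fixed time windows, flags a window whose count jumps well above the baseline of earlier windows, and then lists which sources in the surge window were sweeping many distinct hosts, the enumeration behaviour Huger attributes to a bot network. The log format, thresholds and IP addresses are all assumptions for the example.

```python
"""Spot a short-lived surge of SMB-port scanning in firewall logs.

Added example, not from the original article. The log format is an
assumed, simplified one: "<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>".
"""
from collections import defaultdict

SMB_PORTS = {139, 445}  # the two TCP ports the article associates with SMB

# Constructed sample log: two quiet minutes, one minute in which three
# sources sweep the 10.0.0.0/24 on port 445, then quiet again.
LOG_LINES = [
    "0 198.51.100.2 10.0.0.5 445 tcp",
    "30 198.51.100.3 10.0.0.6 80 tcp",    # HTTP, not counted
    "45 198.51.100.2 10.0.0.7 445 tcp",
    "70 198.51.100.4 10.0.0.5 139 tcp",
    "100 198.51.100.2 10.0.0.8 445 tcp",
    "121 203.0.113.7 10.0.0.1 445 tcp",
    "122 203.0.113.7 10.0.0.2 445 tcp",
    "123 203.0.113.7 10.0.0.3 445 tcp",
    "124 203.0.113.7 10.0.0.4 445 tcp",
    "125 203.0.113.7 10.0.0.5 445 tcp",
    "126 203.0.113.7 10.0.0.6 445 tcp",
    "130 203.0.113.8 10.0.0.1 445 tcp",
    "131 203.0.113.8 10.0.0.2 445 tcp",
    "132 203.0.113.8 10.0.0.3 445 tcp",
    "140 203.0.113.9 10.0.0.1 445 tcp",
    "141 203.0.113.9 10.0.0.2 445 tcp",
    "142 203.0.113.9 10.0.0.3 445 tcp",
    "150 198.51.100.2 10.0.0.9 445 tcp",
    "190 198.51.100.2 10.0.0.5 445 tcp",
    "220 198.51.100.4 10.0.0.6 139 tcp",
    "250 198.51.100.2 10.0.0.7 445 tcp",
]


def parse_line(line):
    """Return (ts, src, dst, port, proto) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return int(ts), src, dst, int(port), proto.lower()
    except ValueError:
        return None


def smb_attempts_by_window(lines, window_seconds=60):
    """Group TCP attempts against SMB ports by the window they fall in."""
    windows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        windows[ts - ts % window_seconds].append((src, dst, port))
    return dict(windows)


def find_surge(lines, window_seconds=60, factor=3.0, min_attempts=5):
    """Return the start times of windows whose SMB-port attempt count is at
    least `factor` times the mean of all earlier windows (empty windows count
    as zero) and at least `min_attempts`, so a lone extra probe is ignored."""
    windows = smb_attempts_by_window(lines, window_seconds)
    if not windows:
        return []
    surges, history = [], []
    for start in range(min(windows), max(windows) + 1, window_seconds):
        count = len(windows.get(start, []))
        if history:
            baseline = sum(history) / len(history)
            if count >= min_attempts and count >= factor * baseline:
                surges.append(start)
        history.append(count)
    return surges


def sweep_sources(lines, surge_windows, window_seconds=60, min_targets=3):
    """Map each source seen in the surge windows to the number of distinct
    hosts it touched, keeping only sources that swept `min_targets` or more."""
    windows = smb_attempts_by_window(lines, window_seconds)
    targets = defaultdict(set)
    for start in surge_windows:
        for src, dst, _port in windows.get(start, []):
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


if __name__ == "__main__":
    surge = find_surge(LOG_LINES)
    print("surge windows starting at:", surge)            # [120]
    print("sweeping sources:", sweep_sources(LOG_LINES, surge))
```

The baseline is deliberately the mean of every earlier window rather than only the previous one, so a single scan burst stands out against the normal trickle and a quiet minute right after the burst is not itself reported as anomalous; the distinct-host count per source is what separates enumeration from a host that merely talks to one file server often.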

A Gartner security analyst, however, was sounding a more anxious alert about the scanning. "The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," wrote John Pescatore, a research director at Gartner, in an online note. Pescatore outlined a five-step timeline hackers typically follow, starting with a vulnerability being identified and ending with an attack launch. On Pescatore's timeline, "Attackers scan to find vulnerable systems" is number 4.

"The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely-used SMB protocol," Pescatore added.

Whether the port scanning is only for reconnaissance, as Huger thinks, or the harbinger of an actual attack, as Pescatore believes, the advice to enterprises and end-users is the same.

"Accelerate your efforts to ensure that all Windows systems are patched," recommended Pescatore, "[and] implement shielding or other workarounds until patching is complete."

One of the workarounds Microsoft described in its security bulletin of last week was to block ports 139 and 445, inbound and outbound, at the firewall. "[This] will help prevent systems that are behind that firewall from attempts to exploit this vulnerability," said Microsoft.
