Experts Undecided About Port 445 Sniffing's Impact On Windows Systems - InformationWeek

07:51 PM

Experts disagreed Thursday whether a recent surge in port sniffing of Windows systems means a worm attack is on the way.

Last Friday, Symantec reported a climb in scanning activity on TCP port 445, one of the two ports associated with the Server Message Block (SMB) protocol in Windows. Earlier last week, Microsoft announced that the protocol suffered from what it called a "critical" vulnerability, and released not only details of the bug, but also a patch.

The scanning was short-lived, said Alfred Huger, vice president of engineering for Symantec's security response team, who reiterated Symantec's position that the port sniffing may be a precursor to an attack. But he thought the odds long.

"This vulnerability isn't a very powerful candidate for a worm," said Huger. "I don't think we'll see a mass exploitation."

That said, Huger noted that such port scanning was common, particularly pre-attack, and often came before any real work on the part of hackers. "It's like a try before you buy deal," he said. Hackers want to get an idea of the possible extent of the vulnerability before they go to the effort of crafting a worm, he said.

The quick climb -- and decline -- of the port 445 scanning, Huger said, meant that it was likely a large bot network doing the sniffing. "They can enumerate the whole Internet, so it's unlikely we'll see another scan surge before an attack, if one's coming."

A Gartner security analyst, however, was sounding a more anxious alert about the scanning. "The apparent increase in 'sniffing' on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack," wrote John Pescatore, a research director at Gartner, in an online note. Pescatore outlined a five-step timeline hackers typically follow, starting with a vulnerability being identified and ending with an attack launch. On Pescatore's timeline, "Attackers scan to find vulnerable systems" is number 4.

"The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth state in this process and may be preparing a mass attack employing the widely-used SMB protocol," Pescatore added.

Whether the port scanning is only for reconnaissance, as Huger thinks, or the harbinger of an actual attack, as Pescatore believes, the advice to enterprises and end-users is the same.

"Accelerate your efforts to ensure that all Windows systems are patched," recommended Pescatore, "[and] implement shielding or other workarounds until patching is complete."

One of the workarounds Microsoft described in its security bulletin of last week was to block ports 139 and 445, inbound and outbound, at the firewall. "[This] will help prevent systems that are behind that firewall from attempts to exploit this vulnerability," said Microsoft.
