Analysts Warn of Possible TCP Port Attack

Analysts are warning of a possible TCP Port attack after detecting a surge in sniffing on Port 445, which is the port associated with a recently patched Microsoft flaw.

Gartner, Inc., a major industry analyst firm based in Stamford, Conn., has issued an alert, saying the increased scanning activity may signal an impending malicious code attack exploiting a critical Windows vulnerability.

The flaw was connected to the Microsoft Windows Server Message Block (SMB) Protocol, which is associated with Port 445. The port could be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MSO5-27). A patch for the bug was released on June 14.

”The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attacks have reached the fourth state in this process and may be preparing a mass attack, employing the widely used SMB protocol,” Gartner analysts warned in a written statement.

The analysts note that launching a mass attack is generally a five-state process. First, a vulnerability is identified and a patch is released. Then attackers use the patch to reverse engineer the vulnerability. After that, exploit code is developed and circulated on the Internet, and then attackers scan to find vulnerable systems. The last step actually is launching an attack.

A spokesperson for Symantec Corp., an anti-virus and anti-spam company, says researchers at Symantec’s DeepSight Network detected the surge in sniffing last week. In the last several days, the surge has started to drop off, however.

Windows 2000 and Windows XP use TCP Port 445 to run SMB directly over TCP/IP to manage activities such as file sharing and communication between computers.

Analysts are advising users to make sure that all flaws are patched.