On 17 June 2005, media reports indicated that security vulnerability sensors have noted an increase in activity on TCP Port 445, which is associated with Microsoft Windows' Server Message Block (SMB) Protocol. This port could potentially be used to exploit the Microsoft Incoming SMB Packet Validation Remote Buffer Overflow Vulnerability (MS05-27), a critical flaw for which Microsoft released a patch on 14 June.
The apparent increase in scanning on Port 445 is a serious concern for enterprise security managers, because it may indicate an impending mass malicious-code attack. Such attacks typically follow a highly predictable timeline:
1. A security vulnerability is identified and a patch is released.
2. Attackers use the patch to reverse-engineer the vulnerability.
3. Exploit code is developed and circulated on the Internet.
4. Attackers scan to find vulnerable systems.
5. A mass attack is launched.
The Port 445 activity may indicate that — in the week since Microsoft released the Windows patch — attackers have reached the fourth stage in this process and may be preparing a mass attack employing the widely used SMB protocol.
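As an added illustration of what the scanning stage looks like in perimeter logs (example code written for this note, not Gartner's), the following Python check reads constructed iptables-style firewall lines, flags any source that sweeps several internal hosts on TCP/445, and compares the window's 445 attempt count against an assumed baseline taken from earlier logs:

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall log lines (sample data, not from the Gartner note).
SAMPLE_LOG = """\
Jun 17 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=3456 DPT=445 SYN
Jun 17 10:01:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=3457 DPT=445 SYN
Jun 17 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=3458 DPT=445 SYN
Jun 17 10:01:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=3459 DPT=445 SYN
Jun 17 10:02:10 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 SYN
Jun 17 10:02:11 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.20 PROTO=TCP SPT=51001 DPT=139 SYN
Jun 17 10:03:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=80 SYN
"""

# Pull source, destination and destination port out of a TCP log line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def smb_attempts(log_text):
    """Yield (src, dst) for every TCP/445 connection attempt in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("dpt") == "445":
            yield m.group("src"), m.group("dst")

def find_port445_sweepers(log_text, min_hosts=3):
    """Sources that probed at least min_hosts distinct hosts on 445 (horizontal-scan behaviour)."""
    targets = defaultdict(set)
    for src, dst in smb_attempts(log_text):
        targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= min_hosts)

def scan_surge_detected(log_text, baseline_attempts, factor=3.0):
    """True when TCP/445 attempts in this window exceed `factor` times the usual count.
    baseline_attempts is assumed to be measured from a comparable earlier window."""
    observed = sum(1 for _ in smb_attempts(log_text))
    return observed > factor * baseline_attempts

if __name__ == "__main__":
    print("445 sweepers:", find_port445_sweepers(SAMPLE_LOG))
    print("surge vs baseline of 1:", scan_surge_detected(SAMPLE_LOG, baseline_attempts=1))
```

A single source touching one host on 445 is ordinary noise; the sweep threshold and the baseline multiplier are what separate the scanning stage described above from background traffic.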
Analytical Source: John Pescatore, Gartner Research
Resource Id: 481906