ghost16825 (Use security metrics) Premium Member join:2003-08-26
Mass Port 445 attack imminent says Symantec
Time will tell... » www.eweek.com/article2/0 ··· K0000614
An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
Researchers at Symantec Corp.'s DeepSight Network have detected a surge in scans on Port 445, an indication that malicious hackers may have already created exploits for a flaw in Microsoft Corp.'s implementation of the SMB (Server Message Block) protocol. ... The vulnerability, which was rated "critical," was patched one week ago in Microsoft's MS05-027 bulletin, and the increased noise on that port could be the first sign that a password brute force attack is imminent, Symantec DeepSight warned. ...

That's interesting. Lately I've been seeing a ton of hits in my firewall log on port 445.

As have I!!! Yikes, I too have seen massive amounts of traffic on 1025, 1026, 1027... sighs, the Internet is sooo dirty. I'm glad I have a hardened Linux box to keep me safe!!
Don Q

redxii Mod join:2001-02-26 Michigan
2005-Jun-23 2:06 pm
said by techteam9: I'm glad I have a hardened Linux box to keep me safe!!
Doesn't matter what OS you have, a router is enough to stop remote attacks like these. I wonder how many will post they have a problem due to this particular attack because they didn't patch.

dave Premium Member join:2000-05-04 not in ohio
2005-Jun-23 2:22 pm
I don't think I've patched yet. On the other hand, I have a router.

to ghost16825
Am patched (as far as I know) lol, and am behind a router, but wondered about GKWeb's Windows Worms Door Cleaner program and RPC Locator to disable port 445? And is it effective for this?
Wake

Daniel MVM join:2000-06-26 San Francisco, CA
to ghost16825
said by the article: An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?

Daniel
to Wake2
said by Wake2: ...but wondered about GKWeb's Windows Worms Door Cleaner program and RPC Locator to disable port 445? And is it effective for this?
I wouldn't recommend disabling port 445 necessarily -- especially if you're behind a router. Look into a free host-based firewall if you can't or don't want to run the Windows firewall in XP. This combined with a properly configured router will keep you safe from any attacks over port 445. If you're in doubt, though, use any of the myriad of online scanners available to check the state of your Internet-facing device. Cheers.

jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
to Daniel
said by Daniel: . . . I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
I presume from that product that Blake once worked on, which they picked up in one of their acquisitions. (DeepSight Analyzer, or some such?) I think they typically share the results with corporate subscribers first. I took a quick look at dShield and didn't see anything unusual there but I haven't checked MyNetWatchman yet.

Doctor Four (My other vehicle is a TARDIS) Premium Member join:2000-09-05 Dallas, TX
to ghost16825
MyNetWatchman shows only a 4.3% increase in attacks to port 445, which account for 26% of all malicious traffic reported there.

z0ned join:2002-07-27 Los Angeles, CA
to Daniel
said by Daniel: I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
From » tms.symantec.com/ : "Over 19,000 organizations in over 180 countries have registered to upload incident information to the Symantec Event Database."

jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
to Doctor Four
That is (I think) primarily nothing more than a 'raw count' of unsolicited probes. I think Deep Sight Analyzer may well include packet captures. If Symantec is referencing something different in the packet captures, that may well be what they are referring to.
I don't know; don't have access to their reports.

psloss Premium Member join:2002-02-24
to jvmorris
said by jvmorris:
said by Daniel: . . . I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
I presume from that product that Blake once worked on, which they picked up in one of their acquisitions. (DeepSight Analyzer, or some such?) I think they typically share the results with corporate subscribers first. I took a quick look at dShield and didn't see anything unusual there but I haven't checked MyNetWatchman yet.
Another issue to me with reports like this is how they can distinguish -- based on a SYN packet -- between probing for this vulnerability versus the constant tcp/445 scanning that goes on. Unless their system is letting these connection attempts go farther... Blake? A quick look at the Windows 2000 "bill of materials" for this patch (MS05-027) suggests that something that goes over the srvsvc pipe got fixed... if that's reasonable (not sure), then these probes would need to be filtered to some extent on activity to that pipe. (The BOM for 32-bit NT 5.1 and NT 5.2 only patches the lanmanserver kernel component, srv.sys; the NT 5.0 one also changes srvsvc.dll... hence, my wild guess...) (Edit: note that several parties probably disassembled the changes in the binaries sometime after the patches were published...)
Philip Sloss

to ghost16825
Given I designed and built DeepSight with my partner (it was called Aris back then), I'll give you all the rundown as to how it works later tonight, as at the moment I'm a little short on time, but it can tell the difference between different attacks in detail.
Blake

psloss Premium Member join:2002-02-24
2005-Jun-23 8:11 pm
said by Link Logger: Given I designed and built DeepSight with my partner (it was called Aris back then), I'll give you all the rundown as to how it works later tonight, as at the moment I'm a little short on time, but it can tell the difference between different attacks in detail.
Since I probably won't see this until tomorrow, I'll just say "thanks in advance, Blake."
Philip Sloss

z0ned join:2002-07-27 Los Angeles, CA
to ghost16825
Essentially, realtime algorithms are used that trigger when the level of observed activity changes by a statistically significant amount from the level that was observed before. If you have ever studied any statistics, the way an event is discerned from a background is by e.g. 3 sigma. This is highly simplified, but these are the basic workings. Then you reduce the sample in a variety of ways so that you have a few different perspectives. More than one metric is required to trigger before you call alarm. Blake will surely go into more detail since he authored this. The knowledge I have is from attending a presentation once by the Senior Manager of DeepSight.

psloss Premium Member join:2002-02-24
2005-Jun-23 8:58 pm
said by z0ned: Essentially, realtime algorithms are used that trigger when the level of observed activity changes by a statistically significant amount from the level that was observed before. If you have ever studied any statistics, the way an event is discerned from a background is by e.g. 3 sigma. This is highly simplified, but these are the basic workings. Then you reduce the sample in a variety of ways so that you have a few different perspectives. More than one metric is required to trigger before you call alarm. Blake will surely go into more detail since he authored this. The knowledge I have is from attending a presentation once by the Senior Manager of DeepSight.
Do you recall if the system allows for verification via some empirical method? The other question would be if the system can differentiate between a single event and multiple, simultaneous ones. (For example, botnet "churn" could also contribute to spikes in traffic...)
Thanks,
Philip Sloss

jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
Ya know, at this rate, we're gonna have Blake up all night!
Not that this is anything unusual, of course!

CajunTek (Insane Cajun) Premium Member join:2003-08-08 Arlington, TX
to ghost16825
So far... nothing on my logs from port 445... We'll see...

jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
But, of course, if what Symantec is talking about is targeted . . . either against websites or corporate WANs, you wouldn't be, would you?

psloss Premium Member join:2002-02-24
to jvmorris
said by jvmorris: Ya know, at this rate, we're gonna have Blake up all night! Not that this is anything unusual, of course!
That's why I signed off in advance! Actually, yes/no works for me for these questions... I'm not sure this threat is going to be worth that much of Blake's time.
Philip Sloss

jvmorris (I Am The Man Who Was Not There.) MVM join:2001-04-03 Reston, VA
Yes, that too. I've seen no other indications of this going on.

to techteam9
said by techteam9: Yikes, I too have seen massive amounts of traffic on 1025, 1026, 1027. Don Q
I've also seen in my router logs massive amounts of port probing on 1025, 1026 and 1027. They are mostly probes from Asian and China-based IPs. I've seen quite a lot from this ISP: » www.zoneedit.com/whois.h ··· 3.54.158. So what can we do to get this kind of crap to stop? Complain to the ISP who owns the IP? I haven't seen anything yet on port 445.

to ghost16825
OK, now that our Delphi Users Group meeting is finished, DeepSight.
DeepSight works with IDS (Intrusion Detection Systems) like Snort, so data which is fed into DeepSight contains packet level details, so we knew that an incident was TCP port 445, was a SYN packet of size x and contained packet signature z, etc. So what I'm saying is we received and processed data at the level of a packet inspecting IDS. So not only could we tell you for example that it was an RPC buffer overflow attack, but we could in a lot of cases tell you which worm (or even which worm version) it was, based on the packet signature (ie we could tell you if it was a Code Red 1 or Code Red 2 attack as the packet signature was different, so yes we can see multiple simultaneous events as different events). This differs significantly from other central reporting sites as they tend to limit themselves to firewall information (ie port/protocol).
Also DeepSight ties the attack signature to BugTraq so we could see things like worm development time (ie release of exploit to release of worm), vendor analysis, OS and OS versions and such. Also given the huge number of sites contributing to DeepSight (businesses, ISPs, etc) and the demographics they also gave, we could see things like targeted attacks (ie financial sites get more scans/attacks than anyone else). As you can tell, collecting all this information allows for tons of statistical analysis (PhD level people working on this) and trending (in realtime as well), so with DeepSight you can see a lot about the health of the internet and how it has changed over the years (ie currently there are about 15 billion incidents stored in the database). So DeepSight is about as advanced as data allows it to be.
When I designed Aris one of the things I was looking for was recon scans or beta releases of worms, such that we could predict impending attacks based on 'blips' on the trends, and we had found cases of those in the past, so perhaps someone at Symantec has noticed something that I have not seen here (frankly, listening to the underground chat channels is likely a more accurate predictor).
Now while I will say I'm very proud of DeepSight, there are some weaknesses, as there are in any system. Port reporting (ie data collected from firewalls) does work, and in some cases better than IDS reporting, as signatures are always an issue (lag time, accuracy, etc), and as such DeepSight has added firewall support so it can do firewall reporting as well. Firewall reporting catches some attacks sooner as the results can be seen sooner. For example I was one of the first to notice SQL Slammer, because I was watching port logging (and did a presentation on the evils of UDP port 1434 about 6 months earlier, I hope they were all listening), so I was able to post a warning on DSLReports about SQL Slammer before DeepSight's alarms went off.
Also there are mathematical issues with realtime trending, sample size, time slices, etc which can raise havoc with any automatic system (I used to do some modeling in real time leak detection for gas pipelines, same issues). False positives, bogus data en masse, etc can taint any realtime trending, hence why I prefer the human touch, which of course brings up the biggest factor, people running the system, and Symantec does have some very good people, but they are hardly the only good people on the planet, and the big reason I hang out at DSLReports is the great people who also hang out here and that Justin gives us a very nice place to meet and discuss with excellent moderators.
Have I missed anything?
Blake

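As an added illustration of the baseline-and-sigma alarm z0ned describes (more than one metric must trip) and of the sample-size and "single versus multiple events" concerns psloss and Blake raise, the Python below tracks two metrics per interval over constructed firewall drop lines and alarms only when both move by 3 sigma. It is written for this page and is not DeepSight, Aris or Symantec code; the line format, source IPs, counts and thresholds are all made up here.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed firewall-style line: "<interval> DROP <src_ip> -> <dst_port>/tcp"
LINE_RE = re.compile(r"^(\d+) DROP (\S+) -> (\d+)/tcp$")

# Eight quiet baseline intervals as (probe count, distinct sources); constructed, not real traffic.
BASELINE = [(10, 5), (12, 6), (9, 5), (11, 6), (10, 5), (12, 6), (9, 5), (11, 6)]

def constructed_log(interval, n_probes, n_sources):
    """Emit n_probes constructed drop lines spread over n_sources fake source IPs."""
    return [f"{interval} DROP 10.0.0.{i % n_sources + 1} -> 445/tcp" for i in range(n_probes)]

def summarize(lines, port="445"):
    """Per-interval (probe count, distinct source count) for one destination port."""
    probes, sources = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != port:
            continue
        t, src = int(m.group(1)), m.group(2)
        probes[t] += 1
        sources[t].add(src)
    return {t: (probes[t], len(sources[t])) for t in sorted(probes)}

def zscore(history, current):
    """How many (population) standard deviations `current` lies above the baseline mean."""
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:  # flat baseline: any rise at all counts as significant, so guard sample size
        return float("inf") if current > mu else 0.0
    return (current - mu) / sigma

def evaluate(summary, threshold=3.0, min_metrics=2, min_history=6):
    """Return (alarm, tripped metric names) for the latest interval against all earlier ones."""
    intervals = sorted(summary)
    history, current = intervals[:-1], intervals[-1]
    if len(history) < min_history:  # too few intervals to estimate sigma: refuse, don't guess
        return False, []
    metrics = {
        "probes": ([summary[t][0] for t in history], summary[current][0]),
        "sources": ([summary[t][1] for t in history], summary[current][1]),
    }
    tripped = sorted(n for n, (h, c) in metrics.items() if zscore(h, c) >= threshold)
    return len(tripped) >= min_metrics, tripped

def run_scenario(current_probes, current_sources, baseline=BASELINE):
    """Replay the constructed baseline plus one new interval through the detector."""
    lines = [ln for t, (p, s) in enumerate(baseline) for ln in constructed_log(t, p, s)]
    lines += constructed_log(len(baseline), current_probes, current_sources)
    return evaluate(summarize(lines))

if __name__ == "__main__":
    print(run_scenario(40, 30))  # many new hosts probing: both metrics trip -> alarm
    print(run_scenario(40, 5))   # one noisy host: only probe count trips -> no alarm
    print(run_scenario(40, 30, BASELINE[:3]))  # baseline too short: refused
```

The second scenario is the point of the two-metric rule: one host hammering port 445 quadruples the probe count but leaves the source count flat, so it is not called a new event.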
donaldk Premium Member join:2000-10-19 Halifax, NS
to ghost16825
To disable port 445 follow this EASY step. Modify this reg DWORD found in the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters. The name of the DWORD value is "SmbDeviceEnabled" (minus the quotes). Obviously, the value must be set to 0. Bye bye port 445.
In fact my copy of Windows Server 2003 (being used for desktop use) has only the NTP ports open on boot; everything else is closed. Once MSIE has opened (or anything that uses the DNS service), then the DNS listening UDP port is also opened, otherwise my system is hush quiet with the ports (no firewall either).
Steps:
1. Disable NetBIOS for TCP/IP (knocks 135-139).
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\ "ListenOnInternet"="0" (REG_SZ)
3. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole: "EnableDCOM"="Y" (default; yes, certain programs need this, like the Network Connections control panel), "EnableDCOMHTTP"="N", "EnableRemoteConnect"="N"
4. Go to Start > Run, type in "C:\windows\system32\com\comexp.msc". Once the DCOM MMC snap-in loads, click OK if a nag dialog box pops up (shouldn't on XP 5.1.2600, will on 5.2.3790). Go to Console Root > Component Services > Computers > My Computer, right click the My Computer icon and select Properties. Select the Default Protocols tab and in the page select each protocol and click the Remove button for each. Be aware that if for some reason you have a program that depends on DCOM over LAN then this will break its functionality; you will have to go into the protocol properties and adjust the settings that work best for you.
5. Also if UPnP and its SSDP service are enabled on your WinXP box, disable those services to shut 5000, and I think the SSDP sits on 4500 or something close to that number.
6. If you are really paranoid, disable the Windows Time service and that will close the NTP ports; now you have a Windows box that boots up clean to the net with no ports open.
Do this and have a firewall and inbound exploits are going to be pretty hard to carry out; this does not stop, however, any exploits carried out through legitimate pathways (like a webpage loading in MSIE causing a buffer overflow).

to ghost16825
This is actually a good time to compare 445 traffic to 445 traffic last year, as there was a major event on 445 at about this time in 2004. 445 traffic here has actually been decreasing, both in terms of number of scans and in number of systems scanning 445. Now this isn't to say that there isn't a new worm coming, as I would find it hard to believe that virus authors would pass up an exploit like this to infect surrounding systems to one which they were able to infect via an email borne attack (think of a corporate setting behind a firewall, infect one and then use a network based attack and you will get a lot more, as you're now behind the firewall and in the land of naked systems), but as to a major internet attack, I think not, for a couple of reasons.
First, any system that would be vulnerable to said exploit would have to be unpatched and exposed (meaning not hiding behind a firewall). Most of these systems are already infected and likely have an infection history (meaning they have been serially infected). Second, even if your XP system is unpatched but you're hiding behind XP's firewall (or any other firewall) then you will not be vulnerable to a network based attack. So while this new exploit is very possible, the size of the attack pool isn't much bigger than what is already available in terms of exploitable port 445 systems. Of course you should always be security aware and ensure your defenses are on guard all the time, but I certainly don't see how a major worm could 'appear' on TCP Port 445 anymore. It's been pretty well a year since the last 'new' major network based worm (Sasser), so perhaps we are overdue, but I have my doubts that this will amount to much, as 445 is already just about as infected as it can get given the current flavour of exploits out there.
Actually one of the things that I'm more interested in is the reemergence of ICMP scans (pings) in scan/attack patterns. I have seen an increase in this in June (not a large increase), so it appears that there is at least one virus/worm which is using pings to find systems to attack (wastes less time on protected IPs or systems which are not on).
Blake

psloss Premium Member join:2002-02-24
to Link Logger
said by Link Logger: DeepSight works with IDS (Intrusion Detection Systems) like Snort, so data which is fed into DeepSight contains packet level details, so we knew that an incident was TCP port 445, was a SYN packet of size x and contained packet signature z, etc. So what I'm saying is we received and processed data at the level of a packet inspecting IDS.
Thanks for the elaboration. Since DeepSight uses both IDS data and "port reporting" (like DShield and myNetWatchman), do you know if Symantec's announcement is based purely on looking at IDS data? Or am I being too cynical about other possible reasons why they announced this?
Philip Sloss

exocet_cm (Writing) Premium Member join:2003-03-23 Brooklyn, NY
to ghost16825
SANS picked it up. » isc.sans.org/

to psloss
I suspect the indicator that they see is from IDS data, as there hasn't been any kind of port scan indicator that I can see on either DShield or myNetWatchman which would indicate a new attack is coming or is here. Likely the IDS data is showing that the new exploit is being used in the wild (or at least a beta version has been found).
I've kicked on a pot on 445 and generally I have not seen anything there which scares me yet (I've posted some of those attacks in another thread), however it is funny how many infected systems are behind firewalls (security issues existed between keyboard and user).
Blake
edit -> NOTE: I'm not spending a lot of time watching this as I do have other items to deal with (ie I'm coding new apps), so don't be taking what I'm saying as someone who is 100% dedicated to watching second by second the evils of the internet, but from what I've looked at thus far, it's business as usual as far as scum traffic on 445 is concerned at my site.

Link Logger
to ghost16825
Someone else claiming there is an imminent attack: » software.silicon.com/os/ ··· 5,00.htm
Were these just scans for open 445 ports or were they looking for open 445 ports with the desired vulnerability? Huge, huge difference.
Blake