ghost16825
Use security metrics
Premium Member
join:2003-08-26

ghost16825

Premium Member

Mass Port 445 attack imminent says Symantec

Time will tell...
»www.eweek.com/article2/0 ··· K0000614
An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.

Researchers at Symantec Corp.'s DeepSight Network have detected a surge in scans on Port 445, an indication that malicious hackers may have already created exploits for a flaw in Microsoft Corp.'s implementation of the SMB (Server Message Block) protocol.
...
The vulnerability, which was rated "critical," was patched one week ago in Microsoft's MS05-027 bulletin, and the increased noise on that port could be the first sign that a password brute force attack is imminent, Symantec DeepSight warned.
...

craezer
join:2003-12-15

craezer

Member

That's interesting, lately I've been seeing a ton of hits on my firewall log to port 445.
techteam9
join:2005-06-17
Meadville, PA

techteam9

Member

As have I!!! Yikes, I too have seen massive amounts of traffic on 1025, 1026, 1027... sighs, the Internet is sooo dirty. I'm glad I have a hardened Linux box to keep me safe!!

Don Q

redxii
Mod
join:2001-02-26
Michigan
Asus RT-AC3100
Buffalo WZR-HP-G300NH2

1 edit

2 recommendations

redxii

Mod

said by techteam9:

I'm glad I have a hardened Linux box to keep me safe!!
Doesn't matter what OS you have, a router is enough to stop remote attacks like these.

I wonder how many will post they have a problem due to this particular attack because they didn't patch.
dave
Premium Member
join:2000-05-04
not in ohio

dave

Premium Member

I don't think I've patched yet. On the other hand, I have a router.
Wake2
join:2005-04-30

Wake2 to ghost16825

Member

to ghost16825
Am patched (far as I know) lol, and am behind a router, but wondered about GKWeb's Windows Worms Doors Cleaner program and RPC Locator to disable port 445? And is it effective for this?

Wake

Daniel
MVM
join:2000-06-26
San Francisco, CA

Daniel to ghost16825

MVM

to ghost16825
said by the article:

An ominous increase in sniffing activity on TCP Port 445 could signal an impending mass malicious code attack targeting a recently patched Microsoft vulnerability, according to a warning from security researchers.
I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
Daniel

Daniel to Wake2

MVM

to Wake2
said by Wake2:

, but wondered about GKWeb's Windows Worms Doors Cleaner program and RPC Locator to disable port 445? And is it effective for this?
I wouldn't recommend disabling port 445 necessarily -- especially if you're behind a router. Look into a free host-based firewall if you can't or don't want to run the Windows firewall in XP.

This combined with a properly configured router will keep you safe from any attacks over port 445. If you're in doubt, though, use any of the myriad of online scanners available to check the state of your Internet-facing device.

Cheers.

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to Daniel

MVM

to Daniel
said by Daniel:

. . . I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
I presume from that product that Blake once worked on, which they picked up in one of their acquisitions. (DeepSight Analyzer, or some such?) I think they typically share the results with corporate subscribers first. I took a quick look at dShield and didn't see anything unusual there but I haven't checked MyNetWatchman yet.

Doctor Four
My other vehicle is a TARDIS
Premium Member
join:2000-09-05
Dallas, TX

Doctor Four to ghost16825

Premium Member

to ghost16825
MyNetWatchman shows only a 4.3% increase in attacks to port 445, which account for 26% of all malicious traffic reported there:

[attached screenshot of the MyNetWatchman port 445 chart]

z0ned
join:2002-07-27
Los Angeles, CA

z0ned to Daniel

Member

to Daniel
said by Daniel:

I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
From »tms.symantec.com/ :

"Over 19,000 organizations in over 180 countries have registered to upload incident information to the Symantec Event Database."

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris to Doctor Four

MVM

to Doctor Four
That is (I think) primarily nothing more than a 'raw count' of unsolicited probes. I think Deep Sight Analyzer may well include packet captures. If Symantec is referencing something different in the packet captures, that may well be what they are referring to.

I don't know; don't have access to their reports.
psloss
Premium Member
join:2002-02-24

1 edit

psloss to jvmorris

Premium Member

to jvmorris
said by jvmorris:
said by Daniel:

. . . I hate to be pedantic, but exactly how did they become privy to all this "sniffing" activity?
I presume from that product that Blake once worked on, which they picked up in one of their acquisitions. (DeepSight Analyzer, or some such?) I think they typically share the results with corporate subscribers first. I took a quick look at dShield and didn't see anything unusual there but I haven't checked MyNetWatchman yet.
Another issue to me with reports like this is how they can distinguish -- based on a SYN packet -- between probing for this vulnerability versus the constant tcp/445 scanning that goes on. Unless their system is letting these connection attempts go farther...Blake?

A quick look at the Windows 2000 "bill of materials" for this patch (MS05-027) suggests that something that goes over the srvsvc pipe got fixed...if that's reasonable (not sure), then these probes would need to be filtered to some extent on activity to that pipe.

(The BOM for 32-bit NT 5.1 and NT 5.2 only patches the lanmanserver kernel component, srv.sys; the NT 5.0 one also changes srvsvc.dll...hence, my wild guess...)

(Edit: note that several parties probably disassembled the changes in the binaries sometime after the patches were published...)

Philip Sloss

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to ghost16825

MVM

to ghost16825
Given I designed and built DeepSight with my partner (it was called Aris back then) I'll give you all the run down as to how it works later tonight as at the moment I'm a little short on time, but it can tell the difference between different attacks in detail.

Blake
psloss
Premium Member
join:2002-02-24

psloss

Premium Member

said by Link Logger:

Given I designed and built DeepSight with my partner (it was called Aris back then) I'll give you all the run down as to how it works later tonight as at the moment I'm a little short on time, but it can tell the difference between different attacks in detail.
Since I probably won't see this until tomorrow, I'll just say "thanks in advance, Blake."

Philip Sloss

z0ned
join:2002-07-27
Los Angeles, CA

z0ned to ghost16825

Member

to ghost16825
Essentially, real-time algorithms are used that trigger when the level of observed activity changes by a statistically significant amount from the level that was observed before. If you have ever studied any statistics, the way an event is discerned from a background is by, e.g., 3 sigma. This is highly simplified, but these are the basic workings. Then you reduce the sample in a variety of ways so that you have a few different perspectives. More than one metric is required to trigger before you call an alarm. Blake will surely go into more detail since he authored this. The knowledge I have is from attending a presentation once by the Senior Manager of DeepSight.
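The two-metric, 3-sigma trigger z0ned describes, as an added example that is not DeepSight's code or anything posted in this thread: the hourly tcp/445 attempt counts and distinct-source counts are constructed sample data, and the 24-hour window, the 3-sigma threshold and the "both metrics must agree" rule are assumptions chosen for illustration.

```python
"""Two-metric 3-sigma spike detector over constructed hourly tcp/445 counts."""
from statistics import mean, pstdev

# Constructed sample: (hour index, tcp/445 connection attempts, distinct source IPs).
# Hours 0-23 are a quiet baseline; hours 24-26 are the cases we want to classify.
QUIET_EVENTS = [98, 104, 101, 97, 103, 99, 102, 100, 96, 105, 101, 99,
                103, 98, 102, 100, 97, 104, 99, 101, 103, 98, 100, 102]
QUIET_SOURCES = [40, 42, 39, 41, 40, 43, 38, 41, 40, 42, 39, 40,
                 41, 38, 42, 40, 39, 41, 43, 40, 38, 42, 41, 40]
OBSERVATIONS = [(h, e, s) for h, (e, s) in enumerate(zip(QUIET_EVENTS, QUIET_SOURCES))]
OBSERVATIONS += [
    (24, 130, 41),   # one noisy scanner: event count jumps, source count does not
    (25, 410, 165),  # many new sources all hitting 445: both metrics jump
    (26, 101, 40),   # back to background noise
]


def z_score(value, values):
    """Standard score of `value` against the baseline `values` (population sigma)."""
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def classify(observations, window=24, threshold=3.0, min_metrics=2):
    """Return one verdict per hour that has a full baseline behind it.

    Each verdict is a dict: hour, z_events, z_sources, triggered (how many
    metrics crossed `threshold`) and alarm (True only when at least
    `min_metrics` did). Hours that tripped any metric are kept out of later
    baselines so a spike cannot inflate sigma and hide the next one.
    """
    suspect = set()
    verdicts = []
    for i, (hour, events, sources) in enumerate(observations):
        # the most recent `window` hours that were not themselves suspicious
        history = [observations[j] for j in range(i - 1, -1, -1) if j not in suspect][:window]
        if len(history) < window:
            continue  # not enough quiet history to form a baseline
        ze = z_score(events, [e for _, e, _ in history])
        zs = z_score(sources, [s for _, _, s in history])
        triggered = sum(z > threshold for z in (ze, zs))
        if triggered:
            suspect.add(i)
        verdicts.append({"hour": hour, "z_events": round(ze, 2), "z_sources": round(zs, 2),
                         "triggered": triggered, "alarm": triggered >= min_metrics})
    return verdicts


def alarm_hours(observations, **kwargs):
    """Hours where enough metrics moved together to call an alarm."""
    return [v["hour"] for v in classify(observations, **kwargs) if v["alarm"]]


if __name__ == "__main__":
    for v in classify(OBSERVATIONS):
        print(v)
```

Hour 24 trips only the event-count metric (one loud scanner), so it is logged as suspect but not alarmed; hour 25 trips both and raises the alarm.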
psloss
Premium Member
join:2002-02-24

1 edit

psloss

Premium Member

said by z0ned:

Essentially, real-time algorithms are used that trigger when the level of observed activity changes by a statistically significant amount from the level that was observed before. If you have ever studied any statistics, the way an event is discerned from a background is by, e.g., 3 sigma. This is highly simplified, but these are the basic workings. Then you reduce the sample in a variety of ways so that you have a few different perspectives. More than one metric is required to trigger before you call an alarm. Blake will surely go into more detail since he authored this. The knowledge I have is from attending a presentation once by the Senior Manager of DeepSight.
Do you recall if the system allows for verification via some empirical method? The other question would be if the system can differentiate between a single event and multiple, simultaneous ones. (For example, botnet "churn" could also contribute to spikes in traffic...)

Thanks,

Philip Sloss

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

1 edit

jvmorris

MVM

Ya know, at this rate, we're gonna have Blake up all night!

Not that this is anything unusual, of course!

CajunTek
Insane Cajun
Premium Member
join:2003-08-08
Arlington, TX

CajunTek to ghost16825

Premium Member

to ghost16825
So far... nothing on my logs from port 445. We'll see...

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris

MVM

But, of course, if what Symantec is talking about is targeted . . . either against websites or corporate WANS, you wouldn't be, would you?
psloss
Premium Member
join:2002-02-24

psloss to jvmorris

Premium Member

to jvmorris
said by jvmorris:

Ya know, at this rate, we're gonna have Blake up all night!

Not that this is anything unusual, of course!
That's why I signed off in advance!

Actually, yes/no works for me for these questions...I'm not sure this threat is going to be worth that much of Blake's time.

Philip Sloss

jvmorris
I Am The Man Who Was Not There.
MVM
join:2001-04-03
Reston, VA

jvmorris

MVM

Yes, that too. I've seen no other indications of this going on.

KPSlider
join:2000-09-17
Hurst, TX

KPSlider to techteam9

Member

to techteam9
said by techteam9:

Yikes, I too have seen massive amounts of traffic on 1025,1026,1027. Don Q
I've also seen in my router logs massive amounts of port probing on 1025, 1026 and 1027. They are mostly probes from Asian and China-based IPs. I've seen quite a lot from this ISP: »www.zoneedit.com/whois.h ··· 3.54.158. So what can we do to get this kind of crap to stop? Complain to the ISP who owns the IP?
I haven't seen anything yet on port 445

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 recommendation

Link Logger to ghost16825

MVM

to ghost16825
OK now that our Delphi Users Group meeting is finished, DeepSight.

DeepSight works with IDS (Intrusion Detection Systems) like Snort, so data which is fed into DeepSight contains packet level details, so we knew that an incident was TCP port 445, was a SYN packet of size x and contained packet signature z, etc. So what I'm saying is we received and processed data at the level of a packet inspecting IDS. So not only could we tell you for example that it was an RPC buffer overflow attack, but we could in a lot of cases tell you which worm (or even which worm version) it was, based on the packet signature (ie we could tell you if it was a Code Red 1 or Code Red 2 attack as the packet signature was different, so yes we can see multiple simultaneous events as different events). This differs significantly from other central reporting sites as they tend to limit themselves to firewall information (ie port/protocol). Also DeepSight ties the attack signature to BugTraq so we could see things like worm development time (ie release of exploit to release of worm), vendor analysis, OS and OS versions and such. Also given the huge number of sites contributing to DeepSight (businesses, ISPs, etc) and the demographics they also gave, we could see things like targeted attacks (ie financial sites get more scans/attacks than anyone else). As you can tell collecting all this information allows for tons of statistical analysis (PhD level people working on this) and trending (in realtime as well), so with DeepSight you can see a lot about the health of the internet and how it has changed over the years (ie currently there are about 15 billion incidents stored in the database). So DeepSight is about as advanced as data allows it to be.

When I designed Aris one of the things I was looking for was recon scans or beta releases of worms, such that we could predict impending attacks based on 'blips' on the trends, and we had found cases of those in the past, so perhaps someone at Symantec has noticed something that I have not seen here (frankly listening to the underground chat channels is likely a more accurate predictor).

Now while I will say I'm very proud of DeepSight, there are some weaknesses as there are in any system. Port reporting (ie data collected from firewalls) does work and in some cases better than IDS reporting as signatures are always an issue (lag time, accuracy, etc) and as such DeepSight has added firewall support so it can do firewall reporting as well. Firewall reporting catches some attacks sooner as the results can be seen sooner. For example I was one of the first to notice SQL Slammer, because I was watching port logging (and did a presentation on the evils of UDP port 1434 about 6 months earlier, I hope they were all listening), so I was able to post a warning on DSLReports about SQL Slammer before DeepSight's alarms went off. Also there are mathematical issues with realtime trending, sample size, time slices, etc which can raise havoc with any automatic system (I used to do some modeling in real time leak detection for gas pipelines, same issues). False positives, bogus data en masse, etc can taint any realtime trending, hence why I prefer the human touch, which of course brings up the biggest factor, people running the system, and Symantec does have some very good people, but they are hardly the only good people on the planet and the big reason I hang out at DSLReports is the great people who also hang out here and that Justin gives us a very nice place to meet and discuss with excellent moderators.

Have I missed anything?

Blake
donaldk
Premium Member
join:2000-10-19
Halifax, NS

donaldk to ghost16825

Premium Member

to ghost16825
To disable port 445 follow this EASY step.

Modify this reg DWORD found in the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

The name of the DWORD value is "SmbDeviceEnabled" (minus the quotes). Obviously, the value must be set to 0. Bye bye port 445 .

In fact my copy of Windows Server 2003 (being used for desktop use) has only the NTP ports open on boot, everything else is closed. Once MSIE has opened (or anything that uses the DNS service), then the DNS listening UDP port is also opened, otherwise my system is hush quiet with the ports (no firewall either).

Steps:
disable Netbios for TCPIP (knocks 135-139)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs\
"ListenOnInternet"="0" (REG_SZ)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole
"EnableDCOM"="Y" , default, yes certain programs need this like the network connections control panel
"EnableDCOMHTTP"="N"
"EnableRemoteConnect"="N"

Go to Start > Run, type in "C:\windows\system32\com\comexp.msc"

Once the DCOM MMC snap-in loads, click OK if a nag dialog box pops up (shouldn't on XP 5.1.2600, will on 5.2.3790)

Go to Console Root > Component Services > Computers > My Computer and right click the My Computer icon and select Properties. Select the Default Protocols tab and in the page select each protocol and click the Remove button for each. Be aware if for some reason you have a program that depends on DCOM over LAN then this will break its functionality; you will have to go into the protocol properties and adjust the settings that work best for you.

Also if UPnP and its SSDP service are enabled on your WinXP box, disable those services to shut 5000 and I think the SSDP sits on 4500 or something close to that number. If you are really paranoid, disable the Windows Time service and that will close the NTP ports; now you have a Windows box that boots up clean to the net with no ports open. Do this and have a firewall and inbound exploits are going to be pretty hard to carry out; this does not stop however any exploits carried out through legitimate pathways (like a webpage loading in MSIE causing a buffer overflow).

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to ghost16825

MVM

to ghost16825
[attached screenshots of port 445 trend charts, 2004 vs 2005]
This is actually a good time to compare 445 traffic to 445 traffic last year as there was a major event on 445 at about this time in 2004.

445 traffic here has actually been decreasing both in terms of number of scans and in number of systems scanning 445. Now this isn't to say that there isn't a new worm coming, as I would find it hard to believe that virus authors would pass up an exploit like this to infect surrounding systems from one which they were able to infect via an email borne attack (think of a corporate setting behind a firewall, infect one and then use a network based attack and you will get a lot more as you're now behind the firewall and in the land of naked systems), but as to a major internet attack, I think not for a couple of reasons. First any system that would be vulnerable to said exploit would have to be unpatched and exposed (meaning not hiding behind a firewall). Most of these systems are already infected and likely have an infection history (meaning they have been serially infected). Second even if your XP system is unpatched but you're hiding behind XP's firewall (or any other firewall) then you will not be vulnerable to a network based attack. So while this new exploit is very possible, the size of the attack pool isn't much bigger than what is already available in terms of exploitable port 445 systems. Of course you should always be security aware and ensure your defenses are on guard all the time, but I certainly don't see how a major worm could 'appear' on TCP Port 445 anymore. It's been pretty well a year since the last 'new' major network based worm (Sasser), so perhaps we are overdue, but I have my doubts that this will amount to much as 445 is already just about as infected as it can get given the current flavour of exploits out there.

Actually one of the things that I'm more interested in is the reemergence of ICMP scans (pings) in scan/attack patterns. I have seen an increase in this in June (not a large increase), so it appears that there is at least one virus/worm which is using pings to find systems to attack (wastes less time on protected IPs or systems which are not on).

Blake
psloss
Premium Member
join:2002-02-24

psloss to Link Logger

Premium Member

to Link Logger
said by Link Logger:

DeepSight works with IDS (Intrusion Detection Systems) like Snort, so data which is fed into DeepSight contains packet level details, so we knew that an incident was TCP port 445, was a SYN packet of size x and contained packet signature z, etc. So what I'm saying is we received and processed data at the level of a packet inspecting IDS.
Thanks for the elaboration. Since DeepSight uses both IDS data and "port reporting" (like DShield and myNetWatchman), do you know if Symantec's announcement is based purely on looking at IDS data?

Or am I being too cynical about other possible reasons why they announced this?

Philip Sloss

exocet_cm
Writing
Premium Member
join:2003-03-23
Brooklyn, NY

exocet_cm to ghost16825

Premium Member

to ghost16825
SANS picked it up.

»isc.sans.org/

Link Logger
MVM
join:2001-03-29
Calgary, AB

1 edit

Link Logger to psloss

MVM

to psloss
I suspect the indicator that they see is from IDS data, as there hasn't been any kind of port scan indicator that I can see on either DShield or myNetWatchman which would indicate a new attack is coming or is here. Likely the IDS data is showing that the new exploit is being used in the wild (or at least a beta version has been found).

I've kicked on a pot on 445 and generally I have not seen anything there which scares me yet (I've posted some of those attacks in another thread), however it is funny how many infected systems are behind firewalls (security issues existed between keyboard and user).

Blake

edit -> NOTE I'm not spending a lot of time watching this as I do have other items to deal with (ie I'm coding new apps), so don't be taking what I'm saying as someone who is 100% dedicated to watching second by second the evils of the internet, but from what I've looked at thus far, it's business as usual as far as scum traffic on 445 is concerned at my site.
Link Logger

Link Logger to ghost16825

MVM

to ghost16825
Someone else claiming there is an imminent attack »software.silicon.com/os/ ··· 5,00.htm

Were these just scans for open 445 ports or were they looking for open 445 ports with desired vulnerability, huge huge difference.

Blake