
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


Cyber Security Awareness Month - Day 1 - Port 445 - SMB over TCP

Published: 2009-09-30
Last Updated: 2009-10-01 20:43:23 UTC
by Chris Carboni (Version: 1)
6 comment(s)

Port 445 provides SMB over TCP. From Microsoft: "Windows supports file and printer sharing traffic by using the Server Message Block (SMB) protocol directly hosted on TCP. This differs from earlier operating systems, in which SMB traffic requires the NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport."
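The difference between "directly hosted" SMB on port 445 and SMB carried over the NetBIOS session service on port 139 is only a few bytes of framing, which is worth seeing on the wire. The following is an added example written for this diary (not Microsoft's or ISC's code): it builds a constructed SMB1 NEGOTIATE request, wraps it in both transports, parses each framing back, and shows that port 139 additionally needs a NetBIOS Session Request carrying encoded NetBIOS names before any SMB flows. Header layouts follow MS-CIFS/MS-SMB2 and RFC 1001/1002; the host names and the command offsets beyond the first header fields are illustrative.

```python
"""Frame one SMB message for TCP/445 (direct-hosted) and TCP/139 (NetBIOS session service).

Added example, not code from the diary or from Microsoft. The SMB1 NEGOTIATE request
and the NetBIOS names are constructed here purely as sample input.
"""
import struct

# NetBIOS session service packet types (RFC 1002 section 4.3.1).
NBT_TYPES = {0x00: "session message", 0x81: "session request", 0x82: "positive response",
             0x83: "negative response", 0x84: "retarget", 0x85: "keep-alive"}


def build_smb1_negotiate() -> bytes:
    """Constructed SMB1 NEGOTIATE request offering a single dialect (sample payload)."""
    # 32-byte SMB1 header: magic, Command = SMB_COM_NEGOTIATE (0x72), remaining fields zeroed.
    header = b"\xffSMB" + bytes([0x72]) + b"\x00" * 27
    dialects = b"\x02NT LM 0.12\x00"          # one Dialect: BufferFormat 0x02 + NUL-terminated name
    # WordCount = 0, then ByteCount (little-endian) and the dialect list.
    return header + b"\x00" + struct.pack("<H", len(dialects)) + dialects


def frame_direct_tcp(message: bytes) -> bytes:
    """Port 445 framing (MS-SMB2 2.1): one zero byte + 24-bit big-endian length."""
    return b"\x00" + len(message).to_bytes(3, "big") + message


def frame_nbt_session(message: bytes) -> bytes:
    """Port 139 framing (RFC 1002 4.3.1): TYPE 0x00, FLAGS (E bit adds 65536), 16-bit length."""
    length = len(message)
    flags = 0x01 if length >= 0x10000 else 0x00
    return struct.pack("!BBH", 0x00, flags, length & 0xFFFF) + message


def nbt_encode_name(name: str, suffix: int) -> bytes:
    """First-level encoding (RFC 1001 14.1): pad to 15 chars, append the suffix byte,
    then emit each nibble as 'A' + nibble. Result is 0x20 + 32 chars + 0x00."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    encoded = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + encoded + b"\x00"


def build_nbt_session_request(called: str, calling: str) -> bytes:
    """NetBIOS Session Request (type 0x81): what a port-139 client must send before SMB.
    Suffix 0x20 = server service, 0x00 = workstation service."""
    body = nbt_encode_name(called, 0x20) + nbt_encode_name(calling, 0x00)
    return struct.pack("!BBH", 0x81, 0x00, len(body)) + body


def parse_direct_tcp(data: bytes) -> bytes:
    """Return the SMB message inside a port-445 frame; reject anything else."""
    if len(data) < 4 or data[0] != 0x00:
        raise ValueError("not a direct-hosted SMB frame")
    length = int.from_bytes(data[1:4], "big")
    if len(data) < 4 + length:
        raise ValueError("truncated frame")
    return data[4:4 + length]


def parse_nbt_session(data: bytes):
    """Return (packet type name, payload) for one NetBIOS session-service packet."""
    if len(data) < 4:
        raise ValueError("short NBT header")
    typ, flags, length = struct.unpack_from("!BBH", data)
    if typ not in NBT_TYPES:
        raise ValueError("unknown NBT packet type 0x%02x" % typ)
    if flags & 0x01:
        length += 0x10000
    if len(data) < 4 + length:
        raise ValueError("truncated NBT packet")
    return NBT_TYPES[typ], data[4:4 + length]


def classify_smb(message: bytes):
    """Identify the SMB generation and command from the first header bytes."""
    magic = message[:4]
    if magic == b"\xffSMB" and len(message) >= 32:
        return "SMB1", message[4]                                  # 1-byte Command; 0x72 = NEGOTIATE
    if magic == b"\xfeSMB" and len(message) >= 64:
        return "SMB2", struct.unpack_from("<H", message, 12)[0]   # 2-byte Command at offset 12; 0 = NEGOTIATE
    if magic == b"\xfdSMB":
        return "SMB3 transform (encrypted)", None
    return "unknown", None


if __name__ == "__main__":
    msg = build_smb1_negotiate()
    print("445:", frame_direct_tcp(msg)[:4].hex(), classify_smb(parse_direct_tcp(frame_direct_tcp(msg))))
    print("139:", parse_nbt_session(build_nbt_session_request("FILESRV01", "WKS-42"))[0],
          "then", parse_nbt_session(frame_nbt_session(msg))[0])
```

Note that a short port-445 frame also parses cleanly as an NBT "session message" (TYPE 0, FLAGS 0, 16-bit length): Microsoft kept the two framings compatible, and what actually changes on 445 is that no Session Request with NetBIOS names precedes the SMB traffic and the length field grows to 24 bits.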

If not at the top of the list, port 445 is always somewhere in the Top 10 lists generated from DShield data for targets, sources and reports. A quick look at the activity graph shows a huge number of systems scanning from, and being scanned on, port 445. This has become much of the background noise of the Internet.

And it's no wonder.  How many worms and bots can you think of off the top of your head that use 445 to scan or exploit other systems?

If you're reading this diary, then hopefully you already know to block port 445 at your firewall. If, for some reason, you didn't know to do this, stop what you're doing and block it now. I'll wait. :)

Blocking 445 at the firewall is relatively easy and solves many problems. The real issue with 445 is internal.

Port 445 needs to be open inside Windows environments, and that makes it a prime conduit for the internal spread of malware.

So what can you do to protect yourself?  If you have a good way to limit internal traffic on port 445 in your network, send us a note or leave a comment and I'll post interesting notes as they come in.

Tracy sent a note mentioning one of my favorite ways to mitigate the exposure from 445 being open internally: HIPS.

He writes,

There are several great tools out there that you can use; my preference is a host-based IPS (HIPS). Depending on the maker of the product, you have a wide array of options that you can use to keep the system safe. Some HIPS programs provide buffer overflow protection for processes that are standard in MS Windows; they can detect scans of the machine and block all traffic from a host for a period of time. Adding in the fact that they can also get signature updates and create custom signatures, this product gives you the best LAN protection while maintaining a well-balanced CIA pyramid.

Well said.  Thanks Tracy!
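The scanning behaviour described earlier in this diary (one source fanning out to many hosts on 445) and the HIPS response Tracy mentions (detect the scan, then block the host for a period) are simple enough to show in a few lines. The following is an added example, not ISC, DShield or any HIPS vendor's code: it runs a fan-out detector over constructed flow records, separates Internet background noise from an internal host spreading laterally, and applies a timed block. The 60-second window, the 10-peer threshold, the 600-second block and the RFC 1918 definition of "internal" are assumptions to be tuned for a real network.

```python
"""Flag hosts that fan out on TCP/445 and block them for a fixed period.

Added example for this diary, not ISC or DShield code. SAMPLE_FLOWS is constructed
for the example; window, threshold and block duration are assumptions.
"""
from collections import defaultdict
import ipaddress

# Constructed flow records: (epoch seconds, source IP, destination IP, destination port).
SAMPLE_FLOWS = (
    # External host sweeping an internal /24 on 445: the Internet background noise.
    [(1000 + i, "203.0.113.7", f"10.0.0.{i + 1}", 445) for i in range(12)]
    # Internal workstation probing its neighbours on 445: a worm spreading inside.
    + [(2000 + i, "10.0.0.23", f"10.0.0.{i + 100}", 445) for i in range(15)]
    # Normal client: many connections, but all to the one file server.
    + [(3000 + i, "10.0.0.50", "10.0.0.5", 445) for i in range(40)]
    # Unrelated traffic on another port; must not count.
    + [(3000 + i, "10.0.0.50", f"10.0.0.{i + 1}", 80) for i in range(20)]
)

# Assumed internal address space: RFC 1918 only (ipaddress.is_private is wider than that).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_smb_scanners(flows, window=60, min_peers=10):
    """Return {src: {"peers", "internal", "first_seen"}} for every source that contacts
    at least min_peers distinct destinations on TCP/445 inside one window-second bucket."""
    buckets = defaultdict(lambda: defaultdict(set))   # src -> window start -> {dst}
    first_seen = {}
    for ts, src, dst, dport in flows:
        if dport != 445:
            continue
        buckets[src][ts - ts % window].add(dst)
        first_seen[src] = min(ts, first_seen.get(src, ts))
    hits = {}
    for src, windows in buckets.items():
        busiest = max(len(dsts) for dsts in windows.values())
        if busiest >= min_peers:
            hits[src] = {"peers": busiest, "internal": is_internal(src),
                         "first_seen": first_seen[src]}
    return hits


class TimedBlocklist:
    """Block a source for block_seconds after it is flagged; entries expire on their own."""

    def __init__(self, block_seconds=600):
        self.block_seconds = block_seconds
        self._until = {}

    def block(self, src: str, now: int) -> int:
        self._until[src] = now + self.block_seconds
        return self._until[src]

    def is_blocked(self, src: str, now: int) -> bool:
        until = self._until.get(src)
        if until is None:
            return False
        if now >= until:
            del self._until[src]          # block has expired; the host gets another chance
            return False
        return True


def respond(flows, now, blocklist=None):
    """Detect scanners and block them; returns (scanner report, blocklist)."""
    blocklist = blocklist or TimedBlocklist()
    scanners = find_smb_scanners(flows)
    for src in scanners:
        blocklist.block(src, now)
    return scanners, blocklist


if __name__ == "__main__":
    report, bl = respond(SAMPLE_FLOWS, now=4000)
    for src, info in sorted(report.items()):
        where = "INTERNAL (lateral spread)" if info["internal"] else "external (background noise)"
        print(f"{src}: {info['peers']} distinct peers on 445, first seen {info['first_seen']}, {where}")
```

The internal hit is the one that matters: the external scanner should already be stopped by the perimeter firewall, while 10.0.0.23 is the case where the perimeter rule does nothing and a host-based control has to act.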


Christopher Carboni - Handler On Duty


To install AV, or Malware - That is the Question

Published: 2009-09-30
Last Updated: 2009-09-30 16:37:33 UTC
by David Goldsmith (Version: 1)
0 comment(s)

Yesterday we posted a diary about the official release of Microsoft's new Security Essentials product.  Today we got a tip about a Websense blog entry alerting folks that they are already seeing Search Engine Optimization (SEO) poisoning attacks that have resulted in malicious URLs being included in the list of results when people search for "Microsoft Security Essentials".

While there *might* be some other sites offering legitimate copies of the installation files, you really should go directly to Microsoft's Security Essentials site to download the installer, so you can be sure you are getting the expected software.


Microsoft Security Essentials AV

Published: 2009-09-30
Last Updated: 2009-09-30 01:59:48 UTC
by Mark Hofman (Version: 1)
6 comment(s)

Microsoft Security Essentials (MSE) hit the streets today (Thanks Kia for the heads up).  So I thought we'd have a quick look at it and let you know how it goes.

MSE replaces the OneCare offering and the free Defender that ships standard on Vista. It provides malware detection and removal ONLY, so do not rely on it as your one-stop shop for security. It does not have the features and functionality that many AV vendors provide in their products. Think of it as AV as it used to be in 2000 or so.

There is no central management, and updates come from Windows Update (from the looks of it, not from WSUS).

The install is straightforward. After downloading it (approx. 8 MB), run the installer and follow the yellow brick road. It does a genuine-product check, and after installation it goes and updates itself. I had trouble getting it to update from behind a proxy server, but I suspect that was a local issue. Going direct, it updates and applies the latest signatures. Reportedly there will be three updates per day on average.

Detection rates seem quite good. It seems to have found most of the things on a test malware drive. I have to check more closely whether it missed anything and, if so, why.

There are plenty of people who don't want to pay for AV; we all have one or more in the family. This will plug that gap, assuming the Windows version being used is legitimate.


Mark H
