Most attacks still through port 135 and port 445 - how to act...

Hi malware fighters,

Most attacks against networks is still being performed through port 135 and port 445,

this according to statistics provided by SRI International, that tracks daily attack traffic.

Re: http://wasp.csl.sri.com/releases/malware-analysis/public/

During a 551 days’ period more than 16.000 botnet-attacks were found.

SRI was also responsible for a in depth analyzing of Conficker worm.

Re: http://mtc.sri.com/Conficker/

The ‘Honeynet and BotHunter Malware Analysis Automatic Summary Analysis Table’ from this research institute

is a handy source for system admins and IT-professionals alike where new malware is concerned,

for blocking Command & Control servers and formulating intrusion detection rules.

Re: http://wasp.csl.sri.com/releases/malware-analysis/public/

The standard closure of these ports, also known as Microsoft DCE locator (135)

and Microsoft Directory Services (445), merely is an option, because also quite some legit

traffic is run over thee ports.

Blocking

"We can block this traffic naturally on our external boundary, but that does not prevent

malware propagation on the network itself, for instance when someone comes to the job

with an infected laptop or USB-stick or other peripherals to form a source of infection",

according to an anonymous IT-expert that commented on the issue.

"Then also it is not only about blocking, but also about detecting.

Just imagine a system within the network has a Conficker worm infection,

then this cannot contact an external malicious host

because this traffic is being dropped by access-lists.

We still are constantly monitoring trials to reach that particular host,

because we wanna know what systems are infected.

Same can be said about the Command & Control servers of other botnets,

and all further traffic that is being caused by existing malware infestations."

Home users can often just disable these ports, using the freeware “Windows Worm Doors Cleaner” (wwdc.exe).

Download: http://www.softpedia.com/progDownload/Windows-Worms-Doors-Cleaner-Download-107294.html

“Safely” disables ports DCOM/RPC 135, RPC Locator 445, NetBIOS 137/8/9, UPnP 5000, Messenger (NetBIOS RPC).

You could enable it whenever you need something to run over these ports.

Blocking traffic is not the only thing you want to do, you will like to know what systems generate the traffic.

There you want to know whether it is normal traffic or malicious related malcode traffic.

This info will not only aid towards access control, but also serve as input for monitoring routers, firewalls,

intrusion detection systems and vulnerability scanners to make logged acl regels or custom signatures.

Going from this information incidents can be listed to be spread amongst security departments responsible

for infected sytems. This often is for malware not earlier detected by an av-scanner,

or for hosts that do have a bad-functioning or not actual av solution,

polonus