JPCERT-AT-2009-0002
JPCERT/CC
2009-02-05
<<< JPCERT/CC Alert 2009-02-05 >>>
Increased activity targeting TCP port 445
http://www.jpcert.or.jp/at/2009/at090002.txt
I. Overview
JPCERT/CC Internet Scan Data Acquisition System (ISDAS) has observed
that scans against TCP port 445 have been increasing since late
December of 2008. Although the cause of these scans has not been
identified yet, they may be infection attempts by worms exploiting a
Server service vulnerability in Microsoft Windows products (MS08-067),
for which a security update was released last year.
These worms may spread via scans and removable storage devices such
as USB memory. Since scans mainly from inside Japan have been
increasing for the last several days, infection may be spreading in
Japan.
II. Observation status
For the TCP port 445 scan trends observed by ISDAS, refer to the
following website:
ISDAS graph for TCP port 445 (2008/12/05-2009/02/04)
http://www.jpcert.or.jp/isdas/2009/20081205-0204_445_port.png
III. Solution
Users of the services running on TCP port 445 are recommended to
consider taking the following countermeasures:
1) When using a Microsoft Windows product, apply the security
update according to "IV. References".
2) In order to prevent secondary damage from virus infection,
restrict packets from internal to external TCP port 445.
For worms spreading recently, the following should also be
considered:
3) Not to use a vulnerable password for system and network
authentication.
4) Be careful about handling of removable storage devices such as
USB memory
IV. References
Vulnerability in Microsoft Server Service
http://www.jpcert.or.jp/at/2008/at080018.txt
Microsoft
Microsoft Security Advisory (958963)
http://www.microsoft.com/technet/security/advisory/958963.mspx
Japan Vulnerability Notes JVNTA08-297A
Microsoft Windows Server service buffer overflow vulnerability
http://jvn.jp/cert/JVNTA08-297A/index.html
Microsoft Japan Security Team
Summary of Conficker (Downadup) worms
http://blogs.technet.com/jpsecurity/archive/2009/01/24/3191000.aspx
Internet Scan Data Acquisition System (ISDAS)
http://www.jpcert.or.jp/isdas/
If you have any information you could provide regarding this alert,
please contact us.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: 03-3518-4600 FAX: 03-3518-4602
http://www.jpcert.or.jp/
Top