Just a quick word of caution: the MSI::HITME (HoneyPoint Internet Threat Monitoring Environment) is getting nailed by Conficker worm scans. New hosts (not seen in the last 24 hours) are probing the HITME every 5 minutes or so! Scanning for port 445/TCP is growing HUGELY, if not EXPONENTIALLY!
This is important to you for the following reasons if you are an IT person or Infosec person:
- The rate of spread is quite high. Likely, we will see Internet wide traffic impacts over the weekend or by early Monday if it continues at present growth rate.
- Even when it plateaus and tapers, this will mean a HUGE INCREASE in infected bot-net machines, likely comparable to Kraken or Storm.
- On Monday, you should be prepared for worm war. People who took their machines home and got infected over the weekend will be returning it to your office on Monday or when they come back to work. Look for scanning on a large scale in many organizations.
- You are likely to get “those calls” from a competitor or other company about “why is your network scanning mine” — always fun!
What can you do?
- HoneyPoint users (Personal Edition and Security Server) should deploy Linux or virtual decoy hosts (no Samba/CIFS) with a HoneyPoint listening on 445/tcp. (Note that you can't bind to 445 on Windows systems, because Windows is already using it to host the possibly vulnerable service.) Investigate any host that probes that open port.
- Make sure all servers and as many workstations as possible are patched! (do this NOW!!!!!)(Servers first!!!!)
- Make sure all AV is up to date. Most AV will catch the overt worm, though evolution and mutation seem likely.
- Prepare yourself and your team for the battle ahead.
- If you are a NAC person, pray to the various “NAC Daemons” that your solution actually works and is configured to actually protect you in this event.
- Obviously, make sure all of your Windows hosts are protected by a real firewall and that port 445 is NOT Internet exposed. (Goes without saying, but obviously not…)
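To show what the decoy-host advice above amounts to in practice, here is an added example (not HoneyPoint code, and not part of the original post): a bare TCP listener for the decoy port that logs every source that connects and flags sources not seen within the last 24 hours, the same "new host" notion used for the HITME numbers above. The port number, window, and log format are my own choices.

```python
import socket
import sys
import time
from datetime import datetime, timezone

NEW_HOST_WINDOW = 24 * 60 * 60  # 24 h: the "not seen" window used for the HITME figures


class ProbeTracker:
    """Remembers the last time each source address hit the decoy port."""

    def __init__(self, window=NEW_HOST_WINDOW):
        self.window = window
        self.last_seen = {}  # source IP -> epoch seconds of its most recent probe

    def record(self, src_ip, now=None):
        """Log one probe; return True if the source was not seen within the window."""
        now = time.time() if now is None else now
        prev = self.last_seen.get(src_ip)
        self.last_seen[src_ip] = now
        return prev is None or (now - prev) > self.window


def format_event(src_ip, port, is_new, ts):
    """One log line per probe; NEW-SOURCE lines are the ones to investigate first."""
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    tag = "NEW-SOURCE" if is_new else "repeat"
    return f"{stamp} {tag} {src_ip} probed tcp/{port}"


def serve(port=445, bind_addr="0.0.0.0", tracker=None, log=sys.stdout):
    """Accept connections on the decoy port, log the source, and drop them.

    The decoy never speaks SMB; it only records who knocked. Binding 445 needs
    root on Linux and will fail on Windows or on any host already running Samba.
    """
    tracker = tracker or ProbeTracker()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(64)
        while True:
            conn, (src_ip, _) = srv.accept()
            conn.close()  # a bare TCP accept is enough to catch the scan; no banner needed
            now = time.time()
            print(format_event(src_ip, port, tracker.record(src_ip, now), now),
                  file=log, flush=True)


if __name__ == "__main__":
    serve(port=int(sys.argv[1]) if len(sys.argv) > 1 else 445)
```

Run it as root on the decoy (or pass an unprivileged port for a dry run) and ship the log lines to wherever you watch for internal scanning.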
Please, pay attention to this one. It looks "Slammer/Code Red" nasty…
** 1/25 11:00 AM Eastern Update: After talking with many other folks on twitter and with some wonderful visualization help from @pophop, it appears that the growth is linear, AND NOT EXPONENTIAL. Much of the growth is coming from consumer broadband, especially Asia and Europe. Given the oddity of the source host increases and data from other scans, I am wondering if the infection scans for a while and then goes into a sleep mode to await further instructions. More analysis and such on Monday. Thanks to all for the help, especially @pophop and SANS **
SANS port activity plotter at:
Having a real TCP worm on the loose is something of a blast from the past.
TCP 445 HoneyPoints are very useful for detecting internal outbreaks. Worked for us.