myNetWatchman KnowledgeBase

Pooling knowledge to
secure the internet.


Protocol: TCP
Port: 445
Description: Microsoft Networking (Windows 2000/XP)

TCP port 445 is used for *direct-hosted* Microsoft Networking (SMB) access. More specifically, it carries SMB directly over TCP/IP WITHOUT the NetBIOS session layer that the older tcp/139 path depends on. This service is only implemented in the more recent versions of Windows (e.g. Windows 2000 and XP).

2004-05-01 - W32.Sasser worm released:

See: W32.Sasser

Hosts that generate port probing to this port are usually worm infected. The most recent worm released with this pattern is the W32.Deloader worm (see below). Most anti-virus vendors didn't release anti-virus definitions until 2-3 days after the worm appeared, allowing even anti-virus protected systems to become infected.

Additionally, because Deloader uses a much more extensive password list in its password-guessing routine, we are seeing it spread more widely than earlier worms using this same technique. We are also seeing firewall-protected networks become infected by way of mobile laptops, AOL connections and other VPN connections, in much the same manner as the Opaserv worm; see: udp/137
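The probing pattern described above can be picked out of connection logs mechanically. The script below is an added example, not code from the original myNetWatchman page or its tools. It reads constructed firewall-style log lines in an assumed format (`<epoch> <src_ip> <dst_ip> <proto>/<dport>`), keeps only tcp/445 attempts, and flags any source that reaches an assumed threshold of distinct destinations inside a sliding time window. Because worms usually walk address ranges in order while a normal SMB client talks to a handful of servers repeatedly, it also reports how sequential the flagged host's targets were, which helps separate a worm from a quieter, hand-driven scan.

```python
"""Flag hosts whose tcp/445 connection attempts look like worm scanning.

Added example (not code from the original page). A worm-infected host
probes tcp/445 on many distinct addresses in a short time, usually walking
ranges sequentially; a normal SMB client talks to a few file servers
repeatedly. The log format and the thresholds below are assumptions made
for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed tuning values: 20 distinct targets inside any 60-second window.
THRESHOLD_DISTINCT = 20
WINDOW_SECONDS = 60


def constructed_log():
    """Constructed sample log lines: '<epoch> <src_ip> <dst_ip> <proto>/<dport>'."""
    base = 1083400000  # arbitrary epoch in 2004
    lines = []
    # 10.0.0.7: worm-like, walks 192.168.1.1 .. 192.168.1.30 one host per second
    for i in range(1, 31):
        lines.append(f"{base + i} 10.0.0.7 192.168.1.{i} tcp/445")
    # 10.0.0.20: normal client, alternates between two file servers
    for i in range(30):
        server = "192.168.1.100" if i % 2 == 0 else "192.168.1.101"
        lines.append(f"{base + i} 10.0.0.20 {server} tcp/445")
    # 10.0.0.9: hits 25 scattered /24s (non-sequential targets) within 48 seconds
    for i in range(25):
        third, fourth = (i * 37) % 200 + 1, (i * 53) % 250 + 1
        lines.append(f"{base + 2 * i} 10.0.0.9 192.168.{third}.{fourth} tcp/445")
    # traffic on other ports and comment lines are ignored by the detector
    lines.append(f"{base + 5} 10.0.0.7 192.168.1.5 udp/137")
    lines.append("# comment lines are skipped")
    return lines


def parse_line(line):
    """Split one log line into (epoch, src, dst, proto, dport)."""
    ts, src, dst, svc = line.split()
    proto, port = svc.split("/")
    return int(ts), src, dst, proto.lower(), int(port)


def find_scanners(lines, port=445, window=WINDOW_SECONDS, threshold=THRESHOLD_DISTINCT):
    """Return {src: {'distinct_targets': n, 'sequential_fraction': f}} for every
    source that reached at least `threshold` distinct destinations on tcp/`port`
    within any `window`-second span."""
    events = defaultdict(list)  # src -> [(epoch, dst as int), ...]
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = parse_line(line)
        if proto != "tcp" or dport != port:
            continue
        events[src].append((ts, int(ipaddress.ip_address(dst))))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best_targets = set()
        j = 0
        for i in range(len(evs)):
            # advance the window start so evs[j..i] spans at most `window` seconds
            while evs[i][0] - evs[j][0] > window:
                j += 1
            targets = {dst for _, dst in evs[j:i + 1]}
            if len(targets) > len(best_targets):
                best_targets = targets
        if len(best_targets) >= threshold:
            # fraction of adjacent (sorted) targets that differ by exactly one address
            ordered = sorted(best_targets)
            steps = [b - a for a, b in zip(ordered, ordered[1:])]
            seq = sum(1 for s in steps if s == 1) / len(steps) if steps else 0.0
            flagged[src] = {"distinct_targets": len(best_targets),
                            "sequential_fraction": round(seq, 2)}
    return flagged


if __name__ == "__main__":
    for src, info in sorted(find_scanners(constructed_log()).items()):
        print(f"{src}: {info['distinct_targets']} targets in {WINDOW_SECONDS}s, "
              f"sequential fraction {info['sequential_fraction']}")
```

Run as-is it flags 10.0.0.7 (30 targets, fully sequential) and 10.0.0.9 (25 targets, not sequential) and leaves the ordinary client 10.0.0.20 alone. The window matters: a host that spreads the same probes over many minutes will not cross the threshold, so when hunting for the "quiet" intrusions mentioned later on this page, lengthen the window or lower the threshold and expect more manual review of the results.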

This port is also a common target for Warez hackers who seek to turn your PC into a public file server (a "Pubstro"). If anti-virus scans don't find a problem, you'll have to do a manual forensic analysis to identify a possible Pubstro compromise, as shown here: mNW Pubstro Analysis Guide

2003-03-09 - W32.Deloader worm Released:

See: W32.Deloader Worm

2002-12-14 - IraqiWorm (aka iraq_oil, Lioten):

See: mNW Alert: IraqiWorm exploits Microsoft Null Sessions

CRITICAL: Other potential issues

Null Session attacks (anonymous connections to the IPC$ share) are a very old technique and have been used by hacker groups for years, for example to compromise machines and turn them into Warez servers or DDoS zombies. The big difference is that those groups keep their activity relatively quiet so as not to draw attention to themselves, unlike the IraqiWorm, which is very noisy.

All of the IraqiWorm-infected systems we analyzed had MULTIPLE issues and had either Warez or DDoS agents installed on them as well.

Because anti-virus products do NOT detect Warez activity, we strongly suggest you do a full, manual forensic analysis of IraqiWorm-infected systems to identify the full extent of the compromise.

See: mNW Guide: Detecting Pubstro Activity