Attackers may be planning an attack against Windows servers running a vulnerable domain name system service, according to security researchers.
A major spike in activity targeting TCP Port 1025 on Windows systems may be a sign of intelligence gathering for an upcoming attack against unpatched servers, Symantec warned.
Symantec's DeepSight threat network has seen a "pretty sizable" increase in the number of sensors that have registered events on port 1025, said Mimi Hoang, group product manager with the company's security response team.
"A normal level of activity would be 30 or so [source] IP addresses, give or take, with the number of events below 100," said Hoang. "But here we're seeing 1,400 to 1,500 IP addresses and more than 8,000 events.
"A spike like this doesn't happen without a reason," she said.
Hoang wouldn't definitively connect it with the Windows DNS Server Service vulnerability that Microsoft acknowledged last week, but she did say, "We suspect it's because any high port above 1024 is associated with Microsoft's RPC [Remote Procedure Call protocol]. And 1025 is the first open port used by RPC."
The bug in Windows 2000 Server and Windows Server 2003 can be exploited by sending a malicious RPC packet via port 105 or higher. Microsoft, in fact, has recommended that businesses block all inbound unsolicited traffic on ports 1024 and greater.
"Considering the recent Microsoft Windows DNS Remote Procedure Call Interface Vulnerability, this traffic spike may be associated with scanning and intelligence gathering aimed at assessing available Windows RPC endpoints," Symantec's warning said. "The traffic may also be indicating an increase in exploit attempts over TCP 1025, although this has not been verified at the time of this writing."
Hoang reiterated that Symantec has not confirmed any link between the port activity and actual exploits.
Exploits, however, continue to proliferate, Symantec and other security organisations said. Florida-based Immunity has released an exploit for the DNS server bug for its Canvas penetration-testing framework, putting the total of publicly posted exploits at five. One recent exploit reportedly uses TCP and UDP Port 445, which Microsoft recommended blocking only yesterday.
Researchers are positing additional attack strategies, in part because the normal routes through client PCs running Windows 2000, Windows XP or Windows Vista aren't available.
Maarten Van Horenbeeck, one of the analysts in SANS Institute's Internet Storm Center, noted that hosting service servers running Windows 2003 Server may be at risk because although they run DNS services as well as others - HTTP and FTP, for example - they're usually not shielded by a separate firewall. Active Directory servers may be in danger, too, said Van Horenbeeck.
"Active directory servers hosted on the internal network are often combined with DNS functionality," Horenbeeck said in an ISC research note. "These machines are usually less protected than DMZ DNS servers, and other functionality provisioned may require the RPC ports to be available. If your active directory server is compromised, the game is essentially over."
Microsoft has said several times that it is working on a patch, but it has not yet committed to a release date. The company's next scheduled patch day is three weeks away, on 8 May.