ThreatIndex Unchanged at 1: MS08-067

By: Jose

Symantec has raised their ThreatCon to 2, citing:

The ThreatCon is at level 2. Symantec Threat Management System sensors are observing a dramatic rise in IPs attacking TCP port 445. This activity is corroborated by activity on our honeypot systems. Currently this activity appears to be related to the exploitation of the vulnerability addressed by the Microsoft security bulletin MS08-067.

MS08-067 is indeed a serious vulnerability, and English-language vulnerability/exploit specifics have been made available and are making the rounds. So why hasn’t Arbor raised its ThreatIndex?

In our ATLAS system, we’re not seeing this rise, not on TCP port 445 and not on TCP port 139. Looking over the last month, we don’t see a rise in MS08-067 attacks that would raise any alarms for us. Here are the attacks on TCP port 445 from ATLAS for the past month, grouped by source country:

[Figure: tcp_445_attacks_1mo.png, attacks on TCP port 445 over the past month, grouped by source country]

That rise in the past few days corresponds to attacks on older vulnerabilities, specifically CVE-2005-1935 and CVE-2003-0818; we’re not seeing any significant activity on CVE-2008-4250 (MS08-067).

Until we do, we’ll keep it at ThreatIndex 1.
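
The distinction drawn above, a rise in port 445 volume versus a rise in a specific signature, shown as an added example (not Arbor's or ATLAS's code). The event tuples, counts, window sizes and the 2x threshold are constructed assumptions; only the ports and CVE identifiers come from the post.

```python
from collections import defaultdict

# Constructed sample: (day_index, dst_port, signature_cve, event_count).
# Days 0-26 form the baseline; days 27-29 are the "past few days".
def build_sample():
    events = []
    for day in range(30):
        recent = day >= 27
        events.append((day, 445, "CVE-2005-1935", 900 if recent else 200))
        events.append((day, 445, "CVE-2003-0818", 600 if recent else 150))
        events.append((day, 445, "CVE-2008-4250", 6 if recent else 5))
        events.append((day, 139, "CVE-2003-0818", 40))
    return events

def daily_rates(events, port, last_day, recent_days):
    """Per-signature mean daily count for the baseline and recent windows."""
    cutoff = last_day - recent_days + 1   # first day of the recent window
    base, recent = defaultdict(int), defaultdict(int)
    for day, dst_port, cve, count in events:
        if dst_port != port:
            continue
        (recent if day >= cutoff else base)[cve] += count
    base_days = cutoff                    # baseline covers days 0 .. cutoff-1
    return {cve: (base[cve] / base_days, recent[cve] / recent_days)
            for cve in set(base) | set(recent)}

def attribute_rise(events, port, last_day=29, recent_days=3, factor=2.0):
    """Return (port_level_rise, signatures whose daily rate rose >= factor)."""
    rates = daily_rates(events, port, last_day, recent_days)
    base_total = sum(b for b, _ in rates.values())
    recent_total = sum(r for _, r in rates.values())
    port_rise = recent_total >= factor * base_total
    # Floor the baseline at 1 event/day so a near-zero baseline does not
    # flag a signature on a handful of events.
    rising = sorted(cve for cve, (b, r) in rates.items()
                    if r >= factor * max(b, 1.0))
    return port_rise, rising

if __name__ == "__main__":
    port_rise, rising = attribute_rise(build_sample(), 445)
    print("port 445 rise:", port_rise)
    print("signatures driving it:", rising)
```

A port-level alarm alone would fire on this sample; the per-signature breakdown shows the rise comes from the two older CVEs while CVE-2008-4250 stays flat.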

Comments

  1. Do you know if these attacks target NT4 systems?
