Symantec Global internet Security threat report
Table 18. Propagation mechanisms
Source: Symantec
- File transfer, CIFS
- File transfer, email attachment
- Remotely exploitable vulnerability
- File sharing, P2P
- File transfer, HTTP, embedded URI, instant messenger
- Back door, Kuang2
- Back door, SubSeven
- File sharing, data files
In 2009, 42 percent of malicious code that propagated did so through the CIFS protocol, up from 30 percent in 2008. Propagation through the CIFS protocol overtook propagation through email in 2009. The increase may be linked to the diversification of mechanisms discussed above. Three of the top 10 malicious code threats for 2009 employed the CIFS propagation mechanism, up from two in 2008. These include the Downadup, Mabezat and Almanahe worms.
The CIFS propagation mechanism can be a threat to organizations because file servers use CIFS to give users access to their shared files. If a computer with access to a file server becomes infected by a threat that propagates through CIFS, the infection could spread to the file server. Since multiple computers within an organization likely access the same file server, this could facilitate the rapid propagation of the threat within the enterprise. Once malicious software has infected a single computer through any other propagation method, such as email or a malicious website, the CIFS propagation method can rapidly spread the infection throughout an entire organization. This is increasingly becoming a threat to home environments as well, because home networks with multiple devices are becoming more commonplace.
To protect against threats that use the CIFS protocol to propagate, all shares should be protected with strong passwords, and only users who require the resources should be given access to them. If other users do not need to write to a share, they should be given only "read" permissions. This will prevent malicious code from copying itself to the shared directory or modifying shared files. Finally, CIFS shares should not be exposed to the Internet. Blocking TCP port 445 at the network boundary will help to protect against threats that propagate using CIFS.[169]
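The two paragraphs above describe the exposure (a writable share reachable by many hosts) and the controls (least-privilege share permissions, read-only where possible, no Internet exposure). The following script is an added example, not Symantec's code or anything from the report: it audits a Samba-style smb.conf for exactly those conditions and emits a hardened copy. The smb.conf text is constructed for illustration. It assumes Samba's documented defaults ("read only" defaults to yes, "writable"/"writeable" are its inverse, "guest ok"/"public" default to no, and an empty "valid users" lets every authenticated user connect); per-share option precedence is modelled in simplified form.

```python
"""Audit a Samba (CIFS/SMB) configuration for settings that let a
CIFS-propagating worm write itself onto a share, then emit a hardened copy.

Added example; not code from the report. The smb.conf below is constructed.
Assumed Samba semantics: 'read only' defaults to yes, 'writable'/'writeable'
invert it, 'guest ok'/'public' default to no, empty 'valid users' = anyone.
"""
import configparser
from dataclasses import dataclass
from typing import List

TRUE_VALUES = {"yes", "true", "1"}
WRITE_KEYS = ("writable", "writeable", "write ok")
GUEST_KEYS = ("guest ok", "public")

# Constructed sample configuration (hypothetical shares and paths).
SAMPLE_SMB_CONF = """
[global]
   workgroup = CORP
   hosts allow =
[public]
   path = /srv/public
   guest ok = yes
   read only = no
[finance]
   path = /srv/finance
   valid users = @finance
   read only = yes
[software]
   path = /srv/software
   writable = yes
[printers$]
   path = /var/spool/samba
   browseable = no
"""


@dataclass
class Finding:
    share: str
    issue: str
    fix: str


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf syntax; Samba uses %-macros, so interpolation is off."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    # Strip the indentation smb.conf files use so no line reads as a continuation.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def is_true(section, key: str, default: bool = False) -> bool:
    if key not in section:
        return default
    return section[key].strip().lower() in TRUE_VALUES


def share_is_writable(section) -> bool:
    """Last of 'read only' / 'writable' wins, as in Samba; default read only."""
    writable = False
    for key, value in section.items():
        if key in WRITE_KEYS:
            writable = value.strip().lower() in TRUE_VALUES
        elif key == "read only":
            writable = value.strip().lower() not in TRUE_VALUES
    return writable


def audit_smb_conf(text: str) -> List[Finding]:
    cp = parse_smb_conf(text)
    findings: List[Finding] = []
    if "global" not in cp or not cp["global"].get("hosts allow", "").strip():
        findings.append(Finding("global",
                                "no 'hosts allow' restriction: shares reachable from any address",
                                "restrict 'hosts allow' to internal ranges and block TCP 445 at the boundary"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        if any(is_true(s, k) for k in GUEST_KEYS):
            findings.append(Finding(name, "guest access enabled: no password needed to connect",
                                    "set 'guest ok = no' and require authenticated users"))
        if share_is_writable(s):
            restricted = s.get("valid users", "").strip() or s.get("write list", "").strip()
            if restricted:
                findings.append(Finding(name, f"writable by {restricted}: an infected host in that group can drop files here",
                                        "confirm every member needs write access"))
            else:
                findings.append(Finding(name, "writable by every user who can connect",
                                        "set 'read only = yes' and grant writes via 'write list'"))
    return findings


def harden(text: str) -> str:
    """Return a copy with guest access off and every share read only; callers
    add a 'write list' for the few users who genuinely need to write."""
    cp = parse_smb_conf(text)
    out = []
    for name in cp.sections():
        opts = dict(cp[name].items())
        if name != "global":
            for k in GUEST_KEYS + WRITE_KEYS:
                opts.pop(k, None)
            opts["guest ok"] = "no"
            opts["read only"] = "yes"
        out.append(f"[{name}]")
        out.extend(f"   {k} = {v}" for k, v in opts.items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{f.share}] {f.issue} -> {f.fix}")
    print(harden(SAMPLE_SMB_CONF))
```

On the constructed sample the audit flags the missing host restriction, the guest-writable "public" share and the "software" share that every authenticated user can write to; the read-only "finance" share and the non-writable printer spool produce nothing. After hardening, only the global host-restriction finding remains, because the script cannot know which address ranges are internal.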
Propagation occurring through email attachments dropped from 31 percent in 2008 to 25 percent in 2009, continuing its decline from 32 percent in 2007. Email attachments have now been surpassed by both executable file sharing and CIFS propagation methods.
[169] TCP port 445 is the default port used to run CIFS directly over TCP.