Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 4 Jan 2002 19:51:36 -0500 (EST)
On Fri, 4 Jan 2002, R. DuFresne wrote:
It's a pretty nasty and hard-to-control virus/worm, much more potent than what has been seen in the past.
Agreed. [snip]
The best way to defend against this nasty code, in our mind, is: educating users about e-mail and teaching them not to just point and click on mails whose origin they are not sure of and that contain attachments.
Education will fail, and users are too used to getting attachments from people they "trust," which is why most of the worms use address books (really a social vector.) It'd be kind of interesting to see how many people out you have to go to be in someone's address book (sort of like the everyone in the world knows someone who knows 1 in N people they meet stuff.) I'm increasingly convinced that having e-mail on a server that displays messages via HTTPS and allows download of specifically permitted attachment types is a bigger win than posting signs in the elevators or having people attend training, simply because training doesn't stick well enough due to the large social use of attachments and e-mail.
Anti-virus software not just on the servers but on each desktop also; keeping the virus signatures up to date on the servers and desktops is a must.
NIMDA spread rapidly enough that detection wasn't on time for a large number of people. Whilst this point *is* important for known malcode, it's less useful for rapidly spreading new stuff.
Patching IIS servers to prevent their infection: the patches had been available before this or Code Red and its variants had been released; few folks took the patches seriously, and thus the quick spread of these nasties, as well as the vast number of machines that remain infected to this day.
Absolutely. Let's not forget the client-side patching that everyone seems to have completely given up on.
Of course, folks not using Windows-related products are less likely to face difficulties with these nasties, though others infected throughout the net can affect your company's bandwidth when such viruses/worms are unleashed and start to spread as quickly as such code these days does...
Poisonbox wormed Solaris boxen to deface IIS servers, and 1i0n/ramen/adore weren't exactly benign, so less diligence isn't recommended. We're *still* seeing relatively large incidences of BIND/RPC/FTP compromises, so I'd restrict this to the collateral damage stuff and not press too hard on the Win* stuff.
Given that this worm has a diverse number of attack vectors, some comprising often-open ports via SMTP and HTTP, it has been extremely difficult to deal with via simple firewalling concepts. Proxies can help some, but not completely...
Egress filtering for Web servers would have helped tremendously.
Of course, others might have additional or better info, so I could well stand corrected, and would appreciate any corrections.
Good thoughts, I'm just not sure that everyone has mapped the traditional thinking to the rate of spread of an aggressive multi-vector/target worm like NIMDA.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net  which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
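Paul's remark that egress filtering for web servers would have helped is worth making concrete. What follows is an added example, not code from the original post or from the list: a default-deny egress policy for a DMZ web server, written once as a rule table that both evaluates constructed outbound flow records and renders the equivalent iptables commands. The addresses (192.0.2.10 as the web server, 192.0.2.53 as its resolver, 192.0.2.25 as its mail relay, 10.0.0.0/8 as the internal network), the `key=value` record format and the flow records themselves are assumptions constructed for the illustration; the records imitate what an infected IIS host generates when it scans other hosts on port 80, pulls its payload over TFTP, and probes file shares on the inside.

```python
"""Default-deny egress policy for a web-server DMZ, checked against constructed
outbound flow records.

Added example for the egress-filtering point in the post above; it is not
code from the original message.  The addresses, the resolver and mail-relay
hosts, the record format and the flow records are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEB_SERVER = "192.0.2.10"            # assumed DMZ web server
RESOLVER = "192.0.2.53"              # assumed DNS resolver it may query
MAIL_RELAY = "192.0.2.25"            # assumed SMTP relay for alerts
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal network the DMZ must never initiate to


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    state: str   # "new": this host opened the connection; "established": reply traffic


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(token.split("=", 1) for token in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(),
                int(fields["dport"]), fields["state"].lower())


# Policy: first matching rule wins.  Each entry is (reason, predicate, verdict,
# equivalent iptables rule) so one table drives both the check and the rendering.
RULES = [
    ("reply traffic for sessions opened from outside",
     lambda f: f.state == "established", "ACCEPT",
     "-m state --state ESTABLISHED,RELATED -j ACCEPT"),
    ("DNS to the designated resolver only",
     lambda f: f.proto == "udp" and f.dport == 53 and f.dst == RESOLVER, "ACCEPT",
     f"-p udp -d {RESOLVER} --dport 53 -j ACCEPT"),
    ("SMTP to the designated relay only",
     lambda f: f.proto == "tcp" and f.dport == 25 and f.dst == MAIL_RELAY, "ACCEPT",
     f"-p tcp -d {MAIL_RELAY} --dport 25 -j ACCEPT"),
    ("default deny: a web server never opens new outbound connections",
     lambda f: True, "DROP",
     "-j DROP"),
]


def egress_verdict(flow: Flow):
    """Return (verdict, reason) for one outbound flow from the web server."""
    for reason, matches, verdict, _ in RULES:
        if matches(flow):
            return verdict, reason
    raise AssertionError("unreachable: the last rule matches everything")


def is_lateral_attempt(flow: Flow) -> bool:
    """True when a DMZ host initiates a connection into the internal network;
    this deserves a louder alert than an ordinary dropped flow."""
    return flow.state == "new" and ip_address(flow.dst) in INTERNAL


def evaluate(lines):
    """Evaluate flow records; returns a list of (Flow, verdict, reason, lateral)."""
    out = []
    for line in lines:
        f = parse_flow(line)
        verdict, reason = egress_verdict(f)
        out.append((f, verdict, reason, is_lateral_attempt(f)))
    return out


def render_iptables(chain: str = "OUTPUT"):
    """Render the policy as iptables commands for the web server's own host."""
    cmds = [f"iptables -P {chain} DROP"]
    cmds += [f"iptables -A {chain} {rule}" for _, _, _, rule in RULES]
    # Log just before the final DROP so scanning from a compromised server is visible.
    cmds.insert(len(cmds) - 1, f'iptables -A {chain} -j LOG --log-prefix "EGRESS-DROP "')
    return cmds


# Constructed flow records: what an infected IIS host scanning for other web
# servers, fetching a payload over TFTP and probing internal shares would emit.
SAMPLE_FLOWS = [
    f"src={WEB_SERVER} dst=203.0.113.9 proto=tcp dport=51234 state=established",  # reply to a visitor
    f"src={WEB_SERVER} dst={RESOLVER} proto=udp dport=53 state=new",              # DNS lookup
    f"src={WEB_SERVER} dst=198.51.100.7 proto=tcp dport=80 state=new",            # scanning other web servers
    f"src={WEB_SERVER} dst=198.51.100.7 proto=udp dport=69 state=new",            # TFTP payload fetch
    f"src={WEB_SERVER} dst=10.1.2.3 proto=tcp dport=139 state=new",               # NetBIOS share probe
    f"src={WEB_SERVER} dst=198.51.100.8 proto=tcp dport=25 state=new",            # direct-to-MX mailing
]

if __name__ == "__main__":
    for f, verdict, reason, lateral in evaluate(SAMPLE_FLOWS):
        flag = " [LATERAL]" if lateral else ""
        print(f"{verdict:6} {f.proto}/{f.dport:<5} -> {f.dst:15} {reason}{flag}")
    print("\n".join(render_iptables()))
```

Run it directly to see one verdict per flow followed by the rendered rules. The design point is that the only outbound state a web server needs in order to answer visitors is ESTABLISHED/RELATED; every NEW connection the server itself opens is suspect by construction, which is what turns a compromised server from a propagator into a contained but noisy host. The LOG rule ahead of the final DROP is what makes that noise reach the people running the box.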
Current thread:
- RE: The Morris worm to Nimda, how little we've learned or gained Behm, Jeffrey L. (Jan 03)
- Re: The Morris worm to Nimda, how little we've learned or gained Jon O . (Jan 04)
- Re: The Morris worm to Nimda, how little we've learned or gained William bradd (Jan 04)
- NIMDA, how to stop it Alan Young (Jan 04)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)
- Re: NIMDA, how to stop it Paul D. Robertson (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Christopher Lee (Jan 05)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 04)
- Re: NIMDA, how to stop it Ryan Russell (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Ryan Russell (Jan 06)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 06)
- Re: NIMDA, how to stop it Ryan Russell (Jan 07)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)