Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: "Paul D. Robertson" <proberts () patriot net>
Date: Fri, 4 Jan 2002 19:51:36 -0500 (EST)

On Fri, 4 Jan 2002, R. DuFresne wrote:

> It's a pretty nasty and hard to control viri/worm, much more potent than
> what has been seen in the past.

Agreed.

[snip]

> The best way to defend against this nasty code, in our mind is:

> educating users about e-mail and teaching them to not just point and click
> on mails they are not sure of origination and contain attachments.

Education will fail, and users are too used to getting attachments from
people they "trust," which is why most of the worms use address books
(really a social vector.)

It'd be kind of interesting to see how many people out you have to go to
be in someone's address book (sort of like the everyone in the world knows
someone who knows 1 in N people they meet stuff.)
 
I'm increasingly convinced that having e-mail on a server that displays
messages via HTTPS and allows download of specifically permitted attachment
types is a bigger win than posting signs in the elevators or having people
attend training simply because training doesn't stick well enough due to
the large social use of attachments and e-mail.

> anti-virus software not just on the servers, but each desktop also,
> keeping the virus signatures on the servers and desktops is a must.

NIMDA spread rapidly enough that detection wasn't on time for a large
number of people.  Whilst this point *is* important for known malcode, it's
less useful for rapidly spreading new stuff.

> Patching IIS servers to prevent their infection, the patches had been
> available before this or code red and its variants had been released, few
> folks took the patches seriously and thus the quick spread of these
> nasties as well as the vast number of machines that remain infected to
> this day.

Absolutely.  Let's not forget the client-side patching that everyone seems
to have completely given up on.

> Of course, folks not using windows related products are less likely to
> face difficulties with these nasties, though others infected throughout
> the net can affect your company's bandwidth when such viri/worms are
> unleashed and start to spread as quickly as such code these days does...

Poisonbox wormed Solaris boxen to deface IIS servers, and 1i0n/ramen/adore
weren't exactly benign, so less diligence isn't recommended.  We're
*still* seeing relatively large incidences of BIND/RPC/FTP compromises, so
I'd restrict this to the collateral damage stuff and not press too hard on
the Win* stuff.

> Being this worm has a diverse number of attack vectors, some comprising
> often open ports via smtp and http, it has been extremely difficult to deal
> with via simple firewalling concepts.  Proxies can help some, but, not
> completely...

Egress filtering for Web servers would have helped tremendously.

> Of course, others might have additional or better info, so, I could well
> stand corrected, and would appreciate any corrections.

Good thoughts, I'm just not sure that everyone has mapped the traditional
thinking to the rate of spread of an aggressive multi-vector/target worm
like NIMDA.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
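Worked example, added to this archive page and not part of the posting above: a small stateful egress-policy evaluator showing why "egress filtering for Web servers would have helped". A public web server needs to accept new connections on the ports it serves and send replies on those sessions; any new connection it originates itself (a scan of other web servers over http, or mailing over smtp) is what a worm needs to spread, so the policy denies and alerts on it. The addresses, ports, resolver and flow records are constructed for illustration.

```python
from dataclasses import dataclass

WEB_SERVER = "192.0.2.10"               # constructed address of the web host
SERVED_PORTS = {80, 443}                # services the host is allowed to offer
ALLOWED_OUTBOUND = {("192.0.2.53", 53)}  # assumed: only its DNS resolver


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    syn_only: bool  # True for a new connection attempt (SYN without ACK)


def evaluate(flows):
    """Return (verdicts, alerts) for a list of flows seen at the server's edge.
    Inbound new connections to served ports are allowed and remembered; the
    server may answer on those sessions and reach its resolver; every other
    connection it originates is denied and flagged as possible worm activity."""
    established = set()  # (client_ip, client_port) pairs the server may reply to
    verdicts, alerts = [], []
    for f in flows:
        if f.dst == WEB_SERVER and f.dport in SERVED_PORTS:
            established.add((f.src, f.sport))
            verdicts.append("ALLOW")
        elif f.src == WEB_SERVER and not f.syn_only and (f.dst, f.dport) in established:
            verdicts.append("ALLOW")  # reply on an established inbound session
        elif f.src == WEB_SERVER and (f.dst, f.dport) in ALLOWED_OUTBOUND:
            verdicts.append("ALLOW")
        elif f.src == WEB_SERVER:
            verdicts.append("DENY")   # server-originated new connection
            alerts.append(f"web server initiated {f.dst}:{f.dport}")
        else:
            verdicts.append("DENY")   # inbound to an unserved port
    return verdicts, alerts


def sample_verdicts():
    """Run the policy over constructed flows: a normal client session, then
    the server scanning another web server, resolving a name, and sending mail."""
    flows = [
        Flow("203.0.113.5", 40000, WEB_SERVER, 80, True),      # client connects
        Flow(WEB_SERVER, 80, "203.0.113.5", 40000, False),     # server replies
        Flow(WEB_SERVER, 51000, "198.51.100.7", 80, True),     # outbound http scan
        Flow(WEB_SERVER, 51001, "192.0.2.53", 53, True),       # DNS lookup
        Flow(WEB_SERVER, 51002, "198.51.100.8", 25, True),     # outbound smtp
        Flow("203.0.113.9", 40001, WEB_SERVER, 1433, True),    # unserved port
    ]
    return evaluate(flows)
```

The two alerts are the kind of event a perimeter device should log even when the server itself has no detection signature for the new worm yet.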

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
