Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 4 Jan 2002 18:17:09 -0700 (MST)

On Fri, 4 Jan 2002, Alan Young wrote:

> speaking of NIMDA, as a general recommendation, what would you all recommend
> as an effective firewall setup to stop NIMDA?

Firewalls aren't, for the most part, designed to combat the weaknesses
that Nimda exploits to spread.

> Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus
> firewall" in addition to our PIX?

You'd want an antivirus gateway, possibly.  That would help with Nimda
arriving and leaving via email.  Possibly also via HTTP, depending on the
gateway.


> I am sure I must be missing some fundamental firewall knowledge, I suppose
> there are some good books on this topic???

I haven't read any books lately that cover protecting from recent worm
techniques.  That field has been evolving very quickly.  For Nimda in
particular, you can take a look at an analysis I participated in, if you
like technical details:
http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf
This is for one of the earliest versions of Nimda, so the little details
like filenames are off, but the big picture is accurate.

Nimda is pretty bad once it gets inside your network.  I've spoken with a
local school district in my area that has been completely screwed by it.  If it
gets inside, and you don't have a centrally updatable antivirus install on
every desktop, you won't be able to get rid of it.

Let me paint a picture:
One of the spreading mechanisms is NetBIOS file shares.  Any number of
students manage to infect the student workstations throughout the day via
email or web browsing.  Since the workstation is now acting funny, they
call over an admin.  The admin logs on as themself.  If the admin has a
home drive, probably on the PDC, then the PDC just got infected.  Now
every student that logs on gets a copy from the PDC.  When it manages to
execute on the PDC with privs, it uses its domain trust to infect every
drive share in the network neighborhood.  They now have to clean every
machine, and be extremely careful about what accounts are allowed to do.
One copy could restart the whole process.

Desktop AV is the only thing that stops the bulk of the process.  We're
now up to I think 6 Nimda variants.  When a new one comes out there's a
24-48 hour window before you can get a new signature for it from your
vendor, and then you have to have a way to update every desktop ASAP.

                                        Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards