Firewall Wizards mailing list archives
Re: NIMDA, how to stop it
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 4 Jan 2002 18:17:09 -0700 (MST)
On Fri, 4 Jan 2002, Alan Young wrote:
> speaking of NIMDA, as a general recommendation, what would you all recommend as an effective firewall setup to stop NIMDA?
Firewalls aren't, for the most part, designed to combat the weaknesses that Nimda exploits to spread.
> Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus firewall" in addition to our PIX?
You'd want an antivirus gateway, possibly. That would help with Nimda arriving and leaving via email. Possibly also via HTTP, depending on the gateway.
> I am sure I must be missing some fundamental firewall knowledge, I suppose there are some good books on this topic???
I haven't read any books lately that cover protecting from recent worm techniques. That field has been evolving very quickly. For Nimda in particular, you can take a look at an analysis I participated in, if you like technical details: http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf This is for one of the earliest versions of Nimda, so the little details like filenames are off, but the big picture is accurate.

Nimda is pretty bad once it gets inside your network. I've spoken with a local school district in my area that has been completely screwed by it. If it gets inside, and you don't have a centrally updatable antivirus install on every desktop, you won't be able to get rid of it.

Let me paint a picture: One of the spreading mechanisms is NetBIOS file shares. Any number of students manage to infect the student workstations throughout the day via email or web browsing. Since the workstation is now acting funny, they call over an admin. The admin logs on as themself. If the admin has a home drive, probably on the PDC, then the PDC just got infected. Now every student that logs on gets a copy from the PDC. When it manages to execute on the PDC with privs, it uses its domain trust to infect every drive share in the network neighborhood. They now have to clean every machine, and be extremely careful about what accounts are allowed to do. One copy could restart the whole process.

Desktop AV is the only thing that stops the bulk of the process. We're now up to I think 6 Nimda variants. When a new one comes out there's a 24-48 hour window before you can get a new signature for it from your vendor, and then you have to have a way to update every desktop ASAP.

Ryan

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
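The share-hopping scenario Ryan describes (infected workstation, admin logon with a home drive on the PDC, PDC running the worm with domain privileges, every reachable share seeded) can be replayed as a small propagation model to see why "be extremely careful about what accounts are allowed to do" is the operative control. This is an added example, not code from the original message or from the Nimda analysis it links; the hosts, accounts, share permissions and logon order are constructed for illustration, and the two execution rules in the docstring are simplifying assumptions, not a description of the worm's actual code.

```python
"""Propagation model for worm spread over writable file shares.

Added example, not code from the original post. Simplifying assumptions:
  1. A worm running on a host, in the context of the account that just logged
     on there, writes a copy to every remote share that account can write to.
  2. A copy dropped on a host is executed the next time any account logs on
     interactively at that host (the "student logs on and gets a copy" step).
Student home directories are deliberately not modelled.
"""

# Constructed network: host -> share name -> accounts with write access.
# "admin" is a domain admin with a home drive on the PDC and write access to
# the administrative C$ share on every workstation.
SCHOOL_NET = {
    "PDC": {"admin_home": {"admin"}, "C$": {"admin"}},
    "WS1": {"C$": {"admin"}},
    "WS2": {"C$": {"admin"}},
    "WS3": {"C$": {"admin"}},
}

# Constructed day as in the post: a student infects WS1 by mail or browsing,
# the admin logs on there to look, later logs on to the PDC, students keep
# logging on to the other workstations.
LOGONS = [
    ("student1", "WS1"),
    ("admin", "WS1"),   # admin session on an infected host seeds the PDC home drive
    ("admin", "PDC"),   # dropped copy executes on the PDC with domain-admin rights
    ("student2", "WS2"),
    ("student3", "WS3"),
]


def writable_hosts(shares, account, from_host):
    """Remote hosts on which `account` can write to at least one share."""
    return {
        host
        for host, host_shares in shares.items()
        if host != from_host
        and any(account in writers for writers in host_shares.values())
    }


def simulate(shares, logons, initially_running):
    """Replay interactive logons; return (running, dropped) host sets.

    running: hosts on which the worm is executing.
    dropped: hosts holding a copy on a share that nobody has executed yet.
    """
    running = set(initially_running)
    dropped = set()
    for account, host in logons:
        if host in dropped:             # assumption 2: logon executes the copy
            dropped.discard(host)
            running.add(host)
        if host in running:             # assumption 1: write to reachable shares
            for target in writable_hosts(shares, account, host):
                if target not in running:
                    dropped.add(target)
    return running, dropped


def scenario_admin_with_home_drive():
    """The post's scenario: one admin desk visit seeds the whole domain."""
    return simulate(SCHOOL_NET, LOGONS, {"WS1"})


def scenario_restricted_helpdesk():
    """Same day, but the desk visit uses a 'helpdesk' account (constructed) that
    has no home drive on the PDC and no write access to any remote share."""
    logons = [("helpdesk" if a == "admin" else a, h) for a, h in LOGONS]
    return simulate(SCHOOL_NET, logons, {"WS1"})


if __name__ == "__main__":
    for name, fn in (("admin with home drive", scenario_admin_with_home_drive),
                     ("restricted helpdesk account", scenario_restricted_helpdesk)):
        running, dropped = fn()
        print(f"{name}: running={sorted(running)} dropped={sorted(dropped)}")
```

In the first scenario the outbreak is driven entirely by the admin's write access, not by anything the students can do: the student logons never seed a share, and the same day replayed with an account that cannot write to remote shares leaves the infection confined to WS1. The model says nothing about e-mail or IIS spread, which is why Ryan's point about desktop AV still stands; it only isolates the share-and-privilege leg of the problem.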
Current thread:
- RE: The Morris worm to Nimda, how little we've learned or gained Behm, Jeffrey L. (Jan 03)
- Re: The Morris worm to Nimda, how little we've learned or gained Jon O . (Jan 04)
- Re: The Morris worm to Nimda, how little we've learned or gained William bradd (Jan 04)
- NIMDA, how to stop it Alan Young (Jan 04)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)
- Re: NIMDA, how to stop it Paul D. Robertson (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Christopher Lee (Jan 05)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 04)
- Re: NIMDA, how to stop it Ryan Russell (Jan 04)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 05)
- Re: NIMDA, how to stop it Ryan Russell (Jan 06)
- Re: NIMDA, how to stop it Robin S. Socha (Jan 06)
- Re: NIMDA, how to stop it Ryan Russell (Jan 07)
- Re: NIMDA, how to stop it R. DuFresne (Jan 04)