Firewall Wizards mailing list archives

Re: NIMDA, how to stop it


From: "Robin S. Socha" <robin-dated-1010453951.80d13d () socha net>
Date: Fri, 04 Jan 2002 21:01:18 -0500

begin  R_DuFresne.exe <dufresne () sysinfo com> writes:
On Fri, 4 Jan 2002, Alan Young wrote:

speaking of NIMDA, as a general recommendation, what would you all
recommend as an effective firewall setup to stop NIMDA?

Can I stop NIMDA with just a PIX? Or do I need some sort of other
"virus firewall" in addition to our PIX?

R., you are focussing on one problem. That's not a viable solution. DoS
attacks launched by, spread through, and propagated with broken software
is nothing you can do away with by using additional software. The proper
solution to fix broken things is to fix them. If your car manufacturer
delivered your car with broken brakes - would you put an air balloon on
your bumper? No? Then why are you advocating virus scanners?

[...]
The best way to defend against this nasty code, in our mind is:

educating users about e-mail and teaching them to not just point and
click on mails they are not sure of origination and contain attachments.

Your point is moot. Microsoft Outlook has executed code upon viewing
messages. Null argument.

anti-virus software not just on the servers, but each desktop also,
keeping the virus signatures on the servers and desktops is a must.

No virus scanner has ever prohibited the spreading of a fast
virus. None. Just as you don't get a little pregnant you don't rely on
broken software (virus scanners are broken because they cannot find
viruses they don't know).

Patching IIS servers to prevent their infection. The patches had been
available before this or Code Red and its variants had been released;
few folks took the patches seriously, and thus the quick spread of these
nasties as well as the vast number of machines that remain infected to
this day.

I can't find the URL right now but there recently was an interesting
article somewhere on one of the major security websites about how it's
impossible for the average user to install them. Also, Microsoft - being
a marketing shop, not a software manufacturer, because you don't make
money trying to legitimately sell broken software - is not very good at
handling what they refer to as issues: blatant displays of utter, total,
embarrassing inabilities to code even the simplest programs without
major security exploits.

The point is: as long as there are Microsoft products on the net, they
can and will be used as attack tools against other machines. You're
trying to describe helpless attempts to fix broken software - if you are
honest enough to put it this way, that's fine. Your "solution" is not,
however, a solution. Solved problems cease to exist.

Of course, folks not using Windows related products are less likely
to face difficulties with these nasties, though others infected
throughout the net can affect your company's bandwidth when such
viri/worms are unleashed and start to spread as quickly as such code
these days does...

I'm sitting on a lot of bandwidth. I also run OpenBSD mailservers with
qmail. I felt all of the recent Microsoft viruses. "Admins" running
MSIS and Exchange are potential enemies. Managements employing these
attack tools are potential enemies. It's time people like you woke up,
got a clue and told the truth: you're not running Microsoft products
because they are superiorer (anyone got any advantages of Win2k/MSIS
over $UNIX/$UNIX_WEBSERVER?) but for other reasons.

Being this worm has a diverse number of attack vectors, some comprising
often open ports via smtp and http, it has been extremely difficult to
deal with via simple firewalling concepts. Proxies can help some, but
not completely...

You are confused. My mailservers are tarpitted. My webservers have
bandwidth limitations. Tarpitting has proven a good approach against
Microsoft email viruses. Forcing people like Alan into not using the
attack tools would be even better, though.

Of course, others might have additional or better info, so I could
well stand corrected, and would appreciate any corrections.

There is nothing to correct. Your approach is completely wrong because
you're focussing on defending broken software with broken software. A
viable strategy is to eliminate the broken software, though. BTW, for
the fun of it do:
find pine4.05 -type f | xargs egrep '(sprintf|strcpy|strcat)' | wc -l
and make sure to have a barf bag at hand.
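The count the one-liner above produces, generalised, as an added example that is not part of the original post: an audit script that reports per-file counts of the same unbounded string functions across a C source tree (the function list is assumed; extend it as needed), matching whole identifiers only so that names such as vsprintf or a wrapper called my_strcpy do not inflate the number. A hit marks a call to review, not a confirmed bug.

```shell
#!/bin/sh
# Added example (not from the original post): count calls to classic
# unbounded C string functions, per file, across a source tree.
# Compared with the bare egrep one-liner, it restricts the search to
# .c/.h files and matches whole words only.

# Functions to look for; assumed list, extend as needed.
UNSAFE_FUNCS='sprintf|strcpy|strcat|gets'

# count_unsafe DIR -> prints "count file" lines, highest count first.
# Returns 1 (and prints nothing) if DIR does not exist.
count_unsafe() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    # -E: alternation, -w: whole-word match, -o: one output line per
    # hit, so several calls on one source line are all counted.
    find "$dir" -type f \( -name '*.c' -o -name '*.h' \) -print |
    while IFS= read -r f; do
        n=$(grep -Ewo "($UNSAFE_FUNCS)" "$f" | wc -l | tr -d ' ')
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$n" "$f"
        fi
    done | sort -rn
}

# unsafe_total DIR -> prints the total number of hits in the tree.
unsafe_total() {
    count_unsafe "$1" | awk '{ s += $1 } END { print s + 0 }'
}
```

Run as `count_unsafe pine4.05` for the per-file table or `unsafe_total pine4.05` for the single number the original command prints.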
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards