Re: NIMDA, how to stop it

[Christopher Lee <complexity () bigfoot com>]

I am in a bashing mood today, so I am going to throw into a couple of wise-
cracks here...  ;-)

First of all, if your firewall supports some sort URL restriction (either 
native or via an external program), you could always have all inbound/outbound 
HTTP traffic scanned for the very string that invoked the attack (or an unique 
part of the string, since it's extremely long).  This is the approach by 
serveral IDS vendors (and officially endorsed by one of the major firewall 
vendor, who shall remain nameless).  As many of the guys on the list will 
quickly point out, this could denied access to legitament uses of those 
executables on IIS, not to mention the administrative overhead (imagine you got 
to do this for every worm)...

Now, before I get flamed on this one, please allow me to declare my personal 
opporsition to do such type of anti-virus scheme on the firewall.  I was on the 
receiving end of being forced into doing this for last couple of worms...  And 
let me tell ya, it wasn't fun at all (having to invent the pattern to block on 
the firewall, then parse through the logs to locate the source of the traffic, 
and developed a script to monitor worm behaviour from the firewall log and page 
someone when it starts again)...

My two cents (and the conclusion on this) are:
1, multiple-tier anti-virus solution (one gateway based, and one on the 
desktops).  This would at least control the spreading of the worm (after the 
signature is made available).
2, please, hire some guy and make him response for keeping the internet-facing 
infrastructure up to date.  he doesn't have to do it, but he has to make 
everyone else aware of the latest security patches.
3, if you could afford, implement some sort of a (semi) real-time traffic 
pattern analysis program (this can be done by a fairly simple shell script if 
your firewall log is exportable live).  This will let you know when a worm is 
starting to spread.

Regards,

Christopher Lee
PGP Fingerprint: 15C1 65D0 E051 C64D 5246  89FC 5AE3 DE2C 8F1E 89A7
Personal Web Page: http://complexity.webhop.net


Quoting "R. DuFresne" <dufresne () sysinfo com>:

> It's a pretty nasty and hard to control viri/worm, much more potents then
> what has been seen in the past.
>
> here's a pretty good link for solid info on it:
>
> http://www.europe.f-secure.com/v-descs/nimda.shtml
>
> The best way to defend against this nasty code, in our mind is:
>
> educating users about e-mail and teaching them to not just point and click
> on mails they are not sure of origination and contain attachments.  
>
> anti-virus software not just on the servers, but each desktop also,
> keeping the virus signatures on the servers and desktops is a must.
>
> Patching IIS servers to prevent their infection, the patches had been
> available before this or code red and it's variants had been released, few
> folks took the patches seriously and thus the quick spread of these
> nasties as well as the vast number of machines that remain infected to
> this day.
>
>
> Of course, folks not using windows related products are less likely to
> face difficulties with these nasties, though others infected throughout
> the net can affect your companies bandwidth when such viri/worms are
> unleashed and start to spread as quickly as such code these days does...
>
> Being this worm has a diverse number of attack vectors, some comprising
> oten open ports via smtp and http, it has been extremely difficult to deal
> with via simple firewalling concepts.  Proxies can help ome, but, not
> completely...
>
> Of course, others might have additional or better info, so, I could well
> stand corrected, and would appreciate any corrrections.
>
> Thanks,
>
> Ron DuFresne
>
>
> On Fri, 4 Jan 2002, Alan Young wrote:
>
> > speaking of NIMDA, as a general recommendation, what would you all
> recommend
> > as an effecive firewall setup to stop NIMDA?
> >
> > Can I stop NIMDA with just a PIX? Or do I need some sort of other "virus
> > firewall" in addition to our PIX?
> >
> > Please forgive my ignorance, I cant search the archives (the search
> function
> > is broken) so I dont know if this has been asked before.
> >
> > I am sure I must be missing some fundamental firewall knowledge, I
> suppose
> > there are some good books on this topic???
> >
> > Alan Young
> >
> >
> > > -----Original Message-----
> > > From: firewall-wizards-admin () nfr com
> > > [mailto:firewall-wizards-admin () nfr com]On Behalf Of Behm, Jeffrey L.
> > > Sent: Thursday, January 03, 2002 3:05 PM
> > > To: firewall-wizards () nfr net
> > > Subject: RE: [fw-wiz] The Morris worm to Nimda, how little
> > > we've learned
> > > or gained
> > >
> > >
> > > > At the very least, jobs should be on the line when companies are
> > > compromised by code
> > > > that could have long been prevented by patching of
> > > applications and OS's,
> > > > especially when those patches have been widely available and publicly
> > > > announced.  Even an arson victim faces penalties if they
> > > have violated
> > >
> > > I agree with your article as a whole, but take minor
> > > exception to the above
> > > paragraph.
> > >
> > > Is the job on the line if there are no or very little
> > > resources available to
> > > test the patches?
> > > I don't think you aren't suggesting blind application of all security
> > > related patches released from a given vendor, so how does one
> > > decide which
> > > are the "real" ones to apply, and which are the "ones we
> > > don't really need."
> > > It's the old adage of "apply patches and take a chance of breaking
> > > something" vs. "don't apply the patch until you are sure you
> > > need it" (but
> > > how are you "sure"?)
> > >
> > > I.E. Is my job on the line if I apply a patch and it causes
> > > more damage (due
> > > to my own corporate implementation) than the issue it was
> > > supposed to fix?
> > >
> > > I will give you that there are some patches that one should
> > > apply due to the
> > > severity of the consequences of not applying it (BIND, Sendmail, and
> > > others). My point is that if the company is not willing to provide the
> > > resources (time, hardware, people) needed to properly test
> > > the patch(es),
> > > the job should not be "on the line."
> > >
> > > A minor point, perhaps, but with the lack of skilled security
> > > admins, and
> > > unwillingness of companies to provide adequate resource to security
> > > infrastructure (including patch testing), I don't think all
> > > the blame lies
> > > on the ones that "should have known the patches needed to be applied."
> > >
> > > IMHO (and no flame nor offense intended!),
> > > Jeff
> > >
> > > Statements made are my personal opinion and in no way reflect
> > > the views of
> > > any company, corporation, or business.
> > >
> > > > -----Original Message-----
> > > > From: R. DuFresne [mailto:dufresne () sysinfo com]
> > > > Sent: Thursday, January 03, 02 3:11 AM
> > > > To: firewall-wizards () nfr net
> > > > Subject: [fw-wiz] The Morris worm to Nimda, how little we've
> > > learned or
> > > > gained
> > > >
> > > >
> > > >
> > > >
> > > >                 The Morris worm to Nimda
> > > >            how little we've learned or gained
> > > >
> > > >
> > > >                               by:  Ron DuFresne
> > > >                                              (c) 2001
> > > >
> > > >
> > > >
> > > >
> > > > 2001 was a tumultuous year.  Prior to the September 11 airline
> > > > attacks on
> > >
> > > <snip>
> > > _______________________________________________
> > > firewall-wizards mailing list
> > > firewall-wizards () nfr com
> > > http://list.nfr.com/mailman/listinfo/firewall-wizards
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior consultant:  sysinfo.com
>                   http://sysinfo.com
>
> "Cutting the space budget really restores my faith in humanity.  It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards


-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards