Apr 01

Conficker update

Security News -

Hi All,

The Conficker worm has now activated its new update system, as expected. The worm’s update routine is now enhanced and more difficult to block.

The worm has not done anything else, as expected. We’ll be monitoring the situation and providing updates.

//Opi

written by Olli-Pekka Niemi

Feb 06

About the Downadup worm

Hints and Tips, IPS, Security News -

Hi everybody!

One question that I’ve been seeing quite a lot lately is:
“How does the SGIPS protect my network from the Downadup / Conficker worm?”

Well here’s your answer. But first, some details about the worm.

The Downadup worm is a rather nasty case. It has three spreading vectors and it can update itself. The attack vectors are:

- Exploiting the MS08-067 MSRPC vulnerability.
- Brute-forcing the administrator password by connecting to the $ADMIN share.
- Copying itself to removable media such as USB sticks. When the media is connected to a computer, the worm is run via the Windows AutoRun feature.

The StoneGate IPS can block all attacks against the MSRPC vulnerability. In fact, we had pre-emptive protection against this vulnerability; check out this press release. The fingerprint situation blocking exploits against the MS06-040 vulnerability, released in 2006, also protected against MS08-067. So hosts protected by an inline SGIPS with the default policy cannot be exploited by Downadup.

The StoneGate IPS is also able to detect brute force attacks against Windows shares, such as the $ADMIN share. Although the default action for the situation “Analyzer SMB Brute Force Attack detected” is an alert, it is possible to configure a blacklisting response to this situation, limiting the worm’s brute force attempts. The nice guys at F-Secure have a list of the passwords used in the brute force attacks, so making sure that your hosts don’t use any of the passwords listed at http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml also defeats the worm’s brute forcing.

Then there is the USB stick spreading vector. If the worm spreads via a USB stick or similar, SGIPS is still able to detect the compromised hosts so that system administrators can clean them. First of all, the worm tries to exploit other hosts; SGIPS sees and blocks those attacks. Secondly, the worm tries to call home. SGIPS has a signature for this as well, so if there are any Downadup-compromised hosts in your network, SGIPS will know.

Here are the vulnerability and all the situations related to the worm available in SGIPS:

VID related to MS08-067: Windows-MSRPC-SRVSVC-Unicode-Buffer-Overflow

SIDS:

MSRPC-TCP_CPS-Microsoft-Windows-Server-Service-NetPathCompare-Buffer-Overrun
MSRPC-TCP_CPS-Microsoft-Windows-WKSSVC-Path-Memory-Corruption
MSRPC-TCP_CPS-Vulnerable-Microsoft-Windows-Server-Service-Function-Called
MSRPC-TCP_CPS-Vulnerable-Microsoft-Windows-Server-Service-Function-Called-2
MSRPC-TCP_CPS-Windows-MSRPC-SRVSVC-Unicode-Buffer-Overflow
MSRPC-TCP_CPS-Microsoft-Windows-Server-Service-Buffer-Overrun
MSRPC-TCP_CPS-Vulnerable-Microsoft-Windows-Server-Service-Function-Called
MSRPC-TCP_Microsoft-Windows-Server-Service-Buffer-Overrun
MSRPC-TCP_Vulnerable-Microsoft-Windows-Server-Service-Function-Called
Analyzer SMB Brute Force Attack detected
SMB-TCP_Failed-Session-Setup
HTTP_CS-Downandup-Worm-Request
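The brute force situation and its optional blacklisting response, as an added toy analyzer that is not StoneGate code: it replays constructed SMB-TCP_Failed-Session-Setup events and raises the analyzer situation; the event format, threshold, window and blacklist lifetime are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a made-up "timestamp src dst situation" format.
# 192.0.2.10 hammers the share the way the worm does, 192.0.2.20 is a user who
# mistypes twice, 192.0.2.30 fails once a minute, too slowly to fit the window.
SAMPLE_EVENTS = """\
2009-02-06T10:00:00 192.0.2.30 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:01 192.0.2.10 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:03 192.0.2.10 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:04 192.0.2.20 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:06 192.0.2.10 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:09 192.0.2.20 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:11 192.0.2.10 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:00:13 192.0.2.10 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:01:05 192.0.2.30 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:02:10 192.0.2.30 192.0.2.50 SMB-TCP_Failed-Session-Setup
2009-02-06T10:03:15 192.0.2.30 192.0.2.50 SMB-TCP_Failed-Session-Setup
"""

TRIGGER = "SMB-TCP_Failed-Session-Setup"            # situation being counted
ALERT = "Analyzer SMB Brute Force Attack detected"  # situation being raised
THRESHOLD = 4                          # assumed failures per source per window
WINDOW = timedelta(seconds=60)         # assumed sliding window
BLACKLIST_FOR = timedelta(minutes=10)  # assumed lifetime of a blacklist entry

def analyze(log_text, blacklist=False):
    """Replay chronologically ordered events; return (alerts, blacklist_entries).
    Default action is an alert only; blacklist=True also emits (src, dst, expiry)."""
    recent = defaultdict(deque)        # src -> failure timestamps inside WINDOW
    alerted, alerts, entries = set(), [], []
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, dst, situation = line.split()
        ts = datetime.fromisoformat(ts)
        if situation != TRIGGER:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:      # age out failures older than the window
            q.popleft()
        if len(q) >= THRESHOLD and src not in alerted:
            alerted.add(src)
            alerts.append((ts, src, ALERT))
            if blacklist:
                entries.append((src, dst, ts + BLACKLIST_FOR))
    return alerts, entries
```

Run on the sample, only 192.0.2.10 trips the analyzer; the slow source never accumulates enough failures inside one window, which is the trade-off a threshold-based situation makes.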

Well, if you’re one of the unlucky ones, how can you get rid of the worm?


written by Olli-Pekka Niemi