Mimail.R/MyDoom
Subscription Advisory
Attack ID: CPAI-2004-02
Last Update: 29-Jan-2004
Category: Mass-mailing worm
Vulnerable Systems: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Source: Trend Micro
Description: Mimail.R/MyDoom is a mass-mailing worm, currently propagating on the Internet, that infects users of Windows operating systems via malicious e-mail attachments.
Severity: High
Details: The user receives an e-mail with the subject "Hi" (or another subject) and an executable attached. Upon execution of the attachment, the worm scans the infected machine for files containing e-mail addresses and then sends itself to those addresses using its own SMTP engine.
In addition, it begins to listen on TCP ports 3127 to 3198, allowing a remote attacker access to the infected machine.
Lastly, the worm copies itself to the KaZaa download directory and disguises itself, thus spreading itself through file sharing.
Attack Detection: Using SmartView Tracker, identify attempts to receive and send e-mails (SMTP traffic) that contain attachments with .EXE or other executable extensions.
Solution (last updated 29-Jan-04):
Define an SMTP resource that blocks executable files and the MIME type message/partial.
The SMTP inbound rule looks like the following:
SRC=ANY, DST=Incoming SMTP server, Service=Resourced SMTP, Action=accept and log
The SMTP outbound rule looks like the following: SRC=Internal, DST=ANY, Service=Resourced SMTP, Action=accept and log
The SMTP resource looks like the following:
SMTP Resource->Action2 tab
Strip MIME of type: message/partial
Strip file by name: *.exe; *.pif; *.scr; *.cmd; *.bat; *.zip
Weeding: Strip all Script Tags, links and port strings
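To show what the SMTP resource above actually filters, here is an added example (not Check Point's code) that applies the same two rules, the message/partial MIME type and the "Strip file by name" patterns, to a constructed sample mail; the mail contents, boundary and filenames are invented for the demonstration.

```python
import fnmatch
from email import policy
from email.parser import BytesParser

# Filter settings copied from the advisory's SMTP resource ("Action2" tab).
STRIP_MIME_TYPES = {"message/partial"}
STRIP_NAME_PATTERNS = ("*.exe", "*.pif", "*.scr", "*.cmd", "*.bat", "*.zip")

# Constructed sample mail (not a real worm message): a "Hi" mail carrying an
# .exe attachment plus a message/partial fragment a gateway cannot scan whole.
SAMPLE_MAIL = b"""\
Subject: Hi
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Document.EXE"
Content-Disposition: attachment; filename="Document.EXE"
Content-Transfer-Encoding: base64

TVotcGxhY2Vob2xkZXI=
--b1
Content-Type: message/partial; id="constructed-1"; number=1; total=2

(first fragment of a split message)
--b1--
"""


def part_verdict(part):
    """Return why a MIME part would be stripped, or None if it may pass."""
    ctype = part.get_content_type()
    if ctype in STRIP_MIME_TYPES:
        return f"mime-type {ctype}"
    name = part.get_filename()  # also falls back to the Content-Type name= parameter
    if name and any(fnmatch.fnmatch(name.lower(), p) for p in STRIP_NAME_PATTERNS):
        return f"filename {name}"  # lower-cased so Document.EXE matches *.exe
    return None


def scan_message(raw):
    """Return [(label, reason)] for every part the SMTP resource would strip."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = []
    for part in msg.walk():  # visits nested parts too, including message/* bodies
        reason = part_verdict(part)
        if reason:
            hits.append((part.get_filename() or part.get_content_type(), reason))
    return hits
```

Note that message/partial is matched by type rather than by name: a worm split across fragments carries no scannable attachment in any single fragment, which is why the resource strips the whole type.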
To identify a possibly infected machine, one can use the HTTP header detection feature to block the Trojan component from announcing its presence.
Users deploying VPN-1 NG with Application Intelligence R54 and above should configure the following:
Choose the SmartDefense tab from within SmartDashboard
Open the "Application Intelligence" tree
Open the "Web" tree
Click on "HTTP protocol inspection" and specify whether the HTTP protocol inspection is to be performed on all HTTP connections or only on connections that have a resource defined. If you choose "Configurations apply only to connections related to resources used in the Rule Base", then an HTTP resource should be configured. If you choose "Configurations apply to all connections", then any rule which allows HTTP connections will perform the inspection.
Resource configuration:
Manage > Resources
In the resources menu press the "NEW" tab and choose URI
Type "Header-Scanning" in the "Name" window
Choose the "Match" tab
Mark "http" under "Schemes"
Remove the "*" sign from the "Other" window
Press "OK"
Open the "HTTP protocol Inspection" tree
Mark "Peer to Peer" if it is not marked already
Mark KaZaa related inspections
In case you have selected not to relate the HTTP inspection with a resource rule (as explained in section 4), the rule should look like the following:
SRC=<internal network>, DST=any, Service=HTTP, Accept and log.
In case you require a resourced rule, the rule should look like the following:
SRC=<Internal Network>, DST=Any, Service=HTTP with "Header Scanning" resource, Accept and log.
Install the security policy on all modules
Detection of the worm may be achieved by using the Network Quota:
Choose "SmartDefense" tab from within SmartDashboard
Open "Network Security" tree
Open "IP and ICMP"
Mark Network Quota
Configure how many connections per second you may accept from the same source.
Choose whether to block a host exceeding the number of connections allowed or just log the events.
Install policy on all modules.
InterSpect users should select KaZaa under the Peer-to-Peer tab in order to block it.
It is recommended to add an anti-virus server acting as a CVP server as another method of containing this attack.
Mimail.R/MyDoom variant supplement:
A new variant of MyDoom has been discovered. This variant scans random networks looking for a backdoor installed by an old version of the worm. Users deploying InterSpect can easily block the worm’s propagation through internal segments by applying the following:
Block TCP port 3127, which the worm uses as a backdoor. InterSpect users should configure the following:
Choose the "Segmentation" tab in the SmartDashboard
Select the relevant zone
Select the "Exception" tab in the "Connection to zone" and/or "connection to zone" window
Press "Add"
Fill in: Port – 3127, Protocol – TCP, Action – Block, Track – Log
Select the "Action" pull down menu -> Activate all settings
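The Network Quota steps above (connections per second from one source) and the backdoor-port blocking just described both reduce to checks over a connection log. The following is an added example, not a Check Point feature, that runs both checks over a constructed log in an invented "<epoch-second> <src> <dst> <proto> <dport>" format; the quota value of 20 is an assumed threshold.

```python
from collections import defaultdict

# TCP range the advisory says the worm listens on; 3127 is what the variant scans for.
BACKDOOR_PORTS = range(3127, 3199)
QUOTA_CONN_PER_SEC = 20  # assumed quota; tune to the site's normal per-host rate


def build_sample_log():
    """Constructed connection log: '<epoch-second> <src> <dst> <proto> <dport>' per line."""
    lines = ["1075369200 10.0.0.5 192.0.2.10 tcp 25",
             "1075369200 10.0.0.5 192.0.2.20 tcp 80"]
    # One host opens 30 outbound SMTP connections inside a single second,
    # the pattern of a worm driving its own SMTP engine.
    lines += [f"1075369201 10.0.0.7 198.51.100.{i} tcp 25" for i in range(1, 31)]
    # Another host probes internal neighbours on the worm's backdoor port.
    lines += [f"1075369202 10.0.0.9 10.0.0.{i} tcp 3127" for i in (11, 12)]
    return "\n".join(lines) + "\n"


def parse_line(line):
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto.lower(), int(dport)


def analyse(log_text, quota=QUOTA_CONN_PER_SEC):
    """Return (hosts exceeding the quota, connections aimed at the backdoor range)."""
    per_second = defaultdict(int)  # (src, second) -> connection count
    backdoor = []                  # (src, dst, dport) for TCP 3127-3198
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_line(line)
        per_second[(src, ts)] += 1
        if proto == "tcp" and dport in BACKDOOR_PORTS:
            backdoor.append((src, dst, dport))
    quota_hits = sorted({src for (src, _), n in per_second.items() if n > quota})
    return quota_hits, backdoor


if __name__ == "__main__":
    hosts, hits = analyse(build_sample_log())
    print("over quota:", hosts)
    print("backdoor-port connections:", hits)
```

A host in the quota list is a candidate mass-mailer; any source in the backdoor list is either already infected by the variant or hosting a scanner, and either way warrants isolation and an anti-virus check.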
Adding a Peer-to-Peer pattern manually, blocking access to www.sco.com (in all NG with Application Intelligence versions and InterSpect):
Select the SmartDefense tab from SmartDashboard
Select Application Intelligence -> Web -> HTTP protocol inspection
Mark "Peer to Peer" if it is not marked
Choose "Add" in the "Header Detection" menu
Fill in Application Name: MyDoom, Header Name: Host; select the "Specific" option and fill in www.sco.com
Install Policy on all modules
NOTE: Adding this Peer-to-Peer header will deny connectivity to www.sco.com.