Control Nimda Virus
Instructions to control the Nimda virus from the PacketWise browser interface.
You can also control the Nimda virus from the command line.
Steps:
- Create a class under Inbound/HTTP called Nimda to collect all instances
  of the virus. Use these URL criteria:
  Name: Nimda
  Protocol family: IP
  Service Type: HTTP
  Service Location: Any
  Class Criterion: URL: */root.exe* (note: this means match any
  URL with /root.exe in it)
- Add a matching rule to the Nimda class using these known URL criteria
  (this catches another version of the attack):
  Protocol Family: IP
  Service Type: HTTP
  Server location: Any
  Class Criterion: URL: *system32/cmd.exe* (note: this means match
  any URL with system32/cmd.exe in it)
- Add a matching rule to the Nimda class using these known URL criteria
  (this catches a third version of the attack):
  Protocol Family: IP
  Service Type: HTTP
  Server location: Any
  Class Criterion: URL: *readme.eml* (note: this means match any URL
  with readme.eml in it)
- Simulate a Nimda attack. From any web browser, enter www.yahoo.com/system32/cmd.exe.
  You will get a message telling you that the document was not found.
  Refresh the page. This will show up as a hit on your Nimda class (check
  the Monitor tab).
- When you are certain the Nimda class is collecting only the proper
  traffic, set a never-admit policy on the Nimda class.
- Copy the Nimda class to the Outbound branch to prevent any existing Nimda
  virus from spreading.
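To see what the three URL criteria above actually match before you attach a never-admit policy, here is an added example (not PacketWise code) that turns each criterion into a pattern and classifies a few constructed request lines the way the Monitor tab would count them. It assumes the matching is case-insensitive, which the page does not state.

```python
import re

# Wildcard URL criteria from the page's three PacketWise Nimda rules;
# "*" matches any run of characters, everything else is literal.
NIMDA_URL_CRITERIA = ["*/root.exe*", "*system32/cmd.exe*", "*readme.eml*"]

def criterion_to_regex(criterion: str) -> re.Pattern:
    """Turn a PacketWise-style wildcard URL criterion into a regex.
    Assumption: matching is case-insensitive (not confirmed for PacketWise)."""
    parts = [re.escape(p) for p in criterion.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

NIMDA_PATTERNS = [(c, criterion_to_regex(c)) for c in NIMDA_URL_CRITERIA]

def matches_nimda_class(url: str):
    """Return the first criterion the URL matches, or None if the request
    would stay in plain HTTP instead of landing in the Nimda class."""
    for criterion, pattern in NIMDA_PATTERNS:
        if pattern.match(url):
            return criterion
    return None

def classify_requests(request_lines):
    """Split constructed request lines ("GET <url> HTTP/1.x") into the
    Nimda class and ordinary HTTP, the way the Monitor tab would count them."""
    result = {"Nimda": [], "HTTP": []}
    for line in request_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # not a request line; ignore it
        url = fields[1]
        result["Nimda" if matches_nimda_class(url) else "HTTP"].append(url)
    return result

# Constructed sample traffic: the page's own test URL, two more probe shapes
# the rules are meant to catch, and ordinary requests that must not match.
SAMPLE_REQUESTS = [
    "GET /system32/cmd.exe HTTP/1.0",    # the page's simulated attack
    "GET /scripts/root.exe HTTP/1.0",
    "GET /readme.eml HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /docs/ROOT.EXE?x HTTP/1.1",     # matches only under the case-insensitive assumption
    "GET /images/rootexe.gif HTTP/1.1",  # no '/root.exe' substring
]

if __name__ == "__main__":
    for cls, urls in classify_requests(SAMPLE_REQUESTS).items():
        print(cls, urls)
```

The last two sample URLs are the ones to watch: a leading "*" makes each criterion a substring match, so anything containing the literal text lands in the class, while a near-miss such as rootexe.gif stays in ordinary HTTP.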
Note: Although PacketWise can help prevent this kind of traffic
and has some firewall characteristics, it is not a firewall. High traffic
demands on PacketWise can result in improper classification; this is not
a risk worth taking. We recommend that you have a firewall in place dedicated
to virus protection. Attacks have been known to get past firewalls even under
the best circumstances, so use PacketWise as additional protection.