ACLS to block viruses without hurting apps

cyberpete
Level 1

Microsoft is actively analyzing and providing guidance on a malicious worm identified as "Worm:Win32/Zotob.A", which is currently circulating on the Internet. The worm is a malicious attack which exploits the Windows Plug and Play vulnerability addressed in Microsoft Security Bulletin MS05-039 on August 9, 2005. Does anyone know of any Cisco Security Advisories showing how to protect against this using Cisco access lists? I believe the main ports used are 33333 and 8888.

But if I do something like

deny tcp any any eq 33333
deny tcp any any eq 8888

(in and outbound)

will this not affect other legit apps, FTP etc.?

Peter

3 Replies

spremkumar
Level 9

Hi

AFAIK, I don't think Cisco has released a workaround to control or mitigate this particular worm.

Here is the security advisory repository, which you can watch for updates from Cisco.

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

I feel that if you know something about the exact packet size being used by this worm you can block based on that, but I'm not sure whether that would solve your purpose.

regds

spremkumar
Level 9

Hi

Got the mitigation procedures for the worms as released by Cisco; do find the same.

Network Ingress Inbound Filtering

! ZOTOB.(A-F)/BOZORI.(A,B)/WORM_RBOT.CBQ
! Block Initial Scanning
! Note: Care must be taken when blocking TCP/445 to ensure that legitimate connections
! are not impacted
access-list 101 deny tcp any any eq 445
!
! ZOTOB.(A-C)
! Block Remote Shell Creation
access-list 101 deny tcp any any eq 8888
!
! ZOTOB.D
! Block Remote Shell Creation
access-list 101 deny tcp any any eq 7778
!
! ZOTOB.E/BOZORI.A
! Block Remote Shell Creation
access-list 101 deny tcp any any eq 8594
!
! ZOTOB.F/BOZORI.B
! Block Remote Shell Creation
access-list 101 deny tcp any any eq 8563
!
! WORM_RBOT.CBQ
! Block Remote Shell Creation
access-list 101 deny tcp any any eq 7778
!
! Permit other traffic here
! Or include other Transit ACL entries
access-list 101 permit ip any any

Network Ingress Outbound Filtering

! <network> <wildcard>: internal source range to permit (placeholder; the angle-bracket
! placeholders were lost in the forum rendering and are restored here)
! <tftp-server>: address of a legitimate TFTP server (assumed placeholder)
!
! ZOTOB.(A-C)
!
! Block Outbound FTP Requests to Attacking FTP Server (where HAHA.exe file exists)
! while permitting legitimate connections
access-list 110 permit tcp <network> <wildcard> any eq 33333 established
access-list 110 deny tcp any any eq 33333
!
! Block Outbound IRC Attempts
access-list 110 deny tcp any any eq 8080
!
! ZOTOB.D
! Block Outbound IRC Attempts
! Note: This may block legitimate IRC connections
!
access-list 110 deny tcp any any eq 6667
!
! Block Outbound FTP Requests to Attacking FTP Server (where HAHA.exe file exists)
! while permitting legitimate connections
access-list 110 permit tcp <network> <wildcard> any eq 11173 established
access-list 110 deny tcp any any eq 11173
!
! WORM_RBOT.CBQ/ZOTOB.(E,F)/BOZORI.(A,B)
! Block Outbound TFTP Attempts
access-list 110 permit udp <network> <wildcard> host <tftp-server> eq 69
access-list 110 deny udp any any eq 69
!
! Block Outbound Propagation for ZOTOB.(A-F)/BOZORI.(A,B)/WORM_RBOT.CBQ
!
! Note: Care must be taken when blocking TCP/445 to ensure that legitimate connections
! are not impacted
access-list 110 deny tcp any any eq 445
access-list 110 deny tcp any any eq 7778
access-list 110 deny tcp any any eq 8888
access-list 110 deny tcp any any eq 8594
!
access-list 110 deny tcp any any eq 8563
!
access-list 110 deny tcp any any eq 7778
!
! Permit other traffic here
! Or include other Transit ACL entries
!
access-list 110 permit ip any any
!
! Apply the access-lists to the interface (<interface> is a placeholder)
interface <interface>
ip access-group 101 in
ip access-group 110 out

If you need more info on this, do revert back.

regds
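The original poster's worry, whether an outbound `deny tcp any any eq 33333` hurts FTP and other legitimate applications, can be checked offline against the posted entries. The following is an added example, not part of this thread or of Cisco's bulletin: it parses a constructed subset of the ACL 110 lines, applies IOS first-match and implicit-deny semantics to a few constructed outbound flows, and does not compare addresses (every posted entry is `any any`; the `<network> <wildcard>` placeholder is treated as `any`).

```python
from typing import Dict, List, NamedTuple, Optional

class Flow(NamedTuple):
    proto: str  # "tcp" or "udp"
    dport: int  # destination port of the outbound packet
    ack: bool   # ACK/RST bit set, i.e. the packet belongs to an existing TCP session

class Ace(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip"
    dport: Optional[int]  # None means any destination port
    established: bool     # IOS 'established': match only segments with ACK/RST set

# Constructed subset of the outbound ACL 110 entries from the reply above.
ACL_110 = """
access-list 110 permit tcp <network> <wildcard> any eq 33333 established
access-list 110 deny tcp any any eq 33333
access-list 110 deny tcp any any eq 8080
access-list 110 deny udp any any eq 69
access-list 110 permit ip any any
"""

def parse_ace(line: str) -> Optional[Ace]:
    t = line.split()
    if len(t) < 6 or t[0].lower() != "access-list":
        return None  # blank line, '!' comment, or not an access-list entry
    action, proto, i = t[2].lower(), t[3].lower(), 4
    for _ in range(2):  # skip the source, then the destination address spec
        i += 1 if t[i] == "any" else 2  # "any" | "host A" | "A WILDCARD"
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return Ace(action, proto, dport, "established" in t)

def evaluate(acl: List[Ace], f: Flow) -> str:
    for a in acl:  # first matching entry decides; addresses are not compared
        if a.proto not in ("ip", f.proto) or a.dport not in (None, f.dport):
            continue
        if a.established and not (f.proto == "tcp" and f.ack):
            continue
        return a.action
    return "deny"  # implicit deny at the end of every IOS ACL

# Constructed flows: the legitimate traffic the original poster worried about.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "ftp control, new connection to port 21": Flow("tcp", 21, False),
    "passive ftp data, server chose port 33333": Flow("tcp", 33333, False),
    "ack inside an existing session to port 33333": Flow("tcp", 33333, True),
    "http through a proxy on port 8080": Flow("tcp", 8080, False),
    "tftp config fetch to port 69": Flow("udp", 69, False),
}

def decisions(acl_text: str = ACL_110) -> Dict[str, str]:
    acl = [a for a in map(parse_ace, acl_text.splitlines()) if a is not None]
    return {name: evaluate(acl, f) for name, f in SAMPLE_FLOWS.items()}
```

The passive-FTP case is the real risk: an FTP server that happens to pick 33333 as its data port is denied outbound, and the 8080 entry also catches a legitimate HTTP proxy, so check the ports your own applications use before applying the list.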

Very kind - thanks