Time for another Bagle


re: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci993356,00.html

"Another Bagle variant, W32Bagle-AG@mm, has been upgraded to a medium threat by AV vendors after last week's sudden outbreak of Bagle-AF, which spread for a short period of time when AV scanners failed to detect it."

"If a machine becomes infected, Symantec said, it will allow the attacker to have remote, unauthorized access to the machine. "Due to the ability of the remote user to perform so many different actions on the server system -- including installation of applications -- it is highly recommended that compromised systems be reinstalled," Symantec advised."

"Herndon, Va.-based TruSecure Corp. recommended blocking the .com, .cpl, .exe, .hta, .scr, .vbs and .zip (password-protected) executable extensions at the gateway to prevent infection by similar worm outbreaks. When available, updated antivirus signatures will detect the worm."

Note - "which spread for a short period of time when AV scanners failed to detect it".  Things happen FAST now and there is simply no reasonable expectation that this period of time will become small enough to not pose a risk.  There is going to be some time between discovery and availability of new scanner definition, let alone time to download of new definition and installation on all your machines.

  1.  Seems to speak to AV with very frequent AV updates at the system boundaries, both Internet and likely some internal segmentations as well (a few machines to be rapidly updated).  (PS:  This is in addition to AV on each host. :-)

As to blocking certain extensions, remember:

  1.  This is not a complete list of extensions that have ever caused problems; for example .MP3 or .WMA (CERT CA-2002-37).

  2.  Just remember that it is easy to change the extension, notify the recipient, and bypass the filtering.  (Exposure is reduced because the file is now expected from a known source, yet that source is subject to infection just like everyone else. :-)

Cheers,
Gary

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
*
Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20899-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
* http://csrc.nist.gov/staff/stoneburner/gshome.html
**************************************************************************
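An added illustration of the two points about extension filtering above (this is example code written for this archive page, not part of Gary's message or of any vendor product). It models a gateway that blocks the extensions TruSecure listed, shows that simply renaming the attachment (report.exe to report.txt) walks past that rule, and then adds a content check that looks at the bytes instead: the "MZ"/"PE\0\0" headers of a Windows executable and the encryption bit in a ZIP local file header. The sample "attachments" are constructed in the script; no real Bagle sample is used. Note that .hta and .vbs are plain text with no header to sniff, so even the content check leaves a gap, which is the point of the message.

```python
import struct

# Extension blocklist from the TruSecure recommendation quoted above.
# ".zip" is listed there only for password-protected archives, so it is
# handled by the content check below rather than by extension.
BLOCKED_EXTENSIONS = {".com", ".cpl", ".exe", ".hta", ".scr", ".vbs"}


def blocked_by_extension(filename: str) -> bool:
    """Naive gateway rule: decide on the filename's trailing extension only."""
    name = filename.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def is_pe_executable(data: bytes) -> bool:
    """Windows .exe/.cpl/.scr are PE images: 'MZ' stub, e_lfanew at 0x3C,
    and 'PE\\0\\0' at that offset. (DOS .com files have no header at all.)"""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def is_encrypted_zip(data: bytes) -> bool:
    """ZIP local file header: signature PK\\x03\\x04, 16-bit general-purpose
    flags at offset 6; bit 0 set means the entry is password-protected."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return False
    flags = struct.unpack_from("<H", data, 6)[0]
    return bool(flags & 0x0001)


def blocked_by_content(data: bytes) -> bool:
    """Content-based rule: independent of whatever the sender named the file."""
    return is_pe_executable(data) or is_encrypted_zip(data)


def gateway_verdict(filename: str, data: bytes) -> dict:
    return {
        "by_extension": blocked_by_extension(filename),
        "by_content": blocked_by_content(data),
    }


# --- constructed samples (stand-ins, not real malware) ---------------------

def fake_pe() -> bytes:
    """Minimal bytes that satisfy is_pe_executable(); not a runnable binary."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> right after the stub
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def fake_encrypted_zip() -> bytes:
    """One 'stored' local file header with the encryption flag (bit 0) set."""
    name = b"invoice.exe"
    hdr = struct.pack("<IHHHHHIIIHH",
                      0x04034B50,  # PK\x03\x04 signature
                      20,          # version needed to extract
                      0x0001,      # flags: encrypted
                      0, 0, 0,     # method, mod time, mod date
                      0, 0, 0,     # crc32, compressed size, uncompressed size
                      len(name), 0)
    return hdr + name


SAMPLES = [
    ("report.exe", fake_pe()),              # caught by both rules
    ("report.txt", fake_pe()),              # renamed: extension rule misses it
    ("photos.zip", fake_encrypted_zip()),   # only the content rule sees encryption
    ("notes.txt", b"Plain text, nothing to see.\r\n"),
    ("macro.vbs", b"MsgBox \"hi\"\r\n"),    # script: extension rule only, no header to sniff
]


def scan(samples=SAMPLES) -> dict:
    return {name: gateway_verdict(name, data) for name, data in samples}


if __name__ == "__main__":
    for name, verdict in scan().items():
        print(f"{name:12s} ext={verdict['by_extension']!s:5s} content={verdict['by_content']}")
```

The renamed report.txt is the bypass the message describes: the sender just tells the recipient to rename it back. The content check closes that hole for binaries, but a gateway still cannot tell a benign .vbs from a hostile one without signatures, which is why the message also asks for fast-updating AV at the boundary and on every host.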


