Blocking the Bagle Virus with ISA Server 2004 Firewalls

By Thomas W Shinder MD, MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000107

The table below lists the ports used by Bagle. Outbound access to these ports should be blocked. This data is current as of 12:28:09, Monday, March 8th 2004.

Port Number   Transport Protocol   Used by Bagle
8866          TCP                  Yes

By default, the ISA 2004 firewall blocks external attacks on the affected port, because all incoming connections to the ISA firewall are blocked unless explicitly allowed by a publishing rule. Do not create Server Publishing Rules that allow inbound access to the Bagle port from the Internet to the corporate network.

The default installation of the ISA 2004 firewall also blocks outbound access to the Bagle port; you would have to create an Access Rule to allow outbound access to it. However, if your ISA firewall is configured with an "All Open" Access Rule for outbound traffic, you will need to create an explicit Deny rule, placed above the allow rule, to block outbound access to the Bagle port.

To help prevent outbound attacks through ISA Server:

  • Create an Access Rule that denies outbound traffic on the Bagle port.
  • Disable the Firewall client for the malicious W32.Bagle.B process (the Firewall client configuration steps appear later in this article). For this method to be effective, the Firewall client must be installed on all client operating systems. We highly recommend that you install the Firewall client on all Windows client operating systems, but do not install it on network servers. If all outbound Access Rules require authentication, a process that cannot use the Firewall client falls back to SecureNAT, cannot authenticate, and is therefore denied by the ISA firewall.

The ISA firewall machine itself is vulnerable to infection by the Bagle worm if:

  1. You use an e-mail client on the ISA Server itself. For this reason, we strongly recommend that you never use client applications on the ISA firewall itself, including the Web browser, to connect to Internet resources. Do not treat the ISA firewall as a workstation.
  2. You execute an e-mail attachment delivered by Bagle.

    Note:

    Isatools.org (www.isatools.org) hosts a Block Bagle script (http://www.isatools.org/block_bagle.b.vbs) that can automate some of the following steps.

To block outbound traffic on known Bagle ports:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
  2. Click on the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter Block Bagle in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Deny option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  6. In the Add Protocols dialog box, click the New menu, then click the Protocol command.
  7. On the Welcome to the New Protocol Definition Wizard page, enter Bagle Outbound in the Protocol Definition name text box and click Next.
  8. On the Primary Connection Information page, click the New button.
  9. In the New/Edit Protocol Definition dialog box, select TCP as the Protocol type and Outbound as the Direction. Enter 8866 in both the From port and the To port boxes. Click OK.
  10. Click Next on the Primary Connection Information page.
  11. Select the No option on the Secondary Connections page. Click Next.
  12. Click Finish on the Completing the New Protocol Definition Wizard page.
  13. In the Add Protocols dialog box, click the User-defined folder and then double click the Bagle Outbound entry. Click Close.
  14. Click Next on the Protocols page.
  15. On the Access Rule Sources page, click the Add button.
  16. In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Protected Networks entry. Click Close.
  17. Click Next on the Access Rule Sources page.
  18. On the Access Rule Destinations page, click the Add button.
  19. In the Add Network Entities dialog box, click the Networks folder and then double click the External entry. Click Close, then click Next.
  20. On the User Sets page, accept the default entry, All Users, and click Next.
  21. Click Finish on the Completing the New Access Rule Wizard page.
  22. Move the Block Bagle rule to the top of the list of rules so that it is evaluated before any rule that allows outbound access.
  23. Click Apply to save the changes and update the firewall policy.
  24. Click OK in the Apply New Configuration dialog box.

The malicious Bagle.B process runs with the executable name au (au.exe). You can configure the Firewall client settings so that the Firewall client ignores connections made by this process. The au process must then depend on the host machine's SecureNAT client configuration, and because a SecureNAT client cannot authenticate, its connection attempts through Access Rules that require authentication will fail.

To configure the Firewall Client to block malicious Bagle processes:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node.
  2. Click the General node.
  3. On the General node, click the Define Firewall Client Settings link in the Details pane.
  4. In the Firewall Client Settings dialog box, click the Application Settings tab.
  5. On the Application Settings tab, click the New button.
  6. In the Application Entry Setting dialog box, enter au in the Application text box. Select disable from the Key drop down list. Select 1 from the Value drop down list. Click OK.
  7. Click OK in the Firewall Client Settings dialog box.
  8. Click Apply to save the changes and update the firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Configuring the Firewall client for au.exe only prevents the malicious process on an infected host from using the Firewall client software to hand its connection to the ISA firewall. If the host is also configured as a SecureNAT client, this setting does not restrict the connections the host makes as a SecureNAT client. To prevent SecureNAT client access across the ISA firewall, make sure that there are no anonymous Access Rules allowing outbound access. The one exception is a rule that allows outbound access only from a specific server's IP address: although technically this is an anonymous Access Rule, it is limited to that server and cannot be used by infected workstations. Servers should not be used as workstations and should not run an e-mail client application; this prevents the servers themselves from being infected by Bagle.

You can test the functionality of the Block Bagle rule by using Telnet on a client located on an ISA 2004 firewall protected network.

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node in the left pane of the console.
  2. On the Monitoring node, click the Logging tab in the Details pane.
  3. On the Tasks tab of the Task Pane, click the Start Query link.
  4. On a client system located on a protected network, click Start and then click Run. In the Open text box, enter cmd and click OK.
  5. At the command prompt enter telnet 131.107.1.1 8866 and press ENTER. (The port must be the one the Bagle Outbound protocol definition covers, TCP 8866; a connection attempt to any other port will not exercise the rule.)
  6. Return to the Microsoft Internet Security and Acceleration Server 2004 management console and view the real time log monitor. You will see entries indicating that the Block Bagle Access Rule denied the connection.
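The Telnet test above checks one port from one client by hand. The script below is an added example, not part of the original article or of the isatools.org script, that automates the same check and generalizes it to a list of ports: it attempts a TCP connection to each port and classifies the result, so the deny rule can be verified from several protected-network clients without watching the log for each one. The target address 131.107.1.1 is the placeholder the article uses; the loopback helpers at the bottom exist only so the classifier can be exercised on a machine that is not behind an ISA firewall.

```python
"""Automated version of the article's Telnet check (added example).

From a client on an ISA-protected network, try to open a TCP connection to
each Bagle port and report whether a connection was established. Only an
established connection ("open") means the deny rule failed to apply.
"""
import socket
import sys

# Port from the article's table (Bagle.B, TCP 8866). Extend this tuple if
# your own Deny rule covers additional ports.
BAGLE_PORTS = (8866,)

# Placeholder target taken from the article's Telnet test; any External
# address will do, since the rule is evaluated before the packet leaves.
DEFAULT_TARGET = "131.107.1.1"


def probe(host, port, timeout=5.0):
    """Attempt one TCP connection to host:port.

    Returns 'open' (connection established), 'refused' (RST received),
    'timeout' (no answer within the timeout) or 'error' (any other failure).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:          # catch before OSError: it is a subclass
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    finally:
        sock.close()


def check_block(host, ports=BAGLE_PORTS, timeout=5.0):
    """Probe every port once and return {port: result}."""
    return {port: probe(host, port, timeout) for port in ports}


def leaks(results):
    """Ports on which a connection was established, i.e. the rule did not fire."""
    return sorted(port for port, result in results.items() if result == "open")


# Loopback helpers: let the classifier be exercised without an ISA firewall.
def listening_local_socket():
    """Return (socket, port) for a listener on an ephemeral loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    """Return a loopback port that was just released and now refuses connections."""
    srv, port = listening_local_socket()
    srv.close()
    return port


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_TARGET
    results = check_block(target)
    for port, result in sorted(results.items()):
        print(f"{target}:{port} -> {result}")
    open_ports = leaks(results)
    if open_ports:
        print("FAIL: outbound connection established on port(s)", open_ports)
        sys.exit(1)
    print("OK: no connection established on the Bagle port(s)")
```

Run it from a client on a protected network, for example `python probe_bagle.py 131.107.1.1`, and read the verdict alongside the real-time log from the Monitoring steps above. A 'refused' or 'timeout' result means no connection was established, but it does not by itself prove the Block Bagle rule fired, because a host that is simply not listening on 8866 also refuses; the log entry naming the rule is the confirmation. An 'open' result on any of these ports is a policy failure and usually means an allow rule sits above the deny rule.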

For More Information:

What You Should Know About the Bagle Worm

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000107 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
