Blocking the SoBig Virus with ISA 2004 Firewalls (v1.1)


By Thomas W Shinder MD, MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000110

The table below lists the ports used by SoBig. Outbound access to these ports should be blocked. This data is current as of 12:00 P.M. on August 22, 2003.

Port Numbers   Transport Protocol   Used by SoBig
123            UDP                  Yes
995-999        UDP                  Yes
8998           UDP                  Yes

By default, the ISA 2004 firewall blocks inbound attacks on the affected ports: every incoming connection to the ISA firewall is dropped unless a Publishing Rule explicitly allows it. Do not create Server Publishing Rules that allow inbound access to the SoBig ports from the Internet.

The default installation of the ISA 2004 firewall also blocks outbound access to the SoBig ports, because no Access Rule allows them; they only become reachable if you create an Access Rule that allows them. However, if your ISA firewall is configured with an "All Open" Access Rule for outbound traffic, you must create an explicit Deny rule for the SoBig ports and place it above the "All Open" rule. Access Rules are evaluated in order and the first matching rule wins, so a Deny rule that sits below an "All Open" rule never fires.

To help prevent outbound attacks through the ISA firewall:

  • Create an Access Rule that denies traffic on the SoBig ports, and place it above any rule that would otherwise allow that traffic.
  • Disable the Firewall Client for the malicious SoBig process. This method only works on machines that have the Firewall client installed, so install the Firewall client on all Windows client operating systems; do not install it on network servers. A process whose Firewall Client entry is disabled falls back to the SecureNAT client, which cannot authenticate, so if every Access Rule requires authentication the worm cannot connect through the ISA firewall. Network servers that do not run the Firewall client and cannot authenticate should be represented by Computer network objects; use those objects in Access Rules to control exactly which outbound protocols the non-authenticating servers may use.

Note:

UDP port 123 is used by the Windows Time Service (NTP). If you depend on access to external time servers, do not block this port outright: leave UDP 123 out of the Deny rule (or deny it only to destinations other than your approved time servers) and rely on the Firewall client method to stop the SoBig process from using it.

The ISA firewall machine itself is vulnerable to attack by the SoBig worm if:

1. You use an e-mail client on the ISA Server itself. For this reason, we strongly recommend that you never use client applications on the ISA firewall itself, including the Web browser, to connect to Internet resources. Do not treat the ISA firewall as a workstation or general purpose network server.

2. You execute an e-mail attachment delivered by SoBig.

To block outbound traffic on known SoBig ports:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Click on the Firewall Policy node.
  2. Click on the Tasks tab in the Task Pane. Click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter Block SoBig in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Deny option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
  6. In the Add Protocols dialog box, click the New menu, then click the Protocol command.
  7. On the Welcome to the New Protocol Definition Wizard page, enter SoBig Outbound in the Protocol Definition name text box and click Next.
  8. On the Primary Connection Information page, click the New button.
  9. In the New/Edit Protocol Definition dialog box, select the Protocol type as UDP. The Direction is Outbound. The From port is 123 and the To port is 123. Click OK.
  10. On the Primary Connection Information page, click the New button.
  11. In the New/Edit Protocol Definition dialog box, select the Protocol type as UDP. The Direction is Outbound. The From port is 995 and the To port is 999. Click OK.
  12. On the Primary Connection Information page, click the New button.
  13. In the New/Edit Protocol Definition dialog box, select the Protocol type as UDP. The Direction is Outbound. The From port is 8998 and the To port is 8998. Click OK.
  14. Click Next on the Primary Connection Information page.
  15. Select the No option on the Secondary Connections page. Click Next.
  16. Click Finish on the Completing the New Protocol Definition Wizard page.
  17. In the Add Protocols dialog box, click the User-defined folder and then double click the SoBig Outbound entry. Click Close.

  18. Click Next on the Protocols page.
  19. On the Access Rule Sources page, click the Add button.
  20. In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Networks (and Local Host) entry. Click Close.

    Note:

    We are using the All Networks (and Local Host) network set so that SoBig connections are blocked between every pair of networks, not just from the Internal network to the Internet. For example, a rule with the Source set to All Protected Networks and the Destination set to External would prevent Internal network hosts from infecting hosts on the Internet, but would not protect hosts on your DMZ and perimeter network segments from each other or from the Internal network.

  21. Click Next on the Access Rule Sources page.
  22. On the Access Rule Destinations page, click the Add button.
  23. In the Add Network Entities dialog box, click the Network Sets folder and then double click the All Networks (and Local Host) entry. Click Close.
  24. Click Next on the Access Rule Destinations page.
  25. On the User Sets page, accept the default entry, All Users, and click Next.
  26. Click Finish on the Completing the New Access Rule Wizard page.
  27. Move the Block SoBig rule to the top of the list of rules, above any rule that allows outbound traffic.
  28. Click Apply to save the changes and update the firewall policy.
  29. Click OK in the Apply New Configuration dialog box.

The malicious SoBig process runs under the executable name winppr32.exe. You can add a Firewall client application setting that tells the Firewall client to ignore connections made by this process. The winppr32 process then has to fall back on the host machine's SecureNAT client configuration. Because the SecureNAT client cannot authenticate, its connection attempts fail against any Access Rule that requires authentication.

To configure the Firewall Client to block the malicious SoBig process:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node.
  2. Click the General node.
  3. On the General node, click the Define Firewall Client Settings link in the Details pane.
  4. In the Firewall Client Settings dialog box, click the Application Settings tab.
  5. On the Application Settings tab, click the New button.
  6. In the Application Entry Setting dialog box, enter winppr32 in the Application text box (the application name is entered without the .exe extension). Select disable from the Key drop down list. Select 1 from the Value drop down list. Click OK.
  7. Click Apply and then OK in the Firewall Client Settings dialog box.
  8. Click Apply to save the changes and update the firewall policy.
  9. Click OK in the Apply New Configuration dialog box.

Disabling the Firewall Client for the malicious process only prevents that process on an infected host from using the Firewall client to make connections through the ISA firewall. If the host is also configured as a SecureNAT client, the process simply connects as a SecureNAT client instead, and this setting has no effect unless the remaining Access Rules require authentication. To prevent SecureNAT client access across the ISA firewall, make sure there are no anonymous Access Rules (rules that apply to All Users) allowing outbound access to these ports.
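The rule ordering, network-set and Firewall Client/SecureNAT behaviour described above can be seen in one place with a small model of how ISA 2004 evaluates outbound Access Rules (first matching rule wins, implicit Default deny at the end). This is an added illustration written for this page, not ISA Server code; the rule and network names, the winppr32 process name from the article, and the eight constructed connection attempts are the assumptions it runs on.

```python
"""Added illustration (not ISA Server code): a model of outbound Access Rule
evaluation in ISA 2004, first match wins with an implicit Default deny, used to
show why Block SoBig must sit above an "All Open" rule, why it is scoped to All
Networks (and Local Host), and why disabling the Firewall Client for the worm
process only helps when every remaining allow rule requires authentication."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP, TCP, ANY = "udp", "tcp", "*"
Proto = Tuple[str, int, int]            # (transport, from_port, to_port)

# The article's SoBig table: UDP 123, 995-999 and 8998
SOBIG_PORTS: List[Proto] = [(UDP, 123, 123), (UDP, 995, 999), (UDP, 8998, 8998)]


@dataclass
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    protocols: List[Proto]               # empty list = all outbound traffic
    sources: set                         # network names; ANY = All Networks (and Local Host)
    destinations: set
    authenticated_only: bool = False     # rule applies to authenticated users only


@dataclass
class Connection:
    transport: str
    dst_port: int
    src_net: str
    dst_net: str
    firewall_client: bool                # False = SecureNAT client (cannot authenticate)
    process: str = ""                    # image name the Firewall Client reports


def _matches(rule: Rule, c: Connection, authenticated: bool) -> bool:
    if rule.protocols and not any(
        t == c.transport and lo <= c.dst_port <= hi for t, lo, hi in rule.protocols
    ):
        return False
    if ANY not in rule.sources and c.src_net not in rule.sources:
        return False
    if ANY not in rule.destinations and c.dst_net not in rule.destinations:
        return False
    return authenticated or not rule.authenticated_only


def evaluate(rules: List[Rule], c: Connection, disabled_apps=()) -> Tuple[str, str]:
    """Return (action, name of the rule that decided). disabled_apps are the
    Firewall Client application entries with disable=1: those processes fall
    back to SecureNAT, and only Firewall Client traffic carries credentials."""
    uses_client = c.firewall_client and c.process.lower() not in {a.lower() for a in disabled_apps}
    authenticated = uses_client
    for rule in rules:
        if _matches(rule, c, authenticated):
            return rule.action, rule.name
    return "deny", "Default rule"


# Constructed rule set (hypothetical names, modelled on the article)
BLOCK_SOBIG = Rule("Block SoBig", "deny", SOBIG_PORTS, {ANY}, {ANY})
BLOCK_SOBIG_NARROW = Rule("Block SoBig (Internal to External only)", "deny", SOBIG_PORTS, {"Internal"}, {"External"})
ALL_OPEN = Rule("All Open", "allow", [], {"Internal"}, {"External"})
ALL_OPEN_AUTH = Rule("All Open (authenticated users)", "allow", [], {"Internal"}, {"External"}, True)
DMZ_TO_INTERNAL = Rule("DMZ to Internal", "allow", [], {"DMZ"}, {"Internal"})


def worm(port: int, src="Internal", dst="External", client=False) -> Connection:
    """A UDP connection attempt by the SoBig process (winppr32)."""
    return Connection(UDP, port, src, dst, client, "winppr32")


def scenarios() -> Dict[str, Tuple[str, str]]:
    """Constructed cases; each value is (action, rule that decided it)."""
    telnet = Connection(TCP, 999, "Internal", "External", True, "telnet")
    return {
        "all open, no block rule":       evaluate([ALL_OPEN], worm(8998)),
        "block rule above All Open":     evaluate([BLOCK_SOBIG, ALL_OPEN], worm(8998)),
        "block rule below All Open":     evaluate([ALL_OPEN, BLOCK_SOBIG], worm(8998)),
        "telnet to TCP 999 (not UDP)":   evaluate([BLOCK_SOBIG, ALL_OPEN], telnet),
        "DMZ host, narrow block rule":   evaluate([BLOCK_SOBIG_NARROW, DMZ_TO_INTERNAL], worm(997, "DMZ", "Internal")),
        "DMZ host, All Networks rule":   evaluate([BLOCK_SOBIG, DMZ_TO_INTERNAL], worm(997, "DMZ", "Internal")),
        "disabled app, auth-only rules": evaluate([ALL_OPEN_AUTH], worm(123, client=True), ("winppr32",)),
        "disabled app, anonymous rule":  evaluate([ALL_OPEN], worm(123, client=True), ("winppr32",)),
    }


if __name__ == "__main__":
    for name, (action, rule) in scenarios().items():
        print(f"{name:31} -> {action:5} by {rule}")
```

Two of the cases are worth dwelling on. The telnet case shows that a TCP connection to port 999 is never matched by a UDP-only protocol definition, which is why a telnet test does not exercise the Block SoBig rule. The last two cases show that the Firewall Client disable entry denies the worm only when the rules that remain all require authentication; with an anonymous "All Open" rule still in place, the SecureNAT fallback is allowed through.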

You can test the Block SoBig rule from a client located on an ISA 2004 firewall protected network. Note that Telnet opens a TCP connection, and the SoBig Outbound protocol definition covers UDP only, so a Telnet test is logged as denied by the Default rule (or allowed by an "All Open" rule), never by Block SoBig. Use a tool that sends a UDP datagram instead.

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Monitoring node in the left pane of the console.
  2. On the Monitoring node, click the Logging tab in the Details pane.
  3. On the Tasks tab of the Task Pane, click the Start Query link.
  4. On a client system located on a protected network, click Start and then click Run. In the Open text box, enter cmd and click OK.
  5. At the command prompt, send a UDP datagram to port 999 of an external test address such as 131.107.1.1 with any tool that can send UDP (Telnet will not do, because it uses TCP).
  6. Return to the Microsoft Internet Security and Acceleration Server 2004 management console and view the real time log monitor. You will see entries indicating that the Block SoBig Access Rule denied the connection.
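Since Telnet cannot generate the UDP traffic the rule matches, here is an added UDP probe written for this page (not part of the original article). It sends one datagram to a port and reports whether anything answered; a denied connection shows up as "no reply" on the client and as a denied entry in the ISA firewall log. The 131.107.1.1 test address is the article's; the payload text and the local echo listener used for the offline check are assumptions.

```python
"""Added example (not from the original article): send a single UDP datagram
to a port and report whether a reply came back.  Use it from a protected
client against an external test address to exercise a UDP-only Deny rule such
as Block SoBig; Telnet only speaks TCP and never matches that rule."""
import socket
import threading


def probe_udp(host: str, port: int, timeout: float = 2.0,
              payload: bytes = b"sobig-rule-test") -> bool:
    """Return True if any datagram came back, False if the probe timed out
    or the stack reported the port unreachable.  A deny rule on the ISA
    firewall drops the datagram, so the result is False."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))     # connected UDP socket surfaces ICMP unreachable as an error
            s.send(payload)
            return bool(s.recv(1024))
        except OSError:                 # timeout, ECONNREFUSED, WSAECONNRESET and friends
            return False


def probe_sobig_ports(host: str, ports=(123, 995, 996, 997, 998, 999, 8998)):
    """Probe every port from the article's SoBig table; True means answered."""
    return {p: probe_udp(host, p) for p in ports}


def _echo_once(sock: socket.socket) -> None:
    """Tiny UDP echo listener for the offline check (stands in for a reachable host)."""
    try:
        data, peer = sock.recvfrom(1024)
        sock.sendto(data, peer)
    except OSError:
        pass


def local_demo():
    """Offline check: a local UDP listener answers, a port nobody listens on does not."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))
    listener.settimeout(5)
    open_port = listener.getsockname()[1]
    worker = threading.Thread(target=_echo_once, args=(listener,), daemon=True)
    worker.start()
    answered = probe_udp("127.0.0.1", open_port)
    worker.join(5)
    listener.close()

    spare = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)  # find a port nothing is bound to
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    silent = probe_udp("127.0.0.1", closed_port, timeout=1.0)
    return answered, silent


if __name__ == "__main__":
    print("local check (answered, silent):", local_demo())
    # On a protected client, run this against the article's external test address:
    # print(probe_sobig_ports("131.107.1.1"))
```

A "no reply" result on its own does not prove the Deny rule fired, since the remote host may simply not answer UDP; the real confirmation is the denied entry for the Block SoBig rule in the ISA firewall log, which the probe exists to generate.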

For More Information

What You Should Know About the Sobig Worm

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000110 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
