Example Intrusions; Sql Slammer Worm; Blaster W32.Worm; Nimda - ZyXEL Communications Internet Security Appliance ZyWALL5UTM 4.0 User Manual

12.1.5 Example Intrusions

The following are some examples of intrusions.

12.1.5.1 SQL Slammer Worm

W32.SQLExp.Worm is a worm that targets systems running Microsoft SQL Server 2000,
as well as Microsoft Desktop Engine (MSDE) 2000. The worm sends 376 bytes to UDP port
1434, the SQL Server Resolution Service port. Because of the large number of packets it
sends, the worm has the unintended side effect of causing a Denial of Service. Refer to the
Microsoft SQL Server 2000 and MSDE 2000 vulnerabilities described in Microsoft Security
Bulletin MS02-039 and Microsoft Security Bulletin MS02-061.

12.1.5.2 Blaster W32.Worm

This is a worm that exploits the DCOM RPC vulnerability (see Microsoft Security Bulletin
MS03-026 and Microsoft Security Bulletin MS03-039) using TCP port 135. The worm targets
only Windows 2000 and Windows XP machines. While Windows NT and Windows 2003
Server machines are vulnerable (if not properly patched), the worm is not coded to replicate on
those systems. This worm attempts to download the msblast.exe file to the
%WinDir%\system32 directory and then execute it. W32.Blaster.Worm does not mass mail to
other devices.
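The two descriptions above give the network-level traits an IDP device can key on: Slammer's fixed 376-byte UDP datagram to port 1434, and Blaster's TCP/135 connections sprayed across many hosts. The following is an added illustration (not ZyXEL's code or the appliance's actual signature set) of how a simple detector turns those traits into alerts; the flow-record format, the sample records and the fan-out threshold are constructed for the example.

```python
from collections import defaultdict

# Traits taken from the worm descriptions above.
SLAMMER_PORT, SLAMMER_PAYLOAD_LEN = 1434, 376   # UDP, SQL Server Resolution Service
BLASTER_PORT = 135                              # TCP, DCOM RPC

# Constructed flow record layout: (timestamp, src_ip, dst_ip, proto, dst_port, payload_len)

def classify(rec):
    """Return a signature name for one flow record, or None if nothing matches."""
    _, _, _, proto, dport, plen = rec
    if proto == "udp" and dport == SLAMMER_PORT and plen == SLAMMER_PAYLOAD_LEN:
        return "W32.SQLExp.Worm"
    if proto == "tcp" and dport == BLASTER_PORT:
        # Port 135 alone is only a candidate: legitimate RPC clients use it too,
        # so this match is confirmed by fan-out in detect(), not on its own.
        return "DCOM-RPC-135"
    return None

def detect(records, min_hosts=5):
    """Return {(src_ip, signature): distinct_destinations} for sources whose
    matching records reach at least min_hosts different destinations.
    Fan-out across many hosts is what separates worm propagation from a
    single legitimate SQL lookup or RPC session."""
    fanout = defaultdict(set)
    for rec in records:
        sig = classify(rec)
        if sig:
            fanout[(rec[1], sig)].add(rec[2])
    return {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= min_hosts}

# Constructed sample traffic (no real hosts).
SAMPLE = (
    # 10.0.0.5 sprays 376-byte UDP/1434 datagrams across an address range (Slammer-like)
    [(t, "10.0.0.5", f"192.0.2.{t}", "udp", 1434, 376) for t in range(1, 7)]
    # 10.0.0.7 opens TCP/135 to one host after another (Blaster-like scan)
    + [(t, "10.0.0.7", f"192.0.2.{t}", "tcp", 135, 72) for t in range(10, 15)]
    # benign: one RPC session to a domain controller and one short UDP/1434 query
    + [(20, "10.0.0.9", "10.0.0.1", "tcp", 135, 72),
       (21, "10.0.0.9", "10.0.0.2", "udp", 1434, 1)]
)

if __name__ == "__main__":
    for (src, sig), hosts in detect(SAMPLE).items():
        print(f"ALERT {sig}: {src} reached {hosts} hosts")
```

Only the two spraying sources are reported; the single RPC session and the short SQL query from 10.0.0.9 never cross the fan-out threshold.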

12.1.5.3 Nimda

Its name (backwards for "admin") refers to an "admin.DLL" file that, when run, continues to
propagate the virus. Nimda probes each IP address within a randomly selected range of IP
addresses, attempting to exploit weaknesses that, unless already patched, are known to exist in
computers with Microsoft's Internet Information Server. A system with an exposed IIS Web
server will read a Web page containing an embedded JavaScript that automatically executes,
causing the same JavaScript code to propagate to all Web pages on that server. As Microsoft
Internet Explorer browsers version 5.01 or earlier visit sites at the infected Web server, they
unwittingly download pages with the JavaScript code that automatically executes, causing the
virus to be sent to other computers on the Internet in a somewhat random fashion. Nimda also
can infect users within the Web server's own internal network that have been given a network
share (a portion of file space). Finally, one of the things that Nimda has an infected system do
is to send an e-mail with a "readme.exe" attachment to the addresses in the local Windows
address book. A user who opens or previews this attachment (which is a Web page with the
JavaScript) propagates the virus further.

Server administrators should get and apply the cumulative IIS patch that Microsoft has
provided for previous viruses and ensure that no one at the server opens e-mail. You should
update your Internet Explorer version to IE 5.5 SP2 or later. Scan and cleanse your system
with anti-virus software.
Chapter 12 Intrusion Detection and Prevention (IDP)
ZyWALL 5/35/70 Series User's Guide
238
