Network Security Focus-Microsoft

RE: sober resurfacing

Subject: RE: sober resurfacing
Date: Thu, 15 Dec 2005 11:05:49 -0800 (PST)
That should already be your firewall policy: block
everything by default except for that which you
explicitly need / permit.  That includes outbound
connections as well, and not just NTP but everything.
[This isn't mandatory, but do realize that not doing
so provides less security; doing so is advisable if
you want more security.]

If you're worried about breaking things, the usual
scenario is to set up a "permit but log" rule, and
check the log a few days later.  Whether or not you
decide to block NTP, it's probably a good idea to keep
logging NTP traffic and checking the logs periodically
for signs of compromise, as long as you have the
resources to do so.

Having said that, don't assume that if the virus can't
make an NTP connection, it won't go ahead and try
downloading anyways.  Blocking NTP may not block this
virus or future variants, depending.

The thing to note about these recent Sober articles is
that this has been going on for two years now.  One
Sober.X activation date has already come and gone, and
dozens of previous variants acted in the same way.
This is nothing new, except that the AV companies have
released more details this time, and the media is
making a bigger deal of it for some reason this time.

If you only block the list of URLs given, you'll
remain vulnerable when the next Sober variant comes
out and the AV companies decide not to publish a list
of the URLs.

- karl levinson


-----Original Message-----
From: Curt Shaffer [mailto:cshaffer@gmail.com]
Sent: Thursday, December 15, 2005 11:50 AM
To: focus-ms@securityfocus.com
Subject: sober resurfacing


All,

I am working on a plan to try and help minimize the
effect of the possible Sober resurfacing on Jan. 5/6th.
After reading the SecurityFocus article stating that
this worm relies on NTP to know when to release, I am
wondering about the feasibility of blocking NTP out to
the internet that week except for the certain devices
that need it. Does anyone have input on this?



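As an added example (not part of the original post or the thread), here is how the "permit but log" step described above can be turned into a review script: it parses iptables-style LOG records collected during the logging period, lists which internal hosts actually use outbound NTP (UDP/123) and to which servers, flags hosts that are not on the allowlist of devices that need NTP, and applies one heuristic for the warning in the reply that a worm may go on to download anyway: an NTP query followed within a few minutes by outbound HTTP from a host that should not be doing NTP at all. The log lines, the allowlist, the server list and the log tags (OUT-NTP, OUT-WEB) are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables-style "permit but log" records (not real traffic).
# 10.0.0.5 and 10.0.0.6 are the hosts that are supposed to sync time;
# 10.0.1.77 is an ordinary workstation that should not be talking NTP.
SAMPLE_LOG = """\
Dec 15 11:05:49 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123 LEN=76
Dec 15 11:06:12 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123 LEN=76
Dec 15 11:07:01 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.9 PROTO=UDP SPT=32901 DPT=123 LEN=76
Dec 15 11:07:02 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.9 PROTO=UDP SPT=32901 DPT=123 LEN=76
Dec 15 11:07:03 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.9 PROTO=UDP SPT=32901 DPT=123 LEN=76
Dec 15 11:09:30 fw kernel: OUT-WEB IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.5 PROTO=TCP SPT=1040 DPT=80 LEN=60
Dec 15 11:10:00 fw kernel: OUT-NTP IN=eth1 OUT=eth0 SRC=10.0.0.6 DST=192.0.2.10 PROTO=UDP SPT=123 DPT=123 LEN=76
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<tag>\S+) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2005):
    """Parse firewall LOG lines into dicts; lines that do not match are skipped.
    Syslog timestamps carry no year, so the caller supplies it."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        records.append({"ts": ts, "tag": m["tag"], "src": m["src"], "dst": m["dst"],
                        "proto": m["proto"], "dpt": int(m["dpt"])})
    return records


def review_ntp(records, allowed_clients, known_servers, window=timedelta(minutes=10)):
    """Summarise outbound NTP seen during a permit-but-log period.

    ntp_clients     : {src: {dst, ...}} every internal host seen sending UDP/123
    unexpected      : hosts doing NTP that are not on the allowlist
    unknown_servers : {src: {dst, ...}} NTP sent to servers not in known_servers
    ntp_then_http   : [(src, ntp_ts, http_ts)] heuristic: an unexpected host
                      queried NTP and then opened outbound HTTP within `window`
    """
    ntp_clients = defaultdict(set)
    unknown_servers = defaultdict(set)
    ntp_times = defaultdict(list)
    for r in records:
        if r["proto"] == "UDP" and r["dpt"] == 123:
            ntp_clients[r["src"]].add(r["dst"])
            ntp_times[r["src"]].append(r["ts"])
            if r["dst"] not in known_servers:
                unknown_servers[r["src"]].add(r["dst"])

    unexpected = sorted(h for h in ntp_clients if h not in allowed_clients)

    ntp_then_http = []
    for r in records:
        if r["proto"] == "TCP" and r["dpt"] in (80, 443) and r["src"] in unexpected:
            for t in ntp_times[r["src"]]:
                if timedelta(0) <= r["ts"] - t <= window:
                    ntp_then_http.append((r["src"], t, r["ts"]))
                    break  # one hit per HTTP connection is enough

    return {
        "ntp_clients": {k: set(v) for k, v in ntp_clients.items()},
        "unexpected": unexpected,
        "unknown_servers": {k: set(v) for k, v in unknown_servers.items()},
        "ntp_then_http": ntp_then_http,
    }


if __name__ == "__main__":
    result = review_ntp(parse_log(SAMPLE_LOG),
                        allowed_clients={"10.0.0.5", "10.0.0.6"},
                        known_servers={"192.0.2.10"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it over the real log of the logging period before deciding on the block: every host in `unexpected` is either something that legitimately needs NTP (add it to the allowlist), or something to look at before the activation date. The NTP-then-HTTP correlation is only a hint to investigate a host, not proof of infection, and, as the reply notes, a variant that does not need NTP would never show up in it.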