September 19, 2003 (10:21 AM EDT)

How To Protect Yourself Against Swen and MSBlaster II

By Gregg Keizer

With the fast-paced spread of the Swen worm and ongoing concerns that a second MSBlaster worm will soon strike, a variety of security experts and analysts made recommendations Friday on ways to detect and remove the first, and thwart the second.

Swen

To defend against the Swen/Gibe worm, anti-virus firms such as Symantec and Network Associates recommend that users update their anti-virus definition files as soon as possible. All the virus vendors have accounted for Swen in their definitions, and have posted updates on their sites.

Most anti-virus software will also detect an existing Swen infection, even if the software's been installed after Swen has compromised the system.

Removing the worm, however, is currently a laborious process that involves searching for instances of the worm's files and editing the Windows Registry. An example of the instructions for such manual cleansing can be found on the Trend Micro Web site.

Although no automated removal tools are currently posted on the Internet, a spokesperson for Symantec said that the anti-virus firm would have one ready and available for downloading sometime after noon, Pacific Time, Friday. A link to the tool will be placed on the Symantec page dedicated to the Swen worm.

Systems that have been patched with the Microsoft fix to the MIME header vulnerability in Internet Explorer will not automatically execute the worm's payload (which is attached as a file to the e-mail message). For those users, the traditional recommendation of not opening unanticipated file attachments holds true.

Users of Internet Explorer 5.01 and 5.5 (but not 5.01 with SP2 deployed) should immediately apply the fix for the MIME header vulnerability. The patch can be downloaded from the Microsoft TechNet Web site.

MSBlaster II

Although a worm exploiting the most recent Microsoft Windows RPC DCOM vulnerabilities has not yet been detected in the wild, enterprises can take precautions now, according to a Gartner analyst.

"The steps many enterprises took for the recent MSBlaster attack - and the fact that the newly discovered 'exploit' does not specifically target consumer desktops - will limit the impact of the coming attack," said John Pescatore, a Gartner analyst in a brief published Thursday. "However, unprepared enterprises will get hit just as hard as they were by MSBlaster."

Pescatore urged enterprises to immediately:

-- Block UDP ports 135, 137, 138, and 445, as well as TCP ports 135, 139, 445, and 593.

-- Verify that Windows services using these ports are not exposed on extranets or DMZs.

-- Install centrally managed personal firewalls on all laptop computers, and audit the configurations of these firewalls to guarantee that the vulnerable ports are not accepting connections. (Unprotected laptops brought inside the perimeter firewall are a potential hazard: as MSBlaster showed, just one infected machine within the corporate network can infect the entire environment in a matter of minutes.)

After taking these protective steps, said Pescatore, enterprise IT managers should deploy the patch for the vulnerability to every desktop and server running Windows NT Workstation 4, NT Server 4, NT Terminal Server Edition, Windows 2000, Windows XP, and Windows Server 2003.
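The audit step above is the one most often done by eye. The following script is an added example, not code from the article, from Gartner or from any firewall vendor: it parses a constructed, simplified rule-list format (first matching inbound rule wins, as most personal firewalls of the time evaluated their lists) and reports which of the UDP and TCP ports in Pescatore's block list would still accept an inbound connection. The rule syntax, the `parse_rules`, `decision` and `audit` functions and the two sample configurations are all assumptions made for the example; the port numbers are the ones given in the article.

```python
"""Audit firewall rules against the RPC/DCOM port block list from the article.

Added example, not from the article or Gartner. The rule format is a
constructed, simplified one: first matching inbound rule wins, and an
unmatched port falls through to a default policy.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Ports Pescatore recommends blocking (from the article).
BLOCK_UDP = {135, 137, 138, 445}
BLOCK_TCP = {135, 139, 445, 593}


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    port_lo: int
    port_hi: int

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.port_lo <= port <= self.port_hi


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of the form '<allow|deny> <tcp|udp|any> <port|lo-hi>'.

    Blank lines and '#' comments are ignored. Malformed lines raise ValueError
    instead of being skipped: a silently dropped deny rule is exactly the kind
    of mistake an audit exists to surface.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("tcp", "udp", "any")):
            raise ValueError(f"line {lineno}: cannot parse rule {raw!r}")
        lo, _, hi = parts[2].partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"line {lineno}: bad port range {parts[2]!r}")
        rules.append(Rule(parts[0], parts[1], lo_i, hi_i))
    return rules


def decision(rules: List[Rule], proto: str, port: int, default: str = "allow") -> str:
    """First matching rule wins; `default` is the policy when nothing matches."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action
    return default


def audit(rules: List[Rule], default: str = "allow") -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs from the block list still accepting inbound connections."""
    exposed = []
    for proto, ports in (("udp", BLOCK_UDP), ("tcp", BLOCK_TCP)):
        for port in sorted(ports):
            if decision(rules, proto, port, default) == "allow":
                exposed.append((proto, port))
    return exposed


# Constructed sample configurations (not taken from any real product).
WEAK_CONFIG = """
allow tcp 135-139   # 'file and print sharing' exception added by a user
deny  any 135-139   # never reached for TCP 135-139 because of the line above
deny  any 445
deny  tcp 593
"""

HARDENED_CONFIG = """
deny  udp 135-138
deny  tcp 135
deny  tcp 139
deny  any 445
deny  tcp 593
allow tcp 135-139   # now shadowed by the denies above for the blocked ports
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        exposed = audit(parse_rules(cfg))
        status = "OK" if not exposed else "EXPOSED: " + ", ".join(f"{p}/{n}" for p, n in exposed)
        print(f"{name:9s} {status}")
```

The weak configuration shows the failure mode the audit is meant to catch: a user-added allow rule for TCP 135-139 sits above the deny and wins, so TCP 135 and 139 remain reachable even though the administrator believes they are blocked. Rule order, not just rule presence, is what the audit has to check.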

More details about this vulnerability, and the patch, can be found on the Microsoft Web site.
