Learn How Your ISA Server Helps Block Win32.Netsky Traffic

Note

This page was first published on Thursday, August 05, 2004.

The first course of action against W32.Netsky is to protect and patch all affected computers. Because there are several variants of W32.Netsky, there is no single reference for the worm's behavior.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 to help block malicious traffic generated by W32.Netsky and its variants, and to help prevent further infection of computers on internal networks. Servers running ISA Server 2000 in cache mode cannot restrict W32.Netsky traffic; ISA Server 2004 has no such limitation.

The first section of this article contains technical details about W32.Netsky:

  • Affected Ports
  • Malicious Applications

In addition, this article details three scenarios where ISA Server can mitigate a W32.Netsky attack:

  • Protecting Internal Networks From External Attack With ISA Server
  • Helping to Prevent Outbound W32.Netsky Attacks Through ISA Server
  • Protecting the ISA Server Computer From W32.Netsky Attacks

This article also discusses:

  • How to Make Sure That ISA Server 2000 Is Correctly Configured
  • How to Make Sure That ISA Server 2004 Is Correctly Configured

Disclaimer

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user's own risk.

Affected Ports

Table 1 lists the ports known to be used by W32.Netsky. You should block these ports, subject to the warning that follows the table. This data is current as of 09:29:46, Saturday, July 24, 2004.

Table 1

  #   IP Protocol   Port Number (range)   Known to Be Used by W32.Netsky?
  1   TCP           25                    Yes
  2   TCP           665                   Yes
  3   TCP           1549                  Yes
  4   TCP           5556-5557             Yes
  5   TCP           6789                  Yes

Warning

Disabling some of the listed ports may have adverse effects on the traffic you want to flow through ISA Server. Disable them only if you know that you do not require access through ISA Server for those services. To avoid potential policy conflicts, the Block_Netsky.vbs script does not disable the following protocol/port:

  • TCP 25: used by SMTP servers and email clients to send mail. Blocking it outbound stops the worm's own SMTP engine, but also stops any legitimate mail that is sent directly to external servers rather than through an internal mail server.

Malicious Applications

Table 2 lists the executable names known to be used by W32.Netsky. You should create Firewall Client application settings that disable the Firewall Client for these names. This data is current as of 09:29:42, Saturday, July 24, 2004.

Table 2

  #    Process Name      Known to Be Used by W32.Netsky?
  1    AVBgle            Yes
  2    avguard           Yes
  3    avpguard          Yes
  4    avprotect         Yes
  5    AVprotect9x       Yes
  6    csrss             Yes
  7    EasyAV            Yes
  8    FirewallSvr       Yes
  9    fooding           Yes
  10   fooding           Yes
  11   FVProtect         Yes
  12   Jammer2nd         Yes
  13   KasperskyAVEng    Yes
  14   maja              Yes
  15   pandaavengine     Yes
  16   svchost           Yes
  17   SysMonXP          Yes
  18   VisualGuard       Yes
  19   winlogon          Yes
  20   wserver           Yes

Warning

Verify that none of your existing network applications use any of the above executable names before adding them to the Firewall Client Applications list. In particular, csrss, svchost and winlogon are also the names of legitimate Windows system processes (the worm uses them to blend in); a Firewall Client setting that disables those names also disables the Firewall Client for the genuine processes, for example any service hosted in svchost.exe that reaches the Internet through the Firewall Client.

Protecting Internal Networks from External Attack with ISA Server

By default, servers running ISA Server 2000 in firewall or integrated modes or ISA Server 2004 effectively help protect against W32.Netsky by blocking the external attacks on the affected ports. Additionally, ISA Server 2004 is able to protect itself from W32.Netsky attacks.

For a network protected by a server running ISA Server to be vulnerable to outside attack on these ports, specific rules would need to have been written to allow traffic on them.

  • DO enable Internet protocol (IP) packet filtering (ISA 2000).
  • DO NOT create "allow all" policies
  • DO NOT publish P2P applications

Note

Customers who have not enabled IP packet filtering should review the appropriate procedure for their version of ISA Server on this page.

Warning

Avoid server publishing using the ports listed in Table 1 if possible.

Helping to Prevent Outbound W32.Netsky Attacks Through ISA Server

Default installations of ISA Server 2000 in firewall or integrated mode or ISA Server 2004 prevent the spread of W32.Netsky to external networks. However, if your ISA Server is configured with an "allow all" policy for outbound traffic, then you must create protocol rules to block W32.Netsky on its known ports.

To help prevent outbound attacks through ISA Server:

  • DO create protocol rules that block traffic on all ports listed in Table 1.

Note

Customers who have not blocked this traffic should review the appropriate procedure for their version of ISA Server on this page.

  • DO disable the Firewall Client for malicious W32.Netsky processes, if the Firewall Client is being used in your environment. If all outbound access is authenticated, this will help prevent the worm from acting as a Firewall Client through ISA Server.

Note

For instructions how to do this, review the appropriate procedure for your version of ISA Server on this page.

Protecting the ISA Server Computer from W32.Netsky Attacks

A computer that has ISA Server installed is only vulnerable to infection by the W32.Netsky worm if both of the following are true:

  1. You use an email client on the ISA Server computer itself.
  2. You execute an email attachment delivered by W32.Netsky.

DO NOT use the ISA Server computer as a workstation.

How to Make Sure that ISA Server 2000 Is Correctly Configured

To enable IP packet filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
  2. Right-click IP Packet Filters, select Properties.
  3. Check the Enable Packet Filtering box.
  4. Click OK.

To verify that no server publishing rules use W32.Netsky ports:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Policy Elements.
  2. Click Protocol Definitions.
  3. In the right-side pane, click the Port Number column header to sort the list by port number.
  4. Write down the names of any protocol definitions that include a port and protocol combination listed in Table 1.
  5. In the left pane, expand Publishing.
  6. Click Server Publishing Rules.
  7. Examine all the server publishing rules. If anything in the Protocol column matches the name of a protocol definition that you wrote down in Step 4, that server publishing rule must be disabled or deleted. Make sure you pay particular attention to the warning block following Table 1.

If you are using an "allow all" policy for outbound traffic, protocol definitions need to be created for all ports listed in Table 1. You should create a protocol definition for each port to be blocked, where:

  • <port number> is the number of the port from the second column of Table 1
  • <IP protocol> is TCP

Note

www.isatools.org hosts a block_Netsky script that automates the following manual tasks.

To block outbound traffic on known W32.Netsky ports listed in Table 1:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Policy Elements.
  2. Right-click Protocol Definitions, point to New, and then click Definition.
  3. Type W32.Netsky (<port number>, <IP protocol>) in the Protocol Definition Name dialog box and then click Next.
  4. Type <port number> in the Port Number dialog box.
  5. Select <IP protocol> (TCP) in the Protocol Type drop-down list.
  6. Select Outbound from the Direction dialog box.
  7. Click Next.
  8. Select No from the Do you want to use secondary connections? option, and then click Next.
  9. Click Finish.
  10. Repeat steps (2) through (9) for each protocol listed in Table 1.

To prevent traffic on known W32.Netsky ports:

  1. In the left pane, expand Access Policy.
  2. Right-click Protocol Rules, point to New, and then click Rule.
  3. Type Block W32.Netsky in the Protocol Rule Definition Name dialog box and then click Next.
  4. Select Deny from the Response to client requests to use this protocol option.
  5. Select Selected protocols from the Apply this rule drop-down list.
  6. In Protocols, check the boxes for the W32.Netsky protocol definitions created in the previous procedure.
  7. Click Next.
  8. Select Always from the Use this schedule drop-down list and then click Next.
  9. Complete the remaining wizard pages, accepting the defaults, and then click Finish.

The malicious W32.Netsky process operates as one or more of the processes listed in Table 2. A Firewall Client rule must be created to disallow access via the Firewall client for each of the listed processes.

To disable the Firewall Client for malicious W32.Netsky processes:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>.
  2. Click Client Configuration.
  3. In the right pane, right-click Firewall Client and then click Properties.
  4. Click the Application Settings tab.
  5. Click New.
  6. Type AVBgle in the Application dialog box.
  7. Select Disable from the Key drop-down list.
  8. Select 1 from the Value drop-down list.
  9. Click OK.
  10. Click OK.
  11. Repeat steps (5) through (10) for each process listed in table 2

Disabling the Firewall Client for the malicious process only prevents the malicious processes on an infected LAT host from acting as a Firewall Client. If the host is also configured as a SecureNAT client, then this setting may have no effect. (To prevent SecureNAT client access across ISA Server, make sure that there are no anonymous Site and Content or Protocol rules.)

How to Make Sure that ISA Server 2004 Is Correctly Configured

To verify that no server publishing rules use W32.Netsky ports:

  1. In ISA Management, expand <ISA Server name>.
  2. Click Firewall Policy.
  3. In the far-right Pane (Toolbox, Tasks & Help), select the ToolBox tab
  4. Click Protocols
  5. Click to expand All Protocols
  6. Double-click the first protocol name
  7. select the Parameters tab
  8. Write down the name of this protocol definition if it includes one or more of the port and protocol combinations listed in Table 1.
  9. Repeat steps (6) through (8) until all protocol definitions have been examined
  10. In the center pane, examine all the Server Publishing rules. If any protocol listed in the Protocols column matches the name of a protocol definition that you wrote down in Step 8, that server publishing rule must be disabled or deleted. Make sure you pay particular attention to the warning block following Table 1 before disabling or deleting the publishing rule.
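The two audit procedures above (ISA Server 2000 and ISA Server 2004) are the same check done by hand: find every protocol definition whose port range touches a Table 1 port, then find every enabled server publishing rule that uses one of those definitions. The following script, added here as an example and not part of the original article or of ISA Server, models that check over a constructed list of definitions and rules; it does not talk to the ISA administration API. Note that it reports TCP 25 hits for review rather than for blocking, matching the warning after Table 1, and that a range such as 5550-5560 is flagged because it contains 5556-5557 even though neither port is listed explicitly.

```python
"""Audit constructed ISA-style protocol definitions and server publishing
rules against the W32.Netsky ports from Table 1.

Illustrative model of the manual audit procedure in this article. It does
not use the ISA Server administration COM object model; all data is
constructed inline for the example.
"""
from dataclasses import dataclass

# Table 1 as (protocol, low port, high port); a single port is a range of one.
NETSKY_PORTS = [("TCP", 25, 25), ("TCP", 665, 665), ("TCP", 1549, 1549),
                ("TCP", 5556, 5557), ("TCP", 6789, 6789)]

# Ports the Block_Netsky script deliberately leaves alone (warning after Table 1):
# report them for review instead of recommending an outright block.
NEEDS_REVIEW = {("TCP", 25)}


@dataclass(frozen=True)
class ProtocolDefinition:
    name: str
    protocol: str   # "TCP" or "UDP"
    low: int
    high: int


@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    protocol: str   # name of the protocol definition the rule publishes
    enabled: bool = True


def overlapping_netsky_ports(pd):
    """Return the (protocol, port) pairs of pd that fall inside a Table 1 entry."""
    hits = []
    for proto, lo, hi in NETSKY_PORTS:
        if pd.protocol != proto:
            continue
        # Intersect [pd.low, pd.high] with [lo, hi]; empty when they do not overlap.
        for port in range(max(lo, pd.low), min(hi, pd.high) + 1):
            hits.append((proto, port))
    return hits


def audit_publishing_rules(definitions, rules):
    """Return (rule name, protocol name, ports, verdict) for every enabled
    publishing rule whose protocol definition touches a Netsky port.
    Verdict is "review" when every hit is in NEEDS_REVIEW, else "block"."""
    by_name = {d.name: d for d in definitions}
    findings = []
    for rule in rules:
        pd = by_name.get(rule.protocol)
        if pd is None or not rule.enabled:
            continue
        hits = overlapping_netsky_ports(pd)
        if not hits:
            continue
        verdict = "review" if all(h in NEEDS_REVIEW for h in hits) else "block"
        findings.append((rule.name, pd.name, [p for _, p in hits], verdict))
    return findings


# Constructed sample configuration (not exported from a real ISA Server).
SAMPLE_DEFINITIONS = [
    ProtocolDefinition("SMTP Server", "TCP", 25, 25),
    ProtocolDefinition("HTTP Server", "TCP", 80, 80),
    ProtocolDefinition("Custom App 5550-5560", "TCP", 5550, 5560),
    ProtocolDefinition("Syslog UDP 6789", "UDP", 6789, 6789),   # UDP: not in Table 1
]
SAMPLE_RULES = [
    ServerPublishingRule("Publish mail", "SMTP Server"),
    ServerPublishingRule("Publish web", "HTTP Server"),
    ServerPublishingRule("Publish custom app", "Custom App 5550-5560"),
    ServerPublishingRule("Publish syslog", "Syslog UDP 6789"),
    ServerPublishingRule("Old app (disabled)", "Custom App 5550-5560", enabled=False),
]

if __name__ == "__main__":
    for name, proto, ports, verdict in audit_publishing_rules(SAMPLE_DEFINITIONS, SAMPLE_RULES):
        print(f"{verdict:6}  rule '{name}' publishes '{proto}' on ports {ports}")
```

Against the sample data the script reports "Publish mail" for review (TCP 25 only) and "Publish custom app" for blocking (its range contains 5556 and 5557); the UDP definition and the disabled rule produce no finding.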

Note

www.isatools.org hosts a block_Netsky script that will automate the following manual tasks.

If you are using an "allow all" policy for outbound traffic, protocol definitions may need to be created for all ports listed in Table 1. You should create a protocol definition for each port to be blocked, where:

  • <port number> is the number of the port from the second column of Table 1
  • <IP protocol> is TCP

To define a W32.Netsky protocol using the ports listed in Table 1:

  1. In ISA Management, expand <ISA Server name>.
  2. Click Firewall Policy.
  3. In the far-right Pane (Toolbox, Tasks & Help), select the ToolBox tab
  4. Click Protocols
  5. In the Protocols menu bar, select New, then Protocol
  6. In the Protocol Definition Name, enter W32.Netsky
  7. In the Primary Connection Information dialog, click New.
  8. In the New/Edit Protocol Connection dialog:
    1. In the Protocol Type drop-down, select the protocol listed in Table 1 (TCP).
    2. In the Direction drop-down, select Outbound.
    3. In the Port Range fields, enter the beginning and ending ports listed in Table 1. If a single port is listed, enter that value in both the From and To fields.
    4. Click OK.
  9. Repeat steps (7) and (8) for each remaining entry in Table 1, so that the single W32.Netsky protocol definition carries one primary connection per row of the table.
  10. Click Next.
  11. In the Secondary Connections dialog, select No and click Next.
  12. Click Finish.

To create a rule denying traffic on known W32.Netsky ports:

  1. In the left pane, select Firewall Policy.
  2. In the far-right pane, select Tasks, and then click Create New Access Rule.
  3. Type Block W32.Netsky in the Access Rule Definition Name dialog box and then click Next.
  4. Select Deny from the Action to take when rule conditions are met option, click Next.
  5. Select Selected protocols from the Apply this rule drop-down list, then click Add.
  6. In the Add Protocols dialog, expand User-Defined and double-click W32.Netsky, then click Close
  7. In the Access Rule Sources dialog, click Add
  8. In the Add Network Entities dialog, expand Computer Sets and double-click Anywhere, then click Close
  9. Click Next.
  10. In the Access Rule Destinations dialog, click Add
  11. In the Add Network Entities dialog, expand Computer Sets and double-click Anywhere, then click Close
  12. Click Next.
  13. In the User Sets dialog, click Next.
  14. Click Finish.
  15. Click Apply in the upper pane to make the policy changes take effect.
  16. Click OK when the Apply New Configuration dialog reports that the changes were applied.

Note

ISA Server 2004 evaluates access rules in order and applies the first rule that matches. Confirm that Block W32.Netsky appears above any rule that allows all outbound traffic; if it does not, select it and use the Move Up task until it does, then click Apply again. A deny rule that sits below an "allow all" rule is never reached.
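The rule-order point matters enough to show concretely. The following script, added here as an illustration and not part of the original article or of ISA Server, is a small first-match model of ordered ISA Server 2004 access rules: the same two rules evaluated in both orders, for an internal client opening TCP 6789 to an external host. The rule and network names are the ones used in this article; the evaluation logic is a simplified model of ISA's ordered, first-match processing, not its actual engine.

```python
"""First-match model of ordered ISA Server 2004 access rules, showing why
the Block W32.Netsky deny rule must sit above an "allow all" rule.

Constructed illustration; this is not the ISA policy engine or its API.
"""
from dataclasses import dataclass

# Table 1 TCP ports as (low, high) ranges.
NETSKY_TCP = [(25, 25), (665, 665), (1549, 1549), (5556, 5557), (6789, 6789)]


@dataclass
class Protocol:
    name: str
    tcp_ranges: list      # (low, high) pairs; an empty list means "all protocols"


@dataclass
class AccessRule:
    name: str
    action: str           # "Allow" or "Deny"
    protocols: list       # Protocol objects; empty means all outbound traffic
    sources: set          # network names; "Anywhere" matches any network
    destinations: set


NETSKY = Protocol("W32.Netsky", NETSKY_TCP)


def protocol_matches(proto, port):
    """A protocol with no ranges matches everything, as "All Outbound Traffic" does."""
    return not proto.tcp_ranges or any(lo <= port <= hi for lo, hi in proto.tcp_ranges)


def network_matches(entities, network):
    return "Anywhere" in entities or network in entities


def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first matching rule; the implicit
    Default rule at the end of the list denies whatever nothing else matched."""
    for r in rules:
        if (network_matches(r.sources, src)
                and network_matches(r.destinations, dst)
                and (not r.protocols or any(protocol_matches(p, port) for p in r.protocols))):
            return r.action, r.name
    return "Deny", "Default rule"


# The two rules from this article, as constructed objects.
ALLOW_ALL = AccessRule("Allow all outbound", "Allow", [], {"Internal"}, {"External"})
BLOCK_NETSKY = AccessRule("Block W32.Netsky", "Deny", [NETSKY], {"Anywhere"}, {"Anywhere"})


def order_as_created():
    """Deny rule below the pre-existing allow-all rule."""
    return [ALLOW_ALL, BLOCK_NETSKY]


def order_after_move_up():
    """Deny rule moved above the allow-all rule."""
    return [BLOCK_NETSKY, ALLOW_ALL]


if __name__ == "__main__":
    for label, rules in (("as created", order_as_created()),
                         ("after Move Up", order_after_move_up())):
        for port in (80, 6789):
            print(f"{label:14} Internal -> External TCP {port}: "
                  f"{evaluate(rules, 'Internal', 'External', port)}")
```

With the deny rule below the allow-all rule, TCP 6789 from an internal host is allowed by "Allow all outbound" and the Netsky rule is never consulted; with the deny rule moved up, the same connection is denied while ordinary traffic such as TCP 80 is still allowed.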

The malicious W32.Netsky process operates as one or more of the processes listed in Table 2. A Firewall Client rule must be created to disallow access via the Firewall client for each of the listed processes.

To disable the Firewall Client for the malicious W32.Netsky process:

  1. In ISA Management, expand <ISA Server name>, Configuration.
  2. Click General.
  3. In the center pane, click Define Firewall Client Settings.
  4. Click the Application Settings tab.
  5. Click New.
  6. Type AVBgle in the Application dialog box.
  7. Select Disable from the Key drop-down list.
  8. Select 1 from the Value drop-down list.
  9. Click OK.
  10. Click New.
  11. Type AVBgle in the Application dialog box.
  12. Select DisableEx from the Key drop-down list.
  13. Select 1 from the Value drop-down list.
  14. Click OK.
  15. Repeat steps (5) through (14) for each additional process listed in table 2
  16. Click Apply, then OK
  17. Click Apply in the upper pane to make the policy changes take effect
  18. Click OK when the Apply New Configuration OK button is activated

Disabling the Firewall Client for the malicious process only prevents the malicious processes on an infected host from acting as a Firewall Client. If the host is also configured as a SecureNAT client, then this setting may have no effect. (To prevent SecureNAT client access across ISA Server, make sure that there are no anonymous Access Rules.)

For More Information