Learn How Your ISA Server Helps Block Sasser Traffic

  • Article

The first course of action taken against the W32.Sasser (Sasser) worm must be protecting and patching all affected computers. Find out what you should know about the Sasser worm. Sasser exploits the vulnerability that was addressed by Microsoft Security Bulletin MS04-011.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2000 to help block malicious traffic created by Sasser and its variants and to possibly prevent propagation of the worm through an ISA Server computer. Servers running ISA Server in cache mode do not have any protection against Sasser and are themselves vulnerable to attack by this worm.

The first section of this article contains technical details about Sasser:

  • Affected Ports

In addition, this article discusses the scenario where ISA Server can mitigate a Sasser attack:

  • Protecting Internal Networks From External Attack With ISA Server
  • Helping to Prevent Outbound Sasser Attacks Through ISA Server
  • Protecting the ISA Server Computer From Sasser Attacks

This article also discusses:

  • How to Make Sure That ISA Server Is Correctly Configured

Disclaimer

Microsoft makes no warranties about this information. In no event shall Microsoft be liable for any damages whatsoever arising out of or with the use or spread of this information. Any use of this information is at the user's own risk.

Affected Ports

Table 1 lists affected ports known to be used by Sasser and its variants with potential vectors for exploiting the vulnerability described in MS04-011. You should block all of the ports that are known to be used by Sasser. This data is current as of 12:00 P.M. on August 21, 2003; visit the PSS Security Response Team Alert-New Worm: W32.Sasser.worm page for the latest information.

# Port Number IP Protocol Known to Be Used by Sasser ?

1

445

TCP

Yes

1

5554

TCP

Yes

1

9996

TCP

Yes

Protecting Internal Networks from External Attack with ISA Server

By default, servers running ISA Server in firewall or integrated mode effectively help protect against Sasser by blocking the external attacks on the affected ports. For the network protected by a server running ISA Server to be vulnerable, specific rules would need to be written to allow traffic on these ports.

  • DO enable Internet protocol (IP) packet filtering.

Note

Customers who have not enabled IP packet filtering should review the packet filtering section of this page.

Warning

Do not create server publishing rules using the ports listed in Table 1.

Helping to Prevent Outbound Sasser Attacks Through ISA Server

Default installations of ISA Server in firewall or integrated mode prevent the spread of Sasser to external networks (through File Transfer Protocol, or FTP). However, if your ISA Server computer is configured with an "allow all" policy for outbound traffic, then you must create protocol rules to block Sasser on its known ports.

To help prevent outbound attacks through ISA Server:

  • DO create protocol rules that block traffic on all ports listed in Table 1. Blocking TCP port 445 in the outbound direction will prevent outbound CIFS traffic from working across ISA Server, and blocking TCP ports 5554 and 9996 in the outbound direction will prevent an infected host from acting as an FTP server and spreading the worm.

Note

Customers who have not blocked this traffic should review the block outbound traffic procedure on this page.

  • DO disable the Firewall Client for malicious Sasser processes, if the Firewall Client application is being used in your environment. If all outbound access is authenticated, this will prevent the worm from acting as a Firewall Client through ISA Server.

Note

For instructions on how to do this, review the disable malicious Sasser processes section on this page.

Protecting the ISA Server Computer from Sasser Attacks

A computer that has ISA Server installed is vulnerable to internal attack by the Sasser worm if the attack originates from a computer that is in the ISA Server local address table (LAT). It is vulnerable to external attack if an IP packet filter exists that allows inbound traffic on the ports listed in table 1.

Warning

To help protect the ISA Server computer itself from a Sasser attack, do not create IP packet filters that allow inbound traffic on the ports listed in table 1.

How to Make Sure that ISA Server Is Correctly Configured

To enable IP packet filtering:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Access Policy.
  2. Right-click IP Packet Filters, select Properties.
  3. Check the Enable Packet Filtering box.
  4. Click OK.

To verify that no server publishing rules use the ports listed in Table 1:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>, Policy Elements.
  2. Click Protocol Definitions.
  3. In the right-side pane, click the Port Number column header to sort the list by port number.
  4. Write down the names of any protocol definitions that use a port number from table 1 and "User" in the Defined By column.
  5. In the left pane, expand Publishing.
  6. Click Server Publishing Rules.
  7. Examine all the server publishing rules. If anything in the Protocol column matches the name of a protocol definition that you wrote down in Step 4, that server publishing rule must be disabled or deleted.

If you are using an "allow all" policy for outbound traffic, protocol definitions need to be created for all ports listed in Table 1. You should create a protocol definition for each port to be blocked with the name Sasser( <port number>, <ip protocol>), where:

  • <port number> is the number of the port from the second column of Table 1
  • <IP protocol> is TCP

Then create a protocol rule protocol rule that denies use of all the new protocol definitions.

To block outbound traffic on the known Sasser ports listed in Table 1:

  1. In ISA Management, expand Servers and Arrays, <ISA name Server>, and Policy Elements.
  2. Right-click Protocol Definitions, point to New, and then click Definition.
  3. Type Sasser (<port number>, <ip protocol>) in the Protocol Definition Name dialog box and then click Next.
  4. Type <port number> in the Port Number dialog box.
  5. Select TCP in the Protocol Type drop-down list.
  6. Select Outbound from the Direction dialog box.
  7. Click Next.
  8. Select No from the Do you want to use secondary connections? option, and then click Next.
  9. Click Finish.

To prevent traffic on known Sasser ports:

  1. In the left pane, expand Access Policy.
  2. Right-click Protocol Rules, point to New, and then click Rule.
  3. Type Block W32.Sasser in the Protocol Rule Definition Name dialog box and then click Next.
  4. Select Deny from the Response to client requests to use this protocol option.
  5. Select Selected protocols from the Apply this rule drop-down list.
  6. In Protocols, check the boxes for the newly created protocol definitions in Steps 1-9.
  7. Click Next.
  8. Select Always from the Use this schedule drop-down list and then click Next.

The malicious Sasser processes known at this time are avserve and avserve2. A Firewall Client rule must be created for each process.

Note

Since the Sasser worm variants also execute as randomly-named processes, the following process is not completely effective.

To disable the Firewall Client for malicious Sasser processes:

  1. In ISA Management, expand Servers and Arrays, <ISA Server name>.
  2. Click Client Configuration.
  3. In the right pane, right-click Firewall Client and then click Properties.
  4. Click the Application Settings tab.
  5. Click New.
  6. Type avserve in the Application dialog box.
  7. Select Disable from the Key drop-down list.
  8. Select 1 from the Value drop-down list.
  9. Repeat Steps 6-8, replacing avserve with avserve2.
  10. Click OK.
  11. Click OK.

Disabling the Firewall Client for Avserve.exe and Avserve2.exe only prevents the malicious processes on an infected LAT host from acting as a Firewall Client. If the host is also configured as a SecureNAT client, then this setting may have no effect. (To prevent SecureNAT client access across ISA Server, make sure that there are no anonymous site and content or protocol rules.)

For More Information