Learn How To Configure Your ISA Server 2004 To Block Ibiza Traffic

The first course of action taken against Ibiza must be protecting and patching all affected computers. Ibiza exploits the vulnerability that was addressed by Microsoft Security Bulletin MS04-013.

Ibiza is similar to Download.Ject in that it exploits the MS04-013 vulnerability, but Ibiza uses a link in a hidden "IFrame" element, where Ject uses a "Location" response header. The end result is the same in either case; malicious code is downloaded and executed at the victim computer.

The following information explains how to use Microsoft Internet Security and Acceleration (ISA) Server 2004 to block malicious traffic generated by malicious Web servers, which may help prevent further infection of computers on internal networks.

By default, ISA Server 2000 is not capable of blocking this traffic without a special plug-in. For examples of these, see ISA Server 2000 Partners.

The first section of this article contains technical details about Ibiza:

In addition, this article discusses the scenario where ISA Server can mitigate an Ibiza response:

This article also discusses:

Microsoft makes no warranties about this information. Microsoft will not be liable for any damages arising out of or with the use or spread of this information. Use of this information is at the user's own risk.

Ibiza traffic is carried in a standard HTTP response header, and thus uses port 80 for its attack vector. It is impractical to close this port as doing so will block all Web site traffic.

Port number and IP protocol known to be used by Ibiza:

| Port Number | IP Protocol |
|-------------|-------------|
| 80          | TCP         |

Internal hosts are vulnerable to this attack if:

  1. The internal host does not have the MS04-013 patch applied.
  2. ISA Server 2004 is not configured to block Ibiza links.

Default installations of ISA Server 2004 do not include the filter definition required to block Ibiza.

To help prevent Ibiza traffic through ISA Server 2004:

  • Create a backup of your current Firewall Policies before making the recommended changes. This will allow you to revert to your previous configuration should adverse behavior occur as a result of them.
  • Create an HTTP Filter "Signatures" setting that includes the definitions as described below for each access rule that uses the HTTP protocol.

A computer that has ISA Server 2004 installed is vulnerable to internal attack by the Ibiza worm if the MS04-013 patch has not been applied.

Because the ISA Server itself makes use of System policies for Internet access and System policies cannot use HTTP Filters, you cannot apply the same filter settings to system rules. For this reason, it is advised that you not use the ISA Server itself for Web browsing.

If you are using an "allow all" policy for outbound traffic, you only need to apply the HTTP Filter changes to your "Allow all" rule. Otherwise, you will need to apply the HTTP Filter settings to any "Allow" Access Rule that includes the ISA Server-defined HTTP protocol.

You should only add HTTP Filter settings to rules that are:

  1. Array Rules
  2. Access Rules
  3. Allow Rules
  4. HTTP is included in the Protocols column

Deny rules, even those that specify All Except HTTP, cannot use HTTP Filter settings.

To block Ibiza response traffic:

You may obtain a script from ISATools.org that automates the following steps: http://www.isatools.org/tools/block_ms04-013.vbs. This script creates the same policy rule changes as described below and also creates a backup of your current policies before changing them.

  1. In ISA Management, expand <ISA Server name> and then select Firewall Policy.
  2. Select the first rule that meets the rules requirements.
  3. Right-click the rule and then click Configure HTTP.
  4. Select the Signatures tab and then click Add.
  5. In the Name field, enter Ibiza.
  6. In the Description field, enter "Blocks Malicious Location headers that attempt to exploit MS04-013".
  7. In the Search In drop-down list, select Response body.
  8. In the HTTP Header field, enter Location.
  9. In the Signature field, enter C:\
  10. Click OK, click Apply, and then click OK.
  11. Repeat steps 3 through 10 for each rule that meets the rules requirements.
  12. Click Apply in the ISA Management MMC immediately above the rules list.
  13. When the Apply New Configuration dialog box reports "Changes to the configuration were successfully applied," click OK.

Verify that your existing policies still perform as they did before you added the Ibiza HTTP Filter changes.
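To see what the Signatures entry configured above actually matches, the following is an added Python model of the HTTP Filter signature check; it is example code written for this article, not ISA Server's own code, and the sample responses, the `Signature` class and the case-insensitive substring matching are assumptions.

```python
"""Model of the ISA Server 2004 HTTP Filter signature check described above."""
from dataclasses import dataclass


@dataclass
class Signature:
    name: str
    search_in: str    # "response_body" or "response_headers", as on the Signatures tab
    signature: str    # the pattern entered in the Signature field
    header: str = ""  # HTTP header name; only used when search_in == "response_headers"


# The body signature this article creates, plus the header variant for Ject-style
# redirects. Both are modelled here as examples, not an export from ISA Server.
SIGNATURES = [
    Signature("Ibiza", "response_body", "C:\\"),
    Signature("Ject-Location", "response_headers", "C:\\", header="Location"),
]


def parse_http_response(raw: str):
    """Split a raw HTTP response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def matched_signatures(raw: str, signatures=SIGNATURES):
    """Return the names of signatures that would make the filter block this response.
    Assumption: matching is a case-insensitive substring test."""
    _, headers, body = parse_http_response(raw)
    hits = []
    for sig in signatures:
        if sig.search_in == "response_body":
            haystack = body
        else:
            haystack = headers.get(sig.header.lower(), "")
        if sig.signature.lower() in haystack.lower():
            hits.append(sig.name)
    return hits


# Constructed sample responses (not real captures): a hidden IFrame pointing at a
# local path, a Location header pointing at a local path, and a benign page.
IBIZA_STYLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><iframe src=\"C:\\placeholder\" style=\"display:none\"></iframe></html>")
JECT_STYLE = "HTTP/1.1 302 Found\r\nLocation: C:\\placeholder\r\n\r\n"
BENIGN = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          "<html><iframe src=\"https://example.com/page\"></iframe></html>")

if __name__ == "__main__":
    for label, resp in [("ibiza", IBIZA_STYLE), ("ject", JECT_STYLE), ("benign", BENIGN)]:
        print(label, matched_signatures(resp))
```

Run it against responses captured from your own test Web server to confirm that the signature you entered blocks the cases you expect and leaves ordinary pages alone.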