An easy way to stop the spreading of internet worms
by SnakeByte [ SnakeByte@kryptocrew.de ]
http://www.kryptocrew.de/snakebyte/

With worms like Code Red and Ramen digging their way through the internet, there is a need for a good countermeasure, able to stop the fast spreading of such malicious code. Sure, fast patching of the vulnerabilities is one such countermeasure, but taking into consideration that such worms might also use 0-day exploits, for which no patch is available at the time the worm gets into the wild, this will not always work. It will take around one or two days until the patch is available to the public, and this is enough time for a worm to spread around and cause havoc ( especially when you take a look at the flash worm theory ). Scanners for worms are also much too slow, because they need to be updated first: the worm has to be fully disassembled so that the scanner knows what to search for, to avoid disinfection, and to detect all parts of the worm.

In my mind a simple solution to stop the spreading of such worms would be a good old firewall, configured in the right way, which forbids everything that is not explicitly allowed.

Where would such a firewall stop a worm during its spreading process? The service the worm exploits ( IIS, mail daemon... ) will not be blocked by the firewall, so the buffer overflow can be successfully executed. In the next step the worm has to transfer its own code to the target host and execute it. This can be done in three ways. The first is to carry the worm inside the overflow shellcode, but I don't think we will see this any time soon, because the longer the shellcode is, the bigger the chances are that it will not work. The second method is to make the target open a port and send the worm to this port, from which it gets dropped to disk and executed. Here a firewall would stop the worm, because a firewall only lets you open a connection to the ports you allow. The third method is to make the target connect to a server ( the infected one or a static one ) and get the worm from there. And again a firewall would block this, because a server should only be allowed to make connections to the hosts ( or the ports ) we need it to, maybe a mail server.

But assume we still did not block the worm: if the worm uses TCP full-connect or half-open scanning techniques, our firewall would still forbid the connection, because the server is only allowed to connect to a few hosts ( or ports ). So the worm would not find any targets and the infection would stop. If the worm still found a target, because the admin was too lazy to forbid outgoing connection attempts to all servers, and the worm tries to send its code over by opening a port on the attacking machine and forcing the target to connect to that port, a firewall would block the connection attempt to this port, making the overflow useless.

As we see, by configuring a firewall in the right way we raise the chance of not getting infected, and we also help to raise the chance for others not to get infected even if we are. So go to your firewall and add some lines to its config file:

  # outgoing: allow new connections ( SYN packets, matched by -y ) from the server only to the one host and port we need
  /sbin/ipchains -A input -p tcp -i $ServerDev -d $ServerWeAllow --dport $Port -y -j ACCEPT
  # outgoing: deny every other new connection the server tries to open
  /sbin/ipchains -A input -p tcp -i $ServerDev -y -j DENY

Where $ServerDev is the network device our own server is attached to, $ServerWeAllow a server we allow our server to open connections to, and $Port the port the connection goes to. This way the server can't connect to unwanted hosts, and by adding

  # incoming: allow new connections from the internet only to $Port on the server
  /sbin/ipchains -A input -p tcp -i $IDev -d $Server --dport $Port -y -j ACCEPT
  # incoming: deny new connections to any other port on the server
  /sbin/ipchains -A input -p tcp -i $IDev -d $Server -y -j DENY

we can forbid others to connect to ports besides $Port. Set $IDev to the device the connections come from ( Internet ) and $Server to the IP of your server.
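To see how these four rules act on each of the worm's propagation steps, here is a small added example ( not part of the original text, and not ipchains itself ): a first-match rule evaluator with the same -y semantics, run over constructed sample packets. The interface names, hosts and ports are made-up stand-ins for the $ variables above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    iface: str            # -i: interface the packet arrives on
    dst: Optional[str]    # -d: destination host, None means any
    dport: Optional[int]  # --dport: destination port, None means any
    syn_only: bool        # -y: match only connection-opening packets (SYN set, ACK/FIN clear)
    target: str           # ACCEPT or DENY

@dataclass(frozen=True)
class Packet:
    iface: str
    dst: str
    dport: int
    syn: bool             # True only for the first packet of a new TCP connection

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins, as in an ipchains chain; no match falls to the chain policy."""
    for r in rules:
        if (r.iface == pkt.iface
                and (r.dst is None or r.dst == pkt.dst)
                and (r.dport is None or r.dport == pkt.dport)
                and (not r.syn_only or pkt.syn)):
            return r.target
    return "POLICY"  # default policy of the input chain, not decided by these rules

# Constructed stand-ins for $ServerDev, $IDev, $Server, $ServerWeAllow and $Port.
SERVER_DEV, IDEV = "eth1", "eth0"
SERVER, MAILHOST, OUTSIDE = "192.0.2.10", "192.0.2.25", "198.51.100.7"

INPUT_CHAIN = [
    Rule(SERVER_DEV, MAILHOST, 25, True, "ACCEPT"),  # server may open mail connections...
    Rule(SERVER_DEV, None, None, True, "DENY"),      # ...and nothing else
    Rule(IDEV, SERVER, 80, True, "ACCEPT"),          # internet may reach the web service...
    Rule(IDEV, SERVER, None, True, "DENY"),          # ...and no other port on the server
]

def worm_steps() -> dict:
    """Fate of each propagation step from the text under the rule set above."""
    return {
        "exploit_reaches_service":  evaluate(INPUT_CHAIN, Packet(IDEV, SERVER, 80, True)),
        "legit_mail_out":           evaluate(INPUT_CHAIN, Packet(SERVER_DEV, MAILHOST, 25, True)),
        "scan_for_new_target":      evaluate(INPUT_CHAIN, Packet(SERVER_DEV, OUTSIDE, 80, True)),
        "fetch_worm_from_server":   evaluate(INPUT_CHAIN, Packet(SERVER_DEV, OUTSIDE, 31337, True)),
        "push_worm_to_opened_port": evaluate(INPUT_CHAIN, Packet(IDEV, SERVER, 31337, True)),
        "data_of_open_session":     evaluate(INPUT_CHAIN, Packet(IDEV, SERVER, 80, False)),
    }
```

The last entry shows why -y matters: packets of an already open connection never match the SYN-only rules, so only the attempt to open a connection is decided here.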