RE: sober resurfacing



That should already be your firewall policy: block
everything by default except for that which you
explicitly need / permit. That includes outbound
connections as well, and not just NTP but everything.
[This isn't mandatory, but do realize that not doing
so provides less security and is advisable if you want
more security.]

If you're worried about breaking things, the usual
scenario is to set up a "permit but log" rule, and
check the log a few days later. Whether or not you
decide to block NTP, it's probably a good idea to keep
logging NTP traffic and checking the logs periodically
for signs of compromise, as long as you have the
resources to do so.

Having said that, don't assume that if the virus can't
make an NTP connection, it won't go ahead and try
downloading anyways. Blocking NTP may not block this
virus or future variants, depending.

The thing to note about these recent Sober articles is
that this has been going on for two years now. One
Sober.X activation date has already come and gone, and
dozens of previous variants acted in the same way.
This is nothing new, except that the AV companies have
released more details this time, and the media is
making a bigger deal of it for some reason this time.

If you only block the list of URLs given, you'll
remain vulnerable when the next Sober variant comes
out and the AV companies decide not to publish a list
of the URLs.

- karl levinson
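The "permit but log, then check the log a few days later" step above, as an added example that is not part of the original thread or of any firewall product: it reads firewall log lines written by a log-only rule for outbound UDP/123, lists which internal hosts actually use NTP, flags the ones that are not on the explicit allow-list, and turns the permitted traffic into explicit allow rules. The netfilter/iptables-style log format with an `NTP-LOG` prefix, the `OUTBOUND-NTP` chain name, and every host and address in the sample log are constructed assumptions.

```python
"""Review a 'permit but log' NTP rule's output before switching it to a block.

Added example, not from the original thread. Log lines mimic netfilter
kernel log output with an assumed 'NTP-LOG' prefix; hosts and addresses
are constructed.
"""
import re
from collections import defaultdict

# Fields of interest in a netfilter-style log line (assumed format).
LOG_RE = re.compile(
    r"NTP-LOG .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=UDP .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log: two permitted time servers (10.0.0.2, 10.0.0.3)
# and a workstation (10.0.1.77) that was never meant to reach NTP servers
# on the internet. The last line is non-NTP traffic and must be ignored.
SAMPLE_LOG = """\
Dec 16 03:14:02 fw kernel: NTP-LOG IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123
Dec 16 03:14:03 fw kernel: NTP-LOG IN=eth1 OUT=eth0 SRC=10.0.0.3 DST=192.0.2.10 LEN=76 PROTO=UDP SPT=123 DPT=123
Dec 16 09:41:17 fw kernel: NTP-LOG IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.5 LEN=76 PROTO=UDP SPT=1034 DPT=123
Dec 16 09:41:18 fw kernel: NTP-LOG IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.6 LEN=76 PROTO=UDP SPT=1035 DPT=123
Dec 16 10:02:55 fw kernel: NTP-LOG IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=198.51.100.5 LEN=76 PROTO=UDP SPT=1036 DPT=123
Dec 16 10:30:00 fw kernel: OTHER IN=eth1 OUT=eth0 SRC=10.0.1.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=1040 DPT=80
"""


def parse_ntp_events(log_text):
    """Yield (src, dst) for every outbound NTP packet the log-only rule recorded."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "123":
            yield m.group("src"), m.group("dst")


def audit_ntp_usage(log_text, permitted_sources):
    """Summarise NTP usage per source and flag sources outside the allow-list.

    Returns (usage, unexpected): usage maps source IP -> {destination IP: packet
    count}; unexpected is the sorted list of source IPs seen in the log that are
    not in permitted_sources (the "certain devices that need it").
    """
    usage = defaultdict(lambda: defaultdict(int))
    for src, dst in parse_ntp_events(log_text):
        usage[src][dst] += 1
    unexpected = sorted(src for src in usage if src not in permitted_sources)
    return {src: dict(dests) for src, dests in usage.items()}, unexpected


def proposed_allow_rules(usage, permitted_sources):
    """Turn observed, permitted traffic into explicit allow rules.

    One rule per (permitted source, destination) pair actually seen in the log,
    in iptables syntax against an assumed chain whose default policy is DROP.
    Unexpected sources get no rule and fall through to the default drop.
    """
    rules = []
    for src in sorted(usage):
        if src not in permitted_sources:
            continue
        for dst in sorted(usage[src]):
            rules.append(
                f"iptables -A OUTBOUND-NTP -s {src} -d {dst} -p udp --dport 123 -j ACCEPT"
            )
    return rules


if __name__ == "__main__":
    permitted = {"10.0.0.2", "10.0.0.3"}
    usage, unexpected = audit_ntp_usage(SAMPLE_LOG, permitted)
    for src, dests in sorted(usage.items()):
        tag = "ok" if src in permitted else "REVIEW"
        print(f"{src:<12} {tag:<7} {dests}")
    print("unexpected NTP sources:", unexpected)
    for rule in proposed_allow_rules(usage, permitted):
        print(rule)
```

Hosts reported under REVIEW are the ones to look at before the rule is flipped to block: either they are legitimate NTP clients that belong on the allow-list, or they are the kind of unexpected outbound traffic the thread is about. The generated rules only cover pairs that were actually observed, which is what "explicitly need / permit" amounts to in practice.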


> -----Original Message-----
> From: Curt Shaffer [mailto:cshaffer@xxxxxxxxx]
> Sent: Thursday, December 15, 2005 11:50 AM
> To: focus-ms@xxxxxxxxxxxxxxxxx
> Subject: sober resurfacing
>
>
> All,
>
> I am working on a plan to try and help minimize the effect of
> the possible sober resurfacing on Jan. 5/6th. After reading the
> security focus article that this worm relies on NTP to know when
> to release, I am wondering on the feasibility of blocking NTP out
> to the internet that week except for the certain devices that
> need it. Does anyone have input on this?

