Re: Novarg - Stopping .Zip Files

From: Ivan Coric (ivan.coric_at_workcoverqld.com.au)
Date: 01/29/04

    Date: Thu, 29 Jan 2004 14:43:38 +1000
    To: <milliner@gdar.org>, <incidents@securityfocus.com>, <tom.milliner@verizon.net>, <beleguese@yahoo.com>
    
    

    Tom,
    Fair enough, but IMHO I would run my own email GW.

    Anyway, check out Symantec and TopLayer products, they might do what you're looking for.
    http://www.toplayer.com
    http://enterprisesecurity.symantec.com/content/productlink.cfm

    Cheers
    Ivan

    Ivan Coric, CISSP
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au

    >>> "Tom Milliner" <tom.milliner@verizon.net> 01/29/04 02:14pm >>>
    We don't have an email gateway. With only 30 employees, it seemed to
    make sense to have our ISP provide POP3 email service. The ISP provides
    spam and virus filtering. For example, if the ISP provides the service for
    $60 a month (possibly bundled with web hosting and/or a T1 connection),
    the cost is $720 a year with little admin time involved. That compares
    favorably to the cost of hardware/software and administering an email server.

    We are looking at IDS/IPS solutions anyway, and I am hoping there are
    possibilities which could be affordable and easily administered (we already
    run Windows 2003 in a single active directory domain with SQL and IIS;
    there are four single person remote offices, and a PC classroom with 21
    PC's). I would like an IDS/IPS solution which can be either remotely
    managed/updated or easily administered by me...for instance, the Microsoft
    solution, ISA Server, can do a lot, but I would need more time than I have
    available right now to master its possibilities.

    Sentinel and Netscreen are the two IDS/IPS solutions which I know about
    now. I don't know if they could have been set to drop POP3 .zip file
    attachments for the 24 hours between the beginning of MyDoom and
    McAfee's virus updates.

    Tom Milliner, CPA, MCSE, CNE
    2404 Summer Place Dr.
    Irving, TX 75062
    (972) 255-6308
    tom.milliner@verizon.net

    ----- Original Message -----
    From: "Ivan Coric" <ivan.coric@workcoverqld.com.au>
    To: <milliner@gdar.org>; <incidents@securityfocus.com>; <beleguese@yahoo.com>
    Sent: Wednesday, January 28, 2004 5:24 PM
    Subject: RE: Novarg - Stopping .Zip Files

    Tom,
    Do you have an email gateway? If so, why don't you block .zip, .pif, .scr, etc.
    there?

    Kind Regards
    Ivan

    Ivan Coric, CISSP
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au
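The gateway-side attachment policy Ivan suggests (blocking .zip, .pif, .scr and similar at the mail gateway) as an added Python example, not code from anyone in this thread: it parses a message, flags attachments with a blocked extension, and also looks inside .zip attachments for executables, which is the case a plain extension match misses. The message, filenames and extension list are constructed here for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Extensions to block outright (from the thread, plus common executable types),
# and archive types whose contents are inspected rather than blocked blindly.
BLOCKED_EXT = {".pif", ".scr", ".exe", ".cmd", ".bat", ".com"}
ARCHIVE_EXT = {".zip"}

def _ext(name):
    """Lower-cased final extension of a filename, or '' if it has none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""

def risky_attachments(raw):
    """Return (filename, reason) for each attachment that violates the policy."""
    msg = message_from_bytes(raw, policy=default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in BLOCKED_EXT:
            findings.append((name, "blocked extension"))
        elif ext in ARCHIVE_EXT:
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    inner = [n for n in zf.namelist() if _ext(n) in BLOCKED_EXT]
            except zipfile.BadZipFile:
                inner = None  # unreadable archive: cannot inspect, so flag it
            if inner is None:
                findings.append((name, "corrupt or non-zip archive"))
            elif inner:
                findings.append((name, "archive contains " + ", ".join(inner)))
    return findings

def build_sample():
    """Constructed message: a benign zip, a zip hiding an .scr, and a bare .pif."""
    def make_zip(names):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n in names:
                zf.writestr(n, b"placeholder")
        return buf.getvalue()
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "see attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(make_zip(["report.txt"]), maintype="application", subtype="zip", filename="report.zip")
    msg.add_attachment(make_zip(["document.txt", "readme.scr"]), maintype="application", subtype="zip", filename="message.zip")
    msg.add_attachment(b"MZ...", maintype="application", subtype="octet-stream", filename="body.pif")
    return msg.as_bytes()
```

Running `risky_attachments(build_sample())` flags message.zip and body.pif and lets report.zip through.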

    >>> "Tom Milliner" <milliner@gdar.org> 01/29/04 02:53am >>>

    Could someone tell me if there is an IPS solution
    which could be quickly programmed to stop .zip
    files? I wish we could have stopped .zip files long
    enough for our anti-virus program to get its updates.

    Tom Milliner, CPA, MCSE
    Director of Information Services
    Greater Dallas Assc of Realtors
    8201 N. Stemmons Frwy
    Dallas, TX 75247
    www.gdar.org
    mail to: milliner@gdar.org
    (214) 540-2741

    -----Original Message-----
    From: sloppy seconds [mailto:beleguese@yahoo.com]
    Sent: Tuesday, January 27, 2004 10:32 PM
    To: incidents@securityfocus.com
    Subject: Novarg

    To all,

    Yes as many of you have noticed Novarg is spreading
    fast. I work for a large international corporation and
    we have seen extensive infiltration. However, this
    worm has not proved to be as "damaging" as some may
    claim. The scary part is that our investment in AV
    solutions (Trend, Symantec, et al...) has not
    protected us. We are now reconsidering our stance on
    allowing .ZIP files in Email.

    We engineered our own cleaning utility hours before
    our AV vendors even had signatures. Infecting lab
    clients and using diff tools...etc

    From a network perspective we are watching for the
    supposed DOS against SCO.

    We have had the outbreak under control just a few
    hours after its inception.

    Anyone care to contribute their experience?

    Thanks,
    Beleguese

    ***************************************************************************
    Messages included in this e-mail and any of its attachments are those
    of the author unless specifically stated to represent WorkCover Queensland. The
    contents of this message are to be used for the intended purpose only and are to
    be kept confidential at all times.
    This message may contain privileged information directed only to the intended
    addressee/s. Accidental receipt of this information should be deleted promptly
    and the sender notified.
    This e-mail has been scanned by Sophos for known viruses.
    However, no warranty nor liability is implied in this respect.
    **********************************************************************