Update Protection against Recent Malware Threats (21-Jul-09)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-135
Date Published:
Severity:
Source:	Rogue-Software: ANG AntiVirus 09 Rogue-Software: CoreGuard Antivirus 2009 Rogue-Software: PerfectDefender2009 Rogue-Software: System Security 2009 Rogue-Software: Antivirus 2010 Trickler: Downloader.Banload.AKBB Trickler: Infostealer.Gampass Trickler: Trojan-Downloader.Win32.Agent.bjkd Trickler: Trojan-Downloader.Win32.Agent.biiw Trickler: Trojan-Downloader.Win32.FraudLoad.dyl Trickler: Trojan.Win32.Banload.HH Trickler: Trojan.Win32.Ertfor.A Trickler: Win32.Mudrop.lj Trojan: Backdoor.Win32.GGDoor.22 Trojan: Trojan-Downloader.Win32.Small.jog Trojan: Trojan.Win32.Small.bwj Trojan: Worm.Win32.Deecee.a Worm: Trojan.Win32.Nebuler.D Worm: Worm.Win32.AutoRun.aczu Worm: Worm.Win32.Bagle.gen.C Worm: Brontok.C
Protection Provided by:	Security Gateway R70 VPN-1 NGX R65 VSX NGX R65
Who is Vulnerable? Microsoft Windows clients
Vulnerability Description The update includes new protections against 21 recent malware threats: Rogue-Software: ANG AntiVirus 09 Rogue-Software: CoreGuard Antivirus 2009 Rogue-Software: PerfectDefender2009 Rogue-Software: System Security 2009 Rogue-Software: Antivirus 2010 Trickler: Downloader.Banload.AKBB Trickler: Infostealer.Gampass Trickler: Trojan-Downloader.Win32.Agent.bjkd Trickler: Trojan-Downloader.Win32.Agent.biiw Trickler: Trojan-Downloader.Win32.FraudLoad.dyl Trickler: Trojan.Win32.Banload.HH Trickler: Trojan.Win32.Ertfor.A Trickler: Win32.Mudrop.lj Trojan: Backdoor.Win32.GGDoor.22 Trojan: Trojan-Downloader.Win32.Small.jog Trojan: Trojan.Win32.Small.bwj Trojan: Worm.Win32.Deecee.a Worm: Trojan.Win32.Nebuler.D Worm: Worm.Win32.AutoRun.aczu Worm: Worm.Win32.Bagle.gen.C Worm: Brontok.C

Vulnerability Details
Malware is a software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of forms of hostile, intrusive, or annoying programs like Viruses, worms, Adware, Trojans, and spyware that exploit unprotected clients, using network access to intrude upon organizations, destroying or stealing data.

Rogue Software is a software that uses Malware or malicious tools to advertise or install itself or to force computer users to pay for removal of nonexistent malware. Rogue software will often install a trojan horse to download a trial version, or it will execute other unwanted actions.

Tricklers are software designed to download and install malicious applications by running silently in the background to be less noticeable. Tricklers are typically used to install a spyware programs onto the victim's machine.

A Trojan horse is a program that installs malicious software while under the guise of doing something else. Trojans are known for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties with malicious intentions.

Worms are malicious programs that spread themselves without any user intervention and have a self-replicating behavior. A Worm may consume a large amount of system resources and cause the machine to become unreliable. Moreover, some Worms may be used to compromise infected machines and download additional malicious software.

Protection Overview
The update enables the Header Rejection protection and the HTTP Worm Catcher to detect and block the malware based on pre-defined header names and worm signatures.

In order for the protection to be activated, update your Security Gateway/VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Protocol Inspection.
2. In the right pane, double-click the Header Rejection protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect).
4. Under Additional Settings > Header Rejection, enable the following protections:

Rogue-Software: ANG AntiVirus 09
Rogue-Software: CoreGuard Antivirus 2009
Rogue-Software: PerfectDefender2009
Rogue-Software: System Security 2009
Trickler: Downloader.Banload.AKBB
Trickler: Infostealer.Gampass
Trickler: Trojan-Downloader.Win32.Agent.bjkd 1
Trickler: Trojan-Downloader.Win32.Agent.bjkd 2
Trickler: Trojan-Downloader.Win32.Agent.bjkd 3
Trickler: Trojan-Downloader.Win32.Agent.biiw
Trickler: Trojan-Downloader.Win32.FraudLoad.dyl
Trickler: Trojan.Win32.Banload.HH 1
Trickler: Trojan.Win32.Banload.HH 2
Trickler: Trojan.Win32.Ertfor.A 1
Trickler: Trojan.Win32.Ertfor.A 2
Trickler: Win32.Mudrop.lj
Trojan: Backdoor.Win32.GGDoor.22
Trojan: Trojan-Downloader.Win32.Small.jog
Trojan: Trojan.Win32.Small.bwj
Trojan: Worm.Win32.Deecee.a
Worm: Trojan.Win32.Nebuler.D 1
Worm: Trojan.Win32.Nebuler.D 2
Worm: Trojan.Win32.Nebuler.D 3
Worm: Worm.Win32.AutoRun.aczu
Worm: Worm.Win32.Bagle.gen.C

5. In the IPS tab, click Protections > By Protocol > Web Intelligence > Malicious Code.
6. In the right pane, double-click the General HTTP Worm Catcher protection.
7. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect).
8. Under Additional Settings > Block HTTP Worms, enable the following protections:

Rogue-Software: ANG AntiVirus 09 1
Rogue-Software: Antivirus 2010
Trickler: Trojan-Downloader.Win32.Agent.bjkd
Trojan: Backdoor.Win32.GGDoor.22 1
Worm: Brontok.C

9. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: Header Rejection
Attack Information:
Rogue-Software: ANG AntiVirus 09
Rogue-Software: CoreGuard Antivirus 2009
Rogue-Software: PerfectDefender2009
Rogue-Software: System Security 2009
Trickler: Downloader.Banload.AKBB
Trickler: Infostealer.Gampass
Trickler: Trojan-Downloader.Win32.Agent.bjkd 1
Trickler: Trojan-Downloader.Win32.Agent.bjkd 2
Trickler: Trojan-Downloader.Win32.Agent.bjkd 3
Trickler: Trojan-Downloader.Win32.Agent.biiw
Trickler: Trojan-Downloader.Win32.FraudLoad.dyl
Trickler: Trojan.Win32.Banload.HH 1
Trickler: Trojan.Win32.Banload.HH 2
Trickler: Trojan.Win32.Ertfor.A 1
Trickler: Trojan.Win32.Ertfor.A 2
Trickler: Win32.Mudrop.lj
Trojan: Backdoor.Win32.GGDoor.22
Trojan: Trojan-Downloader.Win32.Small.jog
Trojan: Trojan.Win32.Small.bwj
Trojan: Worm.Win32.Deecee.a
Worm: Trojan.Win32.Nebuler.D 1
Worm: Trojan.Win32.Nebuler.D 2
Worm: Trojan.Win32.Nebuler.D 3
Worm: Worm.Win32.AutoRun.aczu
Worm: Worm.Win32.Bagle.gen.C

Attack Name: HTTP Worm Catcher
Attack Information:
Rogue-Software: ANG AntiVirus 09 1
Rogue-Software: Antivirus 2010
Trickler: Trojan-Downloader.Win32.Agent.bjkd
Trojan: Backdoor.Win32.GGDoor.22 1
Worm: Brontok.C

VPN-1 NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.
2. In the Header Rejection configuration pane, under Header Rejection Settings > Mode, check Active.
3. Enable the following protections:

Rogue-Software: ANG AntiVirus 09
Rogue-Software: CoreGuard Antivirus 2009
Rogue-Software: PerfectDefender2009
Rogue-Software: System Security 2009
Trickler: Downloader.Banload.AKBB
Trickler: Infostealer.Gampass
Trickler: Trojan-Downloader.Win32.Agent.bjkd 1
Trickler: Trojan-Downloader.Win32.Agent.bjkd 2
Trickler: Trojan-Downloader.Win32.Agent.bjkd 3
Trickler: Trojan-Downloader.Win32.Agent.biiw
Trickler: Trojan-Downloader.Win32.FraudLoad.dyl
Trickler: Trojan.Win32.Banload.HH 1
Trickler: Trojan.Win32.Banload.HH 2
Trickler: Trojan.Win32.Ertfor.A 1
Trickler: Trojan.Win32.Ertfor.A 2
Trickler: Win32.Mudrop.lj
Trojan: Backdoor.Win32.GGDoor.22
Trojan: Trojan-Downloader.Win32.Small.jog
Trojan: Trojan.Win32.Small.bwj
Trojan: Worm.Win32.Deecee.a
Worm: Trojan.Win32.Nebuler.D 1
Worm: Trojan.Win32.Nebuler.D 2
Worm: Trojan.Win32.Nebuler.D 3
Worm: Worm.Win32.AutoRun.aczu
Worm: Worm.Win32.Bagle.gen.C

4. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
5. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
6. Enable the following protections:

Rogue-Software: ANG AntiVirus 09 1
Rogue-Software: Antivirus 2010
Trickler: Trojan-Downloader.Win32.Agent.bjkd
Trojan: Backdoor.Win32.GGDoor.22 1
Worm: Brontok.C

7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

VPN-1 VSX NGX R65

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Legal Notice for Threat Center Advisories