AppShield
Nimda opens any and all files on your hard drive, including internal
directories and root files (root.exe), exposing all your mission-critical
information. AppShield recognizes this as forceful browsing or a
backdoor/debug vulnerability, and therefore as unauthorized behavior.
AppShield blocks this behavior and so prevents any manipulation of the
business logic on your hard drive as a result of this attack.
Similarly, Nimda also tries to execute commands via the web server
(Stealth Commanding), and AppShield stops this malicious behavior as well,
before your server corrupts others in the line of fire. AppShield automatically
blocks all attacks against unpatched IIS systems. AppShield blocks requests for
pages that were not requested by a valid authorized web page.
Any request for the following pages is therefore disallowed, as none
of them is a valid page that would be called directly by another web page:
    get_mem_bin
    vti_bin
    owssvr.dll
    Root.exe
    CMD.EXE
    ../ (Unicode)
    Getadmin.dll
    Default.IDA
    /Msoffice/
    cltreq.asp
Finally, AppShield blocks all requests containing non-safe characters.
For instance, all high-bit Unicode characters are by default non-safe.
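The two request checks described above can be modelled for log review as follows. This is an added example, not AppShield's implementation or Sanctum's code; the set of linked URLs, the sample request paths and the function names are constructed assumptions, and the name list is the one given on this page.

```python
from urllib.parse import unquote_to_bytes

# Names this page lists as never called directly by a valid page (lowercased).
LISTED = ["get_mem_bin", "vti_bin", "owssvr.dll", "root.exe", "cmd.exe",
          "../", "getadmin.dll", "default.ida", "/msoffice/", "cltreq.asp"]

# Assumption: URLs that the site's own pages link to (constructed sample).
LINKED = {"/", "/index.html", "/products/list.asp"}

# Constructed request paths for illustration, not captured traffic.
SAMPLE = ["/index.html", "/products/list.asp?id=7", "/root.exe?x",
          "/vti_bin/owssvr.dll", "/a/../index.html", "/caf%e9.html",
          "/Default.IDA"]


def check(path, linked=LINKED):
    """Return the reasons a request path is refused; an empty list means allowed."""
    reasons = []
    raw = unquote_to_bytes(path)  # decode %XX escapes once, keep raw bytes
    # Non-safe characters: any high-bit byte, raw or percent-encoded.
    if any(b >= 0x80 for b in raw):
        reasons.append("non-safe character")
    # Forceful browsing: the page (query string removed) is not one
    # that a valid page links to.
    if path.split("?", 1)[0] not in linked:
        reasons.append("not linked from a valid page")
    # Reviewer aid: say which of the page's listed names appear.
    text = raw.decode("latin-1").lower()
    hits = [name for name in LISTED if name in text]
    if hits:
        reasons.append("listed name: " + ", ".join(hits))
    return reasons


def report(paths=SAMPLE):
    """Map each sample path to its refusal reasons."""
    return {p: check(p) for p in paths}


if __name__ == "__main__":
    for path, reasons in report().items():
        print("BLOCK" if reasons else "ALLOW", path, "; ".join(reasons))
```

The listed names are refused by the link check alone; the name match only labels them so that a reviewer can tell worm probes from ordinary broken links.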
AppScan
The worm is injected through the use of known IIS vulnerabilities.
AppScan can scan for those vulnerabilities and provide the detailed
application risk assessment required to alert users to the severity
of their application vulnerability with a link to the patch or coding
technique required to avoid further destruction.
Contacts:
Izhar Bar-Gad
Sanctum, Inc.
Phone: (408) 352-2000
EMail: [email protected]