Update Protections against Recent Malware Threats (18-Dec-07)

Vulnerability
Protection

Check Point Reference:	CPAI-2007-138
Date Published:
Severity:
Source:	http://www.spywareremove.com/removeSideFind.html http://www.spywareguide.com/product_show.php?id=481 http://www.spywareguide.com/spydet_2594_gralicwrap.html http://www.spywareguide.com/spydet_3785_personal_web.html http://www.spywareguide.com/spydet_1253_browseracclerator.html http://www.spywareguide.com/spydet_2535_sexyvideoscreensaver.html http://research.sunbelt-software.com/threatdisplay.aspx?name=Trojan-Downloader.Delf.AMB&threatid=123651
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55 VSX NGX InterSpect NGX Connectra NGX R62 NGX R61
Who is Vulnerable? Microsoft Windows clients
Vulnerability Description Malware is a software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of forms of hostile, intrusive, or annoying programs like Viruses, worms, Adware, Trojans, and spyware that exploit unprotected clients, using network access to intrude upon organizations, destroying or stealing data. Spyware is computer software that is installed without the user's informed consent on a personal computer to intercept or take partial control over the user's interaction with the computer. Spyware programs can collect various types of personal information, install additional software, redirect Web browser activity, or divert advertising revenue to a third party. Adware is an advertising-supported software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. A Trojan horse is a program that installs malicious software while under the guise of doing something else. Trojans are known for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties with malicious intentions.

Vulnerability Details
The update includes new protections against 7 recent malware threats:

Adware: Hotbar - Hotbar is a browser hijacker toolbar and adware application that alters the Internet Explorer search settings. It hijacks the browser's autosearch and search assistant functions, and tracks the user's web activity, passing information to its controlling server and pops up advertisements.

Adware: PersonalWeb - PersonalWeb is a browser hijacking and tracking application. It alters the browser settings, tracks the user's web activity and passes the information to its servers without the user's consent.

Spyware: Side Find - Side Find is a website search engine with specialized search functions. It can also be downloaded as an Internet Explorer toolbar. It may change the browser settings without user permission, changing the user's homepage and redirect to error pages on its own server.

Spyware: GralicWrap - GralicWrap is an Application that alters the Internet Explorer settings and monitors a user's web activity. Every website that the user visits is verified against a centralized database. It can potentially slow down the user's system since all internet activity has to be transmitted to the GralicWrap servers.

Spyware: SexyVideoScreenSaver - SexyVideoScreenSaver is a browser hijacking application. It changes the browser settings without user permission, changing the user's homepage to www.icoonet.net.

Spyware: Browser Accelerator - Browser Accelerator is a toolbar plug-in that adds third party utility bar to the web browser such as search function and search results for paid advertisers. It is a tracking application that collects personal information and can associate it with the user's browsing and searching habits.

Spyware: Trojan Downloader Delf - Trojan Downloader Delf downloads malicious code without the user's consent. It may also pop-up fake alerts, replaces Google's feed and displays fake entries while returning search results.

Protection Overview
The update enables the Header Rejection protection and the HTTP Worm Catcher to detect and block the malware based on pre-defined header names and worm signatures.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Additional Information
The update released on December 18, 2007 includes the following protections:

FLAC Project libFLAC Picture Buffer Vulnerability (CPAI-2007-136)
Apple QuickTime Crafted RTSP Response Buffer Overflow Vulnerability (CPAI-2007-137)
Recent Malware Threats (18-Dec-07) CPAI-2007-138
Microsoft Windows Message Queuing Code Execution Vulnerability (MS07-065) CPAI-2007-139
Microsoft AVI File Parsing Code Execution Vulnerability (MS07-064) CPAI-2007-140

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.
2. In the Header Rejection configuration pane, under Settings > Mode, check Active.
3. Enable the following protections:

Adware: Hotbar
Adware: PersonalWeb 1
Adware: PersonalWeb 2
Spyware: Side Find
Spyware: SexyVideoScreenSaver
Spyware: Browser Accelerator
Spyware: Trojan Downloader Delf

4. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
5. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
6. Enable the following protections:

Adware: Hotbar
Spyware: GralicWrap1
Spyware: GralicWrap2

7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries: