Update Protections against Recent Malware Threats (30-Apr-08)

Overview
Details
Protection

Check Point Reference:	CPAI-2008-067
Date Published:
Severity:
Source:	http://www.emsisoft.com/en/malware/?Adware.Win32.MusicOfFaith http://spywarefiles.prevx.com/spywarefiles.asp?FXC=DJFC24641892 http://spywaresignatures.com/details.php?spyware=mxs.toolbar
Protection Provided by:	VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 NG with Application Intelligence R55 VSX NGX NGX R65 InterSpect NGX Connectra NGX R62 NGX R61
Who is Vulnerable? Microsoft Windows clients
Vulnerability Description Malware is a software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of forms of hostile, intrusive, or annoying programs like Viruses, worms, Adware, Trojans, and spyware that exploit unprotected clients, using network access to intrude upon organizations, destroying or stealing data. Spyware is computer software that is installed without the user's informed consent on a personal computer to intercept or take partial control over the user's interaction with the computer. Spyware programs can collect various types of personal information, install additional software, redirect Web browser activity, or divert advertising revenue to a third party. Adware is an advertising-supported software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. A Trojan horse is a program that installs malicious software while under the guise of doing something else. Trojans are known for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties with malicious intentions.

Vulnerability Details
The update includes new protections against 3 recent malware threats:

Toolbar: Music of Faith - Music of Faith toolbar hijacks the search engine and the address bar. It may track user's online activities and display advertising within the application itself.

Toolbar: SearchNine - SearchNine toolbar hijacks the address bar and redirect all search traffic to Searchnine engine which is an affilate of Baidu. The toolbar is usually bundled with other malware.

Toolbar: MXS - MXS toolbar hijacks the address bar and redirects search queries and error pages to its own server. It tracks browsing and search queries.

Protection Overview
The update enables the Header Rejection protection and the HTTP Worm Catcher to detect and block the malware based on pre-defined header names and worm signatures.

In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65 & R62

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > HTTP Protocol Inspection > Header Rejection.
2. In the Header Rejection configuration pane, under Settings > Mode, check Active.
3. Enable the following protections:

Toolbar: Music of Faith
Toolbar: SearchNine 1
Toolbar: SearchNine 2
Toolbar: MXS

4. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.
5. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
6. Enable the following protection:

Toolbar: Music of Faith 1

7. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: Toolbar: Music of Faith 1