Security Best Practice: Get Yourself Familiar with the General HTTP Worm Catcher

Check Point Reference: SBP-2008-03
Date Published:
Severity:
Source: SmartDefense Research Center
Protection Provided by: VPN-1
  • NGX R65
  • NGX R62
  • NGX R61
  • NGX R60
  • NG with Application Intelligence R55
VSX
  • NGX
  • NGX R65
InterSpect
  • NGX
Connectra
  • NGX R62
  • NGX R61
Who is Vulnerable?
HTTP Servers & Clients
Vulnerability Description
A worm is self-replicating malware that propagates by actively sending itself to new machines. Some worms propagate by exploiting security vulnerabilities in HTTP servers or clients. Some worms are able to open back doors, launch Trojans, stop security applications and destroy computer systems.
Web Intelligence can provide protection against many HTTP threats, including preventing attacks that run malicious code on web servers or clients. SmartDefense allows Administrators to configure worm signatures that will be detected and blocked by Gateways. The SmartDefense subscription service regularly updates signature patterns for common worms. In addition, an Administrator can define custom worm patterns.
Vulnerability Details
Web Intelligence's General HTTP Worm Catcher can:

  • Detect worm encoding variants.
  • Detect cross-protocol worms which propagate through different methods, including file sharing over HTTP.
  • Be updated for new worm patterns and classes, manually or automatically (through the SmartDefense subscription service).

Protection Overview
The General HTTP Worm Catcher detects and blocks worms based on pre-defined worm signatures.

To configure the defense, select your product from the list below and follow the related protection steps.

VPN-1 NGX R65, R62 & VPN-1 VSX NGX R65

How Can I Protect My Network?
1. In the SmartDefense tab, click Web Intelligence > Malicious Code > General HTTP Worm Catcher.



2. In the General HTTP Worm Catcher configuration pane, under Settings > Mode, check Active.
3. Under Block HTTP Worms, enable the protections of your choice.
4. Under Protection Scope, choose whether to apply the protections to all HTTP traffic or only to selected web servers.



5. Install policy on all modules.

How to define a custom worm pattern:
1. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, click on Edit.



2. The HTTP General Worm Patterns Definitions pane opens. Click on Add.
3. The Edit Pattern pane opens. Give the pattern a name. This name appears in the log that SmartView Tracker displays when the pattern is detected in HTTP traffic.
4. Under Pattern string, write the regular expression you want to block or detect. Click OK. The newly defined pattern will now appear in the Block HTTP Worms list.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: The Worm's Name

VPN-1 NGX R61 & R60

How Can I Protect My Network?
1. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.



2. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, enable the protections of your choice.
3. Under Protection Scope, choose whether to apply the protections to all HTTP traffic or only to selected web servers.



4. Install policy on all modules.

How to define a custom worm pattern:
1. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, click on Add.
2. The Worm Pattern Settings pane opens. Give the pattern a name. This name appears in the log that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Under Pattern string, write the regular expression you want to block or detect. Click OK. The newly defined pattern will now appear in the Worm Patterns list.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: The Worm's Name

VPN-1 NG with Application Intelligence R55 & VPN-1 VSX NGX

How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Web and enable General HTTP Worm Catcher.



2. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, enable the protections of your choice.
3. Install policy on all modules.

How to define a custom worm pattern:
1. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, click on Add.
2. The Worm Pattern Settings pane opens. Give the pattern a name. This name appears in the log that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Under Pattern string, write the regular expression you want to block or detect. Click OK. The newly defined pattern will now appear in the Worm Patterns list.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: The Worm's Name

InterSpect NGX

How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the Web Intelligence page of the profile.
2. In the Web Intelligence tree, click Malicious Code > General HTTP Worm Catcher.



3. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, enable the protections of your choice.
4. Under Protection Scope, choose whether to apply the protections to all HTTP traffic or only to selected web servers.
5. Install policy on all modules.

How to define a custom worm pattern:
1. In the General HTTP Worm Catcher configuration pane, under Worm Patterns, click on Pattern Definitions.
2. The HTTP Worm Pattern Definitions pane opens. Click on Add. Give the pattern a name. This name appears in the log that SmartView Tracker displays when the pattern is detected in HTTP traffic.
3. Under Pattern string, write the regular expression you want to block or detect. Click OK. The newly defined pattern will now appear in the Worm Patterns list.
4. Install policy on all modules.

How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:

Attack Name: HTTP Worm Catcher
Attack Information: The Worm's Name

Connectra NGX R62 & R61

How Can I Protect My Network?
1. In the navigation tree, click Security > Web Intelligence. In the Malicious Code Protection pane click General HTTP Worm Catcher.
2. Under Worm Patterns, enable the protections of your choice.
3. Install policy on all modules.

How to define a custom worm pattern:
1. In the Malicious Code Protection pane, under Worm Patterns, click on New.
2. The Add Worm Pattern pane opens.



3. Give the pattern a name. This name appears in the log that is displayed in case of an attack.
4. Enter a Pattern String: write the regular expression you want to block. Click OK. The newly defined pattern will now appear in the Worm Patterns list.
5. Install policy on all modules.

How Do I Know if My Network is Under Attack?
Upon attack, the following entries will be logged:

Attack Name: HTTP Worm Catcher
Attack Information: The Worm's Name
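
Before entering a custom Pattern string in any of the procedures above, it helps to check the regular expression offline for false positives and for misses on encoded variants. The following is an added example, not Check Point code: the pattern names, regexes and request lines are constructed for illustration, Python's re module stands in for the gateway's regex engine, and repeated percent-decoding stands in for its handling of encoding variants (both are assumptions).

```python
import re
from urllib.parse import unquote

# Illustrative candidate patterns (name -> regex); not Check Point signatures.
LOOSE = {"cmd-exe-probe": r"(?i)cmd\.exe"}
TIGHT = {
    "cmd-exe-probe": r"(?i)/cmd\.exe(?:\?|\s|$)",
    "ida-long-query": r"(?i)\.ida\?[a-z]{50,}",
}

# Constructed sample request lines, not captured traffic.
BENIGN = [
    "GET /index.html HTTP/1.1",
    "GET /docs/cmd.exe-reference.html HTTP/1.1",
    "GET /search?q=.ida+file+format HTTP/1.1",
]
SUSPECT = [
    "GET /scripts/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/cmd%2eexe?/c+dir HTTP/1.0",    # '.' percent-encoded
    "GET /scripts/cmd%252eexe?/c+dir HTTP/1.0",  # double-encoded
    "GET /default.ida?" + "N" * 60 + " HTTP/1.0",
]

def normalize(request_line, max_rounds=3):
    """Percent-decode until stable so encoding variants compare equal."""
    current = request_line
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current

def first_match(request_line, patterns):
    """Return the name of the first pattern that matches, or None.
    The name is what would identify the pattern in the log."""
    text = normalize(request_line)
    for name, regex in patterns.items():
        if re.search(regex, text):
            return name
    return None

def evaluate(patterns, benign, suspect):
    """List benign lines that would be blocked and suspect lines missed."""
    return {
        "false_positives": [l for l in benign if first_match(l, patterns)],
        "missed": [l for l in suspect if not first_match(l, patterns)],
    }

if __name__ == "__main__":
    for label, pats in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, evaluate(pats, BENIGN, SUSPECT))
```

The loose pattern flags a benign documentation URL and misses the long-query request, while the tightened set matches every suspect line and none of the benign ones.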