Update Protections against Recent Malware Threats (22-Mar-09)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-042
Date Published:
Severity:
Source:	iWonBar Trojan-Downloader.Win32.Delf.phh
Protection Provided by:	Security Gateway R70 VPN-1 NGX R65 NGX R62 NGX R61 NGX R60 VSX NGX R65 InterSpect NGX
Who is Vulnerable? Microsoft Windows clients
Vulnerability Description The update includes new protections against 2 recent malware threats: iWonBar - iWonBar is a toolbar the hijacks the browser. It alters the Internet Explorer settings unexpectedly, tracks the user web activities and hijacks the user searches to its controlling server. Trojan-Downloader.Win32.Delf.phh - Trojan-Downloader.Win32.Delf.phh is an application that requests and downloads files and malware binaries to the user's computer. It also creates start-up registry entries on the victim's host.

Vulnerability Details
Malware is a software designed to infiltrate or damage a computer system without the owner's informed consent. It is a general name for a variety of forms of hostile, intrusive, or annoying programs like Viruses, worms, Adware, Trojans, and spyware that exploit unprotected clients, using network access to intrude upon organizations, destroying or stealing data.

Spyware is computer software that is installed without the user's informed consent on a personal computer to intercept or take partial control over the user's interaction with the computer. Spyware programs can collect various types of personal information, install additional software, redirect Web browser activity, or divert advertising revenue to a third party.

Adware is an advertising-supported software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used.

A Trojan horse is a program that installs malicious software while under the guise of doing something else. Trojans are known for installing backdoor programs which allow unauthorized non permissible remote access to the victim's machine by unwanted parties with malicious intentions.

Protection Overview
The update enables the Header Rejection protection and the HTTP Worm Catcher to detect and block the malware based on pre-defined header names and worm signatures.

In order for the protection to be activated, update your Security Gateway/VPN-1/InterSpect product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.

To configure the defense, select your product from the list below and follow the related protection steps.

Security Gateway R70

How Can I Protect My Network?
1. In the IPS tab, click Protections > By Protocol > Web Intelligence > HTTP Protocol Inspection.
2. In the right pane, double-click the Header Rejection protection.
3. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect).
4. Under Additional Settings > Header Rejection, enable the following protections:

iWonBar 1
Trojan-Downloader: Win32.Delf.phh

5. In the IPS tab, click Protections > By Protocol > Web Intelligence > Malicious Code.
6. In the right pane, double-click the General HTTP Worm Catcher protection.
7. In the Protection Details window, click on Edit. Choose the protection's Action (Override IPS Policy with: Prevent/Detect).
8. Under Additional Settings > Block HTTP Worms, enable the following protections:

iWonBar
Trojan-Downloader: Win32.Delf.phh 1
Trojan-Downloader: Win32.Delf.phh 2
Trojan-Downloader: Win32.Delf.phh 3
Trojan-Downloader: Win32.Delf.phh 4

9. Install policy on all modules.