Check Point Reference: | SBP-2008-29 |
Date Published: | 15 Aug 2008 |
Severity: | High |
Last Updated: | Tuesday 01 January, 2008 |
Source: | CERT Advisory CA-2001-26: Nimda Worm |
Protection Provided by: | |
Who is Vulnerable? | Microsoft Windows Users, Samba Clients |
Vulnerability Description | A worm is self-replicating malware (malicious software) that propagates by actively sending itself to new machines. CIFS, the Common Internet File System (sometimes called SMB), is a protocol for sharing files and printers. The protocol is implemented and widely used by Microsoft operating systems, as well as by Samba clients. Many worms, once they have infected a host, use CIFS as their means of propagation. |
Vulnerability Details | Patterns are matched against the file names (including file paths but excluding the disk share name) that the client is trying to read from or write to the server. These patterns can also be used to block certain CIFS services (like the remote registry service) that utilize the IPC$ pseudo share. If IPS matches a file name against one of the patterns in its list of worm patterns, the packet is dropped. |
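
The matching described under Vulnerability Details, sketched as an added example (not Check Point's code or pattern list). The patterns, server and share names, and sample requests are constructed; case-insensitive glob matching against both the full path and the file name is an assumption.

```python
import fnmatch

# Constructed patterns for illustration only; not Check Point's worm pattern list.
# "winreg" is the named pipe of the remote registry service, opened via IPC$.
PATTERNS = ["*.wormsample", "dropper_example.dll", "winreg"]

# Constructed sample requests: (operation, UNC path the client asked for).
SAMPLE_REQUESTS = [
    ("write", r"\\fs01\public\docs\report.doc"),
    ("write", r"\\fs01\public\docs\invoice.WormSample"),
    ("read",  r"\\fs01\dropper_example.dll\notes.txt"),  # pattern text only in share name
    ("write", r"\\fs01\users\alice\Dropper_Example.dll"),
    ("read",  r"\\fs01\IPC$\winreg"),
    ("read",  r"\\fs01\IPC$\srvsvc"),
]


def path_without_share(unc):
    """Return the path below the share name, lower-cased (assumed case-insensitive)."""
    parts = unc.replace("/", "\\").lstrip("\\").split("\\", 2)
    if len(parts) < 2:
        raise ValueError("not a UNC path: %r" % unc)
    # parts[0] is the server, parts[1] the share; both are excluded from matching.
    return parts[2].lower() if len(parts) == 3 else ""


def matched_pattern(unc, patterns=PATTERNS):
    """Return the first pattern matching the full path or its file name, else None."""
    path = path_without_share(unc)
    name = path.rsplit("\\", 1)[-1]
    for pat in patterns:
        p = pat.lower()
        if fnmatch.fnmatchcase(path, p) or fnmatch.fnmatchcase(name, p):
            return pat
    return None


def verdicts(requests=SAMPLE_REQUESTS):
    """Map each request to 'drop' or 'accept', following the advisory's rule."""
    return [(op, unc, "drop" if matched_pattern(unc) else "accept")
            for op, unc in requests]


if __name__ == "__main__":
    for op, unc, action in verdicts():
        print("%-6s %-5s %s" % (action, op, unc))
```

Because the share name is stripped before matching, the third request is accepted even though its share name equals a pattern, and a pattern such as `winreg` applies to any share, not only IPC$.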