Sober resurface

  • Thread starter: Curt Shaffer

Curt Shaffer

All,

I am working on a plan to try and help minimize the effect of the possible
Sober resurfacing on Jan. 5/6th. After reading the SecurityFocus article
that this worm relies on NTP to know when to release, I am wondering about the
feasibility of blocking NTP out to the internet that week except for the
certain devices that need it. Does anyone have input on this?

Thanks

Curt
 
Curt Shaffer said:
All,

I am working on a plan to try and help minimize the effect of the possible
Sober resurfacing on Jan. 5/6th. After reading the SecurityFocus article
that this worm relies on NTP to know when to release, I am wondering about the
feasibility of blocking NTP out to the internet that week except for the
certain devices that need it. Does anyone have input on this?

It's in your best interest to configure your firewall to only allow in or
out those protocols you are specifically using, to and from only those
systems on your network that need those protocols.

However, I'm not sure that is going to stop Sober specifically. It seems
reasonable to assume Sober would keep spreading even if NTP was
unsuccessful.
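
Added example, not part of the original posts: before restricting outbound NTP to the devices that need it, the firewall's own log can show which internal hosts send NTP to the internet and are not on the approved list. It assumes log lines in the Linux netfilter LOG style (abbreviated here); the internal range, the approved client list and every address are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the thread): internal range, approved NTP clients,
# and abbreviated netfilter LOG-style lines. All values are constructed.
INTERNAL_NET = ip_network("10.0.0.0/8")
APPROVED_NTP_CLIENTS = {ip_address("10.0.0.2"), ip_address("10.0.0.3")}

SAMPLE_LOG = """\
Jan  4 09:00:01 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.2 DST=192.0.2.50 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  4 09:00:07 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=198.51.100.9 LEN=76 TTL=127 PROTO=UDP SPT=1042 DPT=123 LEN=56
Jan  4 09:00:09 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.4.17 DST=203.0.113.4 LEN=76 TTL=127 PROTO=UDP SPT=1043 DPT=123 LEN=56
Jan  4 09:01:12 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=192.0.2.80 LEN=60 TTL=127 PROTO=TCP SPT=3301 DPT=80 WINDOW=8192 SYN
Jan  4 09:02:30 fw kernel: IN=eth0 OUT=eth1 SRC=192.0.2.50 DST=10.0.0.2 LEN=76 TTL=52 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan  4 09:03:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.9.30 DST=10.0.0.2 LEN=76 TTL=127 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the first-seen SRC/DST/PROTO/DPT fields of one log line."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields

def unapproved_ntp_sources(log_text):
    """Count outbound UDP/123 packets per internal host not on the approved list."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or f.get("DPT") != "123":
            continue
        try:
            src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated line
        # Outbound: internal source, external destination.
        outbound = src in INTERNAL_NET and dst not in INTERNAL_NET
        if outbound and src not in APPROVED_NTP_CLIENTS:
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for host, count in sorted(unapproved_ntp_sources(SAMPLE_LOG).items()):
        print(f"{host}: {count} NTP packets to the internet, not approved")
```

Hosts it reports are either legitimate NTP clients missing from the approved list or machines worth a closer look before the rule is enforced.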
 
Curt Shaffer said:
All,

I am working on a plan to try and help minimize the effect of the possible
Sober resurfacing on Jan. 5/6th. After reading the SecurityFocus article
that this worm relies on NTP to know when to release, I am wondering about the
feasibility of blocking NTP out to the internet that week except for the
certain devices that need it. Does anyone have input on this?

It's much more common and effective to implement an antivirus scanner on
your SMTP gateway and/or internal email servers to scan all email for
viruses and block known bad attachments.
 