Using ISA Server 2004 Firewalls to Protect Against Ject

Published on 2 July 2004 / Last updated on 21 May 2013

Use your ISA 2004 firewall to whack the Ject virus! Check out this article for full step-by-step details and a link to Jim Harrison's one-of-a-kind, best-of-breed Block Ject script for ISA firewalls.


by Thomas W Shinder MD, MVP

Got questions? Discuss this article over at
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000105

Ject traffic is carried in a standard HTTP response header, and uses TCP port 80 (the default HTTP port) for its attack vector. Because everyone needs access to HTTP, you can’t just block this port, so your PIX firewall isn’t going to help you. However, if you have a stateful filtering and stateful application layer inspection firewall like ISA Server 2004, you’ll be able to protect yourself against Ject.


Internal hosts are vulnerable to Ject if:

  1. The internal host does not have the MS04-013 (http://www.microsoft.com/technet/security/bulletin/MS04-013.mspx) patch applied
  2. ISA Server 2004 is not configured to block Ject-formatted HTTP response headers

The default configuration of ISA Server 2004 does not include the HTTP Security Filter definition required to block Ject. However, you can create your own to get the required protection.

To help prevent Ject traffic through ISA Server 2004:

  • First, back up your current firewall policy before making any changes to it. This will allow you to restore your current configuration in case you run into problems related to the configuration used to protect against Ject.
  • Create an HTTP Security Filter signature, using the definitions described below, on each Access Rule that uses the HTTP protocol.

You also need to protect the ISA Server 2004 firewall itself from the Ject worm. A computer with ISA Server 2004 installed is vulnerable to internal attack by the Ject worm if it has not had the MS04-013 patch applied.

  • Warning:
    Because the ISA 2004 firewall itself makes use of System Policy for Internet access and System policies cannot use HTTP Filters, you cannot apply the same filter settings to system rules. For this reason, and many more, you should never browse the Internet from the firewall.

If you are using an "all open" outbound access policy, you only need to apply the HTTP Security Filter changes to your "Allow all" rule. If you have multiple rules controlling HTTP access, then you will need to apply the HTTP Filter settings to any Access Rule that includes the ISA firewall’s built in HTTP protocol definition.

You may also obtain a script from www.isatools.org that will automate the following steps. You can download it at http://isatools.org/block_ject.vbs. This script creates the same policy rule changes as described below and will also create a backup of your current firewall policies.

  • Note:
    You should only add HTTP Filter settings to rules that:
      1. Are Access Rules (not Web Publishing Rules)
      2. Are Allow Rules
      3. Have HTTP included in the Protocols column

Also, you should be aware that Deny rules, even those that specify All Except HTTP, cannot use HTTP Security Filter settings (the HTTP filter automatically denies connections meeting the parameters included in the HTTP Security Filter).

To block Ject response traffic:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the left pane of the console and click the Firewall Policy node.
  2. Click the first Allow rule that includes the HTTP protocol.
  3. Right-click the Access Rule and click the Configure HTTP command.
  4. In the Configure HTTP policy for rule dialog box, click the Signatures tab and click Add.
  5. In the Signature dialog box, enter Download.Ject in the Name text box.
  6. In the Description text box, enter Blocks Malicious Location headers that attempt to exploit MS04-013.
  7. In the Search In drop-down list, select the Response headers option.
  8. In the HTTP Header text box, enter Location.
  9. In the Signature field, enter C:\ and then click OK.
  10. Click Apply and then click OK in the Configure HTTP policy for rule dialog box.
  11. Repeat steps 3 through 10 for each Access Rule that is an Allow rule including the HTTP protocol.
  12. Click Apply in the Microsoft Internet Security and Acceleration Server 2004 management console to save the changes to the firewall policy.
  13. Click OK in the Apply New Configuration dialog box.
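To make clear what the signature configured above actually matches, here is an added example (written for this article, not ISA's own filter code and not the isatools.org script) that models an ISA 2004 response-header signature and runs it over two constructed HTTP responses. It assumes the ISA signature is a plain substring test on the named header's value; the sample responses are constructed, not captured traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HeaderSignature:
    """One HTTP Security Filter signature that searches response headers."""
    name: str      # signature name shown in the ISA console
    header: str    # response header to inspect
    pattern: str   # substring in the header value that triggers a block


# The signature from the procedure above: a Location header pointing at a local drive.
DOWNLOAD_JECT = HeaderSignature("Download.Ject", "Location", "C:\\")


def parse_response_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split the head of an HTTP response into (name, value) pairs.

    Only the block before the first blank line is read; the status line is skipped
    and lines without a colon are ignored rather than raising.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = []
    for line in head.split("\r\n")[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.append((name.strip(), value.strip()))
    return headers


def match_signature(raw: bytes, sig: HeaderSignature) -> Optional[str]:
    """Return the signature name if a matching header carries the pattern, else None.

    Header names compare case-insensitively (HTTP header names are not case-sensitive);
    the value check is a plain substring test, an assumption about the ISA filter.
    """
    for name, value in parse_response_headers(raw):
        if name.lower() == sig.header.lower() and sig.pattern in value:
            return sig.name
    return None


# Constructed sample responses: an ordinary redirect and one the signature should block.
BENIGN = b"HTTP/1.1 302 Found\r\nLocation: http://www.example.com/login\r\n\r\n"
SUSPECT = b"HTTP/1.1 302 Found\r\nlocation: C:\\placeholder\\file.htm\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("benign", BENIGN), ("suspect", SUSPECT)):
        verdict = match_signature(resp, DOWNLOAD_JECT)
        print(f"{label}: {'BLOCK ' + verdict if verdict else 'allow'}")
```

Note that the lower-case `location:` header in the second sample still matches, which is why the header-name comparison must ignore case.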


For More Information

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=25;t=000105 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
