Here is a post in the worm forum:

Time for net admins to do a little blocking
08-22-2003 1:45:54 PM CST -- from the folks at Sophos

Sophos experts have advised network and system administrators that they can take immediate action to prevent the W32/Sobig-F worm from downloading a potentially malicious update from the internet. The worm contains a list of encrypted IP addresses inside its code, which the Sobig-F infected computers use to signal their availability for an update. Infected computers will communicate with the IP addresses on UDP port 8998. They will also be listening on UDP ports 995-999 - perhaps in readiness for the updates to arrive.

Sophos analysts have decrypted the list of IP addresses and have reproduced it below:

12.158.102.205 12.232.104.221 24.33.66.38 24.197.143.132 24.202.91.43 24.206.75.137 24.210.182.156 61.38.187.59 63.250.82.87 65.92.80.218 65.92.186.145 65.95.193.138 65.93.81.59 65.177.240.194 66.131.207.81 67.9.241.67 67.73.21.6 68.38.159.161 68.50.208.96 218.147.164.29

Sophos has attempted to contact the owners of the IP addresses, and some of the administrators have already taken action to block infected computers from communicating with them. Sophos advises companies, major ISPs and internet backbone providers to consider blocking all access to the above list of IP addresses, as this will protect infected users on their network from receiving updates to W32/Sobig-F. Another approach would be for network and system administrators to consider blocking NTP requests (except to trusted servers) so their infected computers do not know it is time to try and find the malicious update. Administrators should also consider eliminating or restricting outbound use of UDP port 8998.

This is probably the best thing released so far about SoBig. Now some network admins can start taking action to put a choke on this puppy...!

http://www.securitynewsportal.com/cgi-bin/cgi-script/csNews/csNews.cgi?database=JanBB%2edb&command=viewone&id=75&op=t
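As an added example (not from the Sophos advisory or the forum post), here is a small log scanner that turns the advisory's indicators into detection logic: it flags internal hosts sending UDP/8998 to the published addresses, any other outbound UDP/8998, and inbound UDP to the 995-999 listen ports. The log line format and the sample lines are constructed for this example, not taken from any real firewall product.

```python
import re

# The 20 decrypted rendezvous addresses published by Sophos for W32/Sobig-F.
SOBIG_F_UPDATE_HOSTS = frozenset("""
12.158.102.205 12.232.104.221 24.33.66.38 24.197.143.132 24.202.91.43
24.206.75.137 24.210.182.156 61.38.187.59 63.250.82.87 65.92.80.218
65.92.186.145 65.95.193.138 65.93.81.59 65.177.240.194 66.131.207.81
67.9.241.67 67.73.21.6 68.38.159.161 68.50.208.96 218.147.164.29
""".split())
UPDATE_SIGNAL_PORT = 8998         # UDP port infected hosts signal on (advisory)
LISTEN_PORTS = range(995, 1000)   # UDP 995-999, where infected hosts listen

# Assumed firewall log format (constructed for this example, not a real product's):
# <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+)"
                      r" -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

def classify(line):
    """Return (suspect_ip, reason) if the line matches Sobig-F update traffic, else None."""
    m = LOG_LINE.match(line.strip())
    if not m or m["proto"].upper() != "UDP":
        return None
    src, dst, dport = m["src"], m["dst"], int(m["dport"])
    if dport == UPDATE_SIGNAL_PORT and dst in SOBIG_F_UPDATE_HOSTS:
        return src, "signals known Sobig-F update host on UDP/8998"
    if dport == UPDATE_SIGNAL_PORT:
        return src, "outbound UDP/8998 to unlisted host"
    if dport in LISTEN_PORTS:   # weaker indicator: possible update delivery to a listener
        return dst, "inbound UDP to Sobig-F listen port %d" % dport
    return None

def find_suspects(lines):
    """Map each suspect IP to the set of Sobig-F indicators seen for it."""
    suspects = {}
    for line in lines:
        hit = classify(line)
        if hit:
            suspects.setdefault(hit[0], set()).add(hit[1])
    return suspects

# Constructed sample log lines (not real traffic); the NTP and TCP lines must not match.
SAMPLE_LOG = """\
2003-08-22T12:00:01 UDP 10.0.0.17:1029 -> 24.33.66.38:8998 ALLOW
2003-08-22T12:00:05 UDP 10.0.0.42:3456 -> 192.0.2.10:8998 DENY
2003-08-22T12:00:09 UDP 10.0.0.17:123 -> 192.0.2.1:123 ALLOW
2003-08-22T12:00:12 TCP 10.0.0.9:40123 -> 192.0.2.80:80 ALLOW
2003-08-22T12:00:15 UDP 198.51.100.7:8998 -> 10.0.0.17:997 ALLOW
""".splitlines()
```

Running `find_suspects(SAMPLE_LOG)` reports 10.0.0.17 for both the rendezvous signal and the inbound listen-port hit, and 10.0.0.42 for the unlisted UDP/8998 attempt that the firewall already denied.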
The existing rule in your enhanced ruleset, "block any other UDP packets", will take care of this, as the only UDP packets authorized are those you specifically authorized prior to that rule. However, if you use programs such as NetMeeting, then you had better specifically block port 8998, as NetMeeting already authorizes UDP ports 1024 to 65535 while active (the reason why I also don't like using P2P programs).
Hey tosbsas, by default "UDP : Allow" is deactivated, and asking the question whether it's necessary tells me you know very little about that rule, and that tells me you shouldn't activate it until you do...
Hey my friend - I am growing into it --)) Not as fast as I would like, but surely I will rise to the goal --)) No, seriously, I don't know why, but I had that one activated (even when we did our tests), so you say deactivate it.

Ruben