August 12, 2003
DeepNines announces that Sleuth9 immediately stops the MSBlast attack on networks running Microsoft Operating Systems
The intrusion prevention solution stops MSBlast with its patent-pending DoS and IP Spoofing technology and by sitting inline, invisible, in front of the router.

DALLAS, TEXAS - DeepNines Technologies, a leading enterprise network security company, today announced its Sleuth9 Security System instantly stops the latest worm, named MSBlast, that exploits Windows RPC vulnerabilities. MSBlast (also known as LovSAN, see CERT advisory CA-2003-20 W32-Blaster worm) is designed to launch a denial-of-service attack, specifically a SYN flood, against Microsoft's Windowsupdate.com Web site on August 16, 2003. This latest attack exploits a buffer overflow vulnerability that exists in Microsoft's Remote Procedure Call (RPC) implementation. A hacker can exploit this vulnerability to execute arbitrary code or cause a denial-of-service attack on a network.
Sleuth9 stops MSBlast at the edge of the network, in front of the router, using its patent-pending network protection technology. The attack begins with a buffer overflow that allows a small amount of code into the network that then tries to access a copy of the MSBlast executable via TFTP. Once the file is retrieved, the compromised system launches the executable and begins scanning for other vulnerable systems to compromise even more computers. Once a significant number of machines are infected, the attack on the Microsoft Web site can begin.
Sleuth9, in its default configuration, inspects all ports and protocols and provides four tiers of protection against the MSBlast attack. At the first tier, the attack targets port 135 (the DCOM listening port) and other ports reserved for Microsoft file and print sharing. The prudent network administrator denies access to these ports at the edge of the network and, by default, Sleuth9 blocks external access to the ports on which the buffer overflow is initiated.
At the second tier, if the buffer overflow does penetrate the network, the resulting code snippet uses Trivial FTP over port 69 to retrieve the MSBlast executable. By default, the Sleuth9 Security System blocks outbound TFTP. Once the MSBlast executable enters the network, it sets up a listener on port 4444. That is when the third tier of protection within Sleuth9 kicks in: the default configuration blocks access to port 4444.
Finally, as the fourth tier of defense, Sleuth9 utilizes Adaptive Rate Control using byte, packet and connection rate limits set by the network administrator and by heuristics that throttle bad traffic behavior. The connection rate feature prevents SYN attacks originating from infected networks. The unique DoS-prevention technology and Adaptive Rate Control functionality would also prevent the SYN flood from causing any disruption to the Microsoft site. Networks protected by DeepNines will not experience the costly impact of an MSBlast attack.
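The four tiers above, written out as a flow-classification policy over constructed sample records. This is an added example, not DeepNines' or Sleuth9's code; the file/print sharing ports 139/445 and the SYN-rate threshold are assumptions, since the release names only port 135, 69 and 4444.

```python
from collections import Counter

# Tier 1: inbound ports on which the RPC buffer overflow is delivered
# (135 is named in the release; 139/445 are assumed as the file/print sharing ports)
INBOUND_BLOCKED_TCP = {135, 139, 445}
# Tier 2: the injected code fetches the MSBlast executable over TFTP (UDP/69)
OUTBOUND_BLOCKED_UDP = {69}
# Tier 3: the worm's listener on TCP/4444, blocked in either direction
BLOCKED_ANY_TCP = {4444}
# Tier 4: connection-rate limit standing in for Adaptive Rate Control
# (threshold is an assumed value: SYNs per source within one evaluation window)
SYN_LIMIT_PER_WINDOW = 5


def classify_flow(flow, syn_counter):
    """Return the tier that blocks a flow ('tier1'..'tier4') or 'allow'.

    flow = (direction, src_ip, dst_ip, proto, dst_port, tcp_flags);
    direction is 'in' (from the Internet) or 'out' (towards the Internet).
    """
    direction, src, _dst, proto, dport, flags = flow
    if direction == "in" and proto == "tcp" and dport in INBOUND_BLOCKED_TCP:
        return "tier1"
    if direction == "out" and proto == "udp" and dport in OUTBOUND_BLOCKED_UDP:
        return "tier2"
    if proto == "tcp" and dport in BLOCKED_ANY_TCP:
        return "tier3"
    if proto == "tcp" and flags == "S":           # new connection attempt
        syn_counter[src] += 1
        if syn_counter[src] > SYN_LIMIT_PER_WINDOW:
            return "tier4"
    return "allow"


def apply_policy(flows):
    """Evaluate flows in order with a shared per-source SYN counter."""
    syn_counter = Counter()
    return [classify_flow(f, syn_counter) for f in flows]


# Constructed sample flows reproducing the worm's stages (not captured traffic)
SAMPLE_FLOWS = [
    ("in", "198.51.100.7", "192.0.2.10", "tcp", 135, "S"),    # RPC exploit attempt
    ("out", "192.0.2.10", "198.51.100.7", "udp", 69, ""),     # TFTP fetch of the worm
    ("in", "198.51.100.7", "192.0.2.10", "tcp", 4444, "S"),   # contact the listener
] + [("out", "192.0.2.10", "203.0.113.5", "tcp", 80, "S")] * 7  # outbound SYN burst

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, apply_policy(SAMPLE_FLOWS)):
        print(f"{verdict:6} {flow}")
```

The first three records are stopped by tiers 1 to 3 in turn; of the SYN burst, the first five connection attempts pass and the rest are throttled by tier 4.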
"This is just another example of how a perimeter intrusion prevention solution is better equipped to stop DoS, DDoS and other cyber attacks from penetrating the network," said Dan Jackson, DeepNines' president and COO. "Sleuth9 was designed to stop complex, blended attacks, at the edge of the network, utilizing a Multi-Method Inspection process that sits inline and is invisible to network hackers. With Sleuth9, DeepNines is arming companies with a new layer of perimeter security."
The Sleuth9 Security System is a proactive, intelligent intrusion prevention and anti-virus solution specifically designed to stop complex, blended threats. Sleuth9 sits invisibly in front of the router and evaluates all network traffic, both ingress and egress, at the packet level to determine what is valid and what is malicious. Sleuth9 detects and automatically prevents cyber attacks from entering or leaving a network by forming a new perimeter of defense against DoS, DDoS, port scans, Trojan horses, self-propagating attacks, worms and viruses, as well as other attacks launched from infected internal or external computers. Sleuth9 can be deployed at the perimeter of the network or in front of other likely targets such as web servers, mail servers, application servers, etc.
About Deep Nines Inc.

DeepNines offers a scalable security platform for Global 2000 companies with a vertical market focus in education, government, telecommunications, energy and financial services. The DeepNines Security Edge Platform™ integrates intelligent firewall, intrusion prevention, best-of-breed secure content management, forensics and reporting. It operates outside the network infrastructure, improving organizations' security "deep into the nines." DeepNines' Security Edge Platform, the company's patent-pending security system, is a fully automated signature- and behavior-based intrusion prevention and traffic management system preventing known and unknown attacks from entering an organization's network. The Security Edge Platform runs on Solaris and Linux platforms from Sun Microsystems. To learn more about Deep Nines visit www.deepnines.com.
©2005 Deep Nines, Inc., all rights reserved. DeepNines Technologies, Security Edge Platform, Security Edge System, Sleuth9 Security System, Sleuth9, ForensiX Capture System, Holistic Management Console, and Zero Footprint Technology are trademarks and/or registered trademarks of Deep Nines Inc. All other brands and products are trademarks and/or registered trademarks of their respective owners.