Worms are a major threat to services in the cloud. Worms exploit server vulnerabilities to spread over networks and carry out malicious operations on compromised servers. Worm attacks pose serious threats to the assets and business of users. Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms and worm variants. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud.

Impact of worms

The following issues may occur due to worm attacks:

  • Service interruption: Worms may carry out malicious operations, such as modifying configurations or terminating services, on compromised servers. This may cause risks, such as server breakdown or service interruption.
  • Information theft: Worms that aim to steal information compress data on compromised servers and send the compressed data to attackers. This may cause data breaches and resource abuse.
  • Regulatory control: When worms spread, worms send a large number of packets. This may trigger regulatory control on IP addresses, which results in service interruption. For example, IP addresses may be blocked.
  • Economic or data loss: Ransomware worms encrypt files on compromised servers for ransom, which causes economic or data loss.

Solution provided by Cloud Firewall

Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms and worm variants. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud.

The following list describes some typical worms:

  • DDG: spreads by exploiting Redis vulnerabilities and by launching brute-force attacks and uses the computing resources on compromised servers to mine cryptocurrency.
  • WannaCry: spreads by exploiting Windows system vulnerabilities and compromises servers for ransom.
  • BillGates: spreads by exploiting application vulnerabilities and by launching brute-force attacks, and builds a botnet of compromised servers to launch DDoS attacks.

Case: DDG worm

DDG is an active worm that spreads by exploiting Redis vulnerabilities and by launching brute-force attacks. Compromised servers are added to a botnet to mine cryptocurrency.

Impact scope of DDG

  • Servers that use weak SSH passwords
  • Redis or other database servers that have vulnerabilities

Major impact of DDG

  • Service interruption: DDG mines cryptocurrency on compromised servers, during which a large number of computing resources on the servers are occupied. This may affect service availability or cause service interruption.
  • Regulatory control: When DDG spreads, DDG sends a large number of packets. This may trigger regulatory control on IP addresses, which results in service interruption. For example, IP addresses may be blocked.

Defense against the DDG attack chain

Cloud Firewall detects and defends against the DDG attack chain in real time. This way, worms are blocked and are prevented from spreading.

Cloud Firewall provides the following intrusion prevention features:

  • Whitelist: Cloud Firewall trusts the source and destination IP addresses that you specify in the whitelist and does not block the traffic of these IP addresses.
  • Threat intelligence: Cloud Firewall scans your servers for threat intelligence and blocks malicious behavior from C&C servers based on the threat intelligence.
  • Basic protection: Cloud Firewall detects malware and intercepts communication with C&C servers or backdoors.
  • Virtual patching: Cloud Firewall provides virtual patches to defend your business against popular high-risk application vulnerabilities in real time.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Intrusion Prevention > Prevention Configuration.
  3. In the Threat Engine Mode section of the Prevention Configuration page, select Loose for Block Mode. Threat Engine Mode
  4. In the Advanced Settings section, click Whitelist. In the dialog box that appears, add trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to a specific whitelist. Whitelist
  5. In the Threat Intelligence section, turn on Threat Intelligence. Threat Intelligence
  6. In the Basic Protection section, turn on Basic Policies. 基础防御
  7. In the Virtual Patches section, turn on Patches. virtual

For more information about how to configure intrusion prevention features, see Prevention configuration.