I was reading the ISC handlers diary today and saw a post entitled “Be on the Alert

The email comes with an attachment, either a .zip or an .html file. If this is a truly new virus, antivirus will not detect it yet. Here’s what I’ve done to protect my network.

1) Through the use of MailScanner and MimeDefang, I’ve blocked all incoming .zip and .html attachments. I have had this rule in place for years, as rarely does anything legitimate come through email with a .zip or .html attachment.
2) The post mentions the IP address being used to download the exploiter: 173.204.119.122. Adding a simple rule to your gateway will prevent the exploiter from being downloaded and infecting a machine on the network. Here’s what I did:

# iptables -t nat -A PREROUTING -d 173.204.119.122 -j DROP

Then, on one of my other boxes:

$ wget http://173.204.119.122
--18:55:45--  http://173.204.119.122/
           => `index.html'
Connecting to 173.204.119.122:80...

It just sits there and times out. To verify that my rule worked:

# iptables -L -v -n -t nat|grep 173.204.119.122
    0     0 DROP       all  --  *      *       173.204.119.122      0.0.0.0/0
   26  1560 DROP       all  --  *      *       0.0.0.0/0            173.204.119.122

Prior to just willy-nilly firewalling this IP, I checked whether any other legitimate websites were hosted on that server, using bing-ip2hosts. Nothing was reported.
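Added example, not from the original post: a small POSIX shell helper covering both halves of step 2 above. `block_cmds` prints the filter-table rules that block an IP for forwarded traffic in both directions and for traffic the gateway itself originates (nothing is applied unless you pipe it to `sh` as root), and `drop_coverage` reads a saved `iptables -L -v -n` listing and succeeds only when DROP rules exist for the IP both as source and as destination, summing the packet counters so you can see hits. The two listings embedded below are constructed from the shape of the output above (one with both directions, one with only the destination-side rule that the one-liner creates on its own); the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. block_cmds, drop_coverage,
# SAMPLE_LISTING and ONE_WAY_LISTING are hypothetical helper names.

# Constructed listing in the shape of `iptables -L -v -n`, modelled on the post's
# output: both directions have a DROP rule, the destination rule has seen 26 packets.
SAMPLE_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       173.204.119.122      0.0.0.0/0
   26  1560 DROP       all  --  *      *       0.0.0.0/0            173.204.119.122'

# Constructed listing with only the destination-side rule, i.e. what a single
# `-d IP -j DROP` rule gives you on its own.
ONE_WAY_LISTING='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 DROP       all  --  *      *       0.0.0.0/0            173.204.119.122'

# block_cmds IP: print filter-table rules that block IP for forwarded traffic in
# both directions and for the gateway's own outbound connections. Nothing is
# applied here; pipe the output to `sh` as root to apply it.
block_cmds() {
  ip="$1"
  printf 'iptables -A FORWARD -d %s -j DROP\n' "$ip"
  printf 'iptables -A FORWARD -s %s -j DROP\n' "$ip"
  printf 'iptables -A OUTPUT -d %s -j DROP\n' "$ip"
}

# drop_coverage IP LISTING: scan a `-L -v -n` listing for DROP rules naming IP as
# source (field 8) or destination (field 9), print a one-line summary with the
# summed packet counter, and return success only when both directions are covered.
drop_coverage() {
  ip="$1"
  listing="$2"
  printf '%s\n' "$listing" | awk -v ip="$ip" '
    $3 == "DROP" && $8 == ip { src = 1; hits += $1 }
    $3 == "DROP" && $9 == ip { dst = 1; hits += $1 }
    END {
      printf "as_source=%d as_destination=%d hits=%d\n", src, dst, hits
      exit !(src && dst)
    }'
}

# Stand-alone run: check both constructed listings, then show the rules to add.
drop_coverage 173.204.119.122 "$SAMPLE_LISTING"  || echo "sample: coverage incomplete"
drop_coverage 173.204.119.122 "$ONE_WAY_LISTING" || echo "one-way: add the missing rule(s)"
block_cmds 173.204.119.122
```

The printed rules go in the filter table rather than nat: the nat table is consulted only for the first packet of a new connection and is not meant for filtering, and a rule in PREROUTING alone does not cover connections the gateway itself originates, which is why an OUTPUT rule is included. The check reads a saved listing instead of calling iptables so it can be run anywhere, for example against `iptables -L -v -n -t filter` output captured from the gateway.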

  1. Kevin says:

    Matt,

    Just curious if you or your associate are seeing something like this in the headers:
    “United Parcel Service of America”, where user@domain.local is the actual user’s email address. I also show “tidiest7@rivertext.com” in the return path.

    PS. Love your blog dude

  2. Matt says:

    @Kevin: Sorry it took so long to respond... crazy, crazy busy.

    # cat maillog*|grep -i "rivertext.com"
    # cat maillog*|grep -i "user@domain.local"
    # cat maillog*|grep -i "United Parcel"
    #

    Nothing coming up in the last 30 days. I do have a lot of emails covering the details of this virus. It apparently is a big HTTP botnet. The emails that I’m receiving are confidential so I can’t share them... but anything I come across that I think should be shared to help prevent the spread I will post here.
