Who needs .info/.biz, anyway?

To quote the people from Sans.org:

Who needs .info/.biz, anyway?

I have blocked access to the *.info and *.biz TLD's at my watchguard firewall 4 months ago. I had to add 5 *.info domains to a whitelist but I got so much in return.

In my blog about the 0-day wmf exploit I recommend the blocking of beehappyy.biz. Guess what showed up in my log's as being block by the 'block all *.biz websites' rule?
That's right beehappyy.biz.
I am glad I did not have to clean that mess up :o)

Also want to block the *.biz and *.info TLD's?

Go to the 'URL Path' function of your HTTP-Proxy and add '*.biz' and '*.info' as pattern matches. You can first set the rules to allow and log, to see if this will work for your network.

I also block the *.ru TLD but I am not going to recommend that because I think that is personal taste.

MS06-002 prevention (updated)

As part of there regular patch cycle, Microsoft has release 2 security patches. MS06-002 describes a vulnerability in Embedded Web Fonts. These files can be blocked by your watchguard firewall.

What can you do to protect your network:

1. Go to the 'URL Path' function of your HTTP-Proxy and add '*.eot' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.

UPDATE:

My 'Body Content Types' rule does not work because off a problem with the '?' wildcard. So I removed the rule.

WMF - The story continues

Another WMF exploit has been release:

http://isc.sans.org/diary.php?storyid=992
http://www.frsirt.com/exploits/20051231.ie_xp_pfv_metafile.pm.php

US-CERT (http://www.kb.cert.org/vuls/id/181038) is recommending to block the following byte sequences:

01000900
02000900
D7CDC69A

Go to the 'Body Content Types' function of your HTTP-Proxy and add '%0x01000900%*', '%0x02000900%*' and '%0xD7CDC69A%*' as a pattern match with the 'Rule action' set to Deny, Alarm and Log.
While your at it you also might want to block 'application/x-msMetafile' with the Content-Type function of your HTTP-Proxy.