Slashdot: News for Nerds


How To Avoid a Botnet Infection?

CmdrTaco posted more than 4 years ago | from the yeah-good-luck-with-that dept.

Botnet 396

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.


396 comments

Yeah... (5, Insightful)

Pojut (1027544) | more than 4 years ago | (#31565866)

...I'm going to go ahead and guess the general answer most people around here are going to give.

Linux or OSX.

AmIright?

No (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31565902)

Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.

Re:No (1, Funny)

sopssa (1498795) | more than 4 years ago | (#31566240)

Stop letting users use your computers

Yes! While we're on it, let's fire all the people in the company! They just bring expenses and fuck things up!

The new meme "Terry Childs approach" (5, Insightful)

way2trivial (601132) | more than 4 years ago | (#31566530)

The only way to secure the system is: don't let anyone into the system.

Re:Yeah... (1, Funny)

sirrunsalot (1575073) | more than 4 years ago | (#31565908)

Yup.

Re:Yeah... (0)

Anonymous Coward | more than 4 years ago | (#31565924)

VMS

Re:Yeah... (0)

Anonymous Coward | more than 4 years ago | (#31566706)

VMS

What does Voice Messaging Service have to do with anything?

Re:Yeah... (2, Insightful)

Magorak (85788) | more than 4 years ago | (#31565932)

Unfortunately you are probably right.

Re:Yeah... (1)

Bromskloss (750445) | more than 4 years ago | (#31566964)

Unfortunately you are probably right.

Unfortunately?

Re:Yeah... (2, Funny)

euyis (1521257) | more than 4 years ago | (#31565962)

Competent users maybe?

Re:Yeah... (4, Insightful)

jimicus (737525) | more than 4 years ago | (#31566388)

We've been hoping for competent users (and trying to educate people into competence) for decades. Hasn't happened yet - probably because the usual result of your computer getting a virus which wasn't automatically blocked is you have a legitimate excuse to do no work until such time as someone can clean up the mess.

Re:Yeah... (2, Interesting)

miffo.swe (547642) | more than 4 years ago | (#31565974)

If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.

If you want to mitigate the problem you can add all sorts of defences, but you will be owned eventually if you stay on Windows. The question is, is it worth all the money? One thing is sure: it's damn expensive to fix Windows up to half-bad.

Re:Yeah... (0)

Anonymous Coward | more than 4 years ago | (#31566118)

I'd hate to have an incompetent like you as my network admin.

Re:Yeah... (-1, Flamebait)

sopssa (1498795) | more than 4 years ago | (#31566380)

He is either stupid or just trolling. Newer Windows are just as secure as Linux/BSD. It's the users who are dumb and as a mainstream OS and the one that everyone uses, there's going to be idiots.

To see how clueless people actually are, see comments on this article [readwriteweb.com] . People were googling for "facebook login" and suddenly that page jumped on top of results.

Re:Yeah... (1)

CheeseTroll (696413) | more than 4 years ago | (#31566730)

Those comments are incredible, and a good reminder of how many people actually use the web.

Re:Yeah... (1)

miffo.swe (547642) | more than 4 years ago | (#31566690)

I'd hate to work for someone like you. I have more important things to do than run around fighting fires. Like, tending to business interests instead of dealing with technological shortcomings of one specific vendor.

Re:Yeah... (2, Insightful)

lordandmaker (960504) | more than 4 years ago | (#31566374)

If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.

Thing is, though, *everyone* running Windows treats it as holey, exploitable and generally unsafe. So they apply every security mechanism they can, they bother to audit things, and generally treat it as a dangerous thing that needs attention.

Too many Linux/OSX users sit there thinking "I use Unix. I have no need for security software". Especially the ones who were sold the idea on the grounds that 'there are no viruses for this'.

Re:Yeah... (-1, Redundant)

sopssa (1498795) | more than 4 years ago | (#31566476)

Too many Linux/OSX users sit there thinking "I use Unix. I have no need for security software". Especially the ones who were sold the idea on the grounds that 'there are no viruses for this'.

And this will lead to serious problems in future. "Yeah I'm safe from viruses, Apple told me so!". There is already malware for Mac OS X, and if Linux ever catches up with Windows/Mac market share, there will be a lot more malware for Linuxes too. In fact, malware on Linux precedes Windows. But of course new users are just sold the idea that "Linux is safe" and will believe so to the end.

Re:Yeah... (0, Flamebait)

Runaway1956 (1322357) | more than 4 years ago | (#31566702)

That old "Market share" lie again. I'd ask for proof, but how do you prove a negative? Phhht. I'd love to slap the first person who pulled that sorry excuse out of their ass. That turd doesn't stop stinking with time, either.

Re:Yeah... (4, Interesting)

gandhi_2 (1108023) | more than 4 years ago | (#31566150)

No. [networkworld.com] That's not sufficient. [lwn.net]

Disallowing USB drives helped the military cut down on infections, though.

How about: users run restricted. Using GPOs: mandatory Windows updates daily with reboot. Automate patching of commonly-used helpers like Flash, Shockwave, Adobe Reader, Firefox, Java. And MS Security Essentials.

Some rigorous port filters on EVERY machine and iptables rules on routers and l3 switches...a whitelist approach.

Re:Yeah... (0)

Anonymous Coward | more than 4 years ago | (#31566780)

I would also add: all web browsing possible within a dedicated VM appliance. The appliance has a read-only drive, and no worries about infection. That will stop quite a bit of the attack surface of Windows. Not having the user as Administrator, though, does so much.

Re:Yeah... (5, Insightful)

beh (4759) | more than 4 years ago | (#31566170)

Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a linux machine... Even though it *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing linux would have been secure enough.

But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)

I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...

Re:Yeah... (5, Interesting)

ByOhTek (1181381) | more than 4 years ago | (#31566218)

Yes, that's the general answer. Probably not the correct one.

*NOTHING* short of educating a user, or massively restricting their privileges on a computer, can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of Sysinternals software (regmon/diskmon) to figure out where to allow non-privileged users to write so that poorly written Windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.

Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).

I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.

That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened, whoever did the cracking just got a firewall bypass.

Re:Yeah... (1)

zappepcs (820751) | more than 4 years ago | (#31566492)

There is reason to believe that network topology contributes to the damage done by viruses and malware. If malware gets into the network for marketing and you make it just as difficult for it to get from marketing to the customer service network as it was to get into the marketing network, you have added extra levels of security. There are too many networks that are designed so that once it gets to one machine it has carte blanche to go to any of them. Yes, the Titanic still sank, but compartmentalization was an idea with merit. You still have to do the edge network security too. This adds complexity to the network for certain, but the idea is to stop one infection from running rampant over the entire corporate IT infrastructure. If marketing is infected, shut it off, minimize damage.

Re:Yeah... (4, Insightful)

Lorien_the_first_one (1178397) | more than 4 years ago | (#31566506)

Amiga.

Re:Yeah... (3, Funny)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31566552)

AmIright?

Urnotrong.

Re:Yeah... (2, Insightful)

Runaway1956 (1322357) | more than 4 years ago | (#31566632)

Mod parent to at least +50 insightful. Despite all the bragging that Microsoft and MS fanbois do, the botnets are still constructed with Windows. When that changes, then we can discuss that little issue again.

Meanwhile, migrate to a more secure operating system.

OnLY r3AL wAi (0)

Anonymous Coward | more than 4 years ago | (#31565912)

To be 100% protected against all forms of computer infection is to unplug all of your network cables and wireless connections and work off-line. Even then you will still have to contend with possibly infected removable media such as USB drives and CD-ROMs from untrusted sources.

CENTOS? (0)

NukeDoggie (943265) | more than 4 years ago | (#31565916)

Linux seems to be less vulnerable. Using as few Windows boxes as possible helps. Using blacklists in the hosts files of bad servers (Spybot's list is good). May Bluecoat device, we have one here and it's helped a LOT. Email vectors are still huge, and the user error 1D107...

Re:CENTOS? (-1, Offtopic)

NukeDoggie (943265) | more than 4 years ago | (#31565946)

My First First Post! I'm such a proud Pappa!!! Cigars?

Re:CENTOS? (1)

Chrisq (894406) | more than 4 years ago | (#31566026)

My First First Post! I'm such a proud Pappa!!! Cigars?

It appears that the news of the delivery was premature

Re:CENTOS? (1)

Zaphodox (1751752) | more than 4 years ago | (#31566054)

/. tends to react to such comments in much the same way as a gastropod reacts to a bath of sodium chloride.

GMER (0)

Anonymous Coward | more than 4 years ago | (#31565934)

Is GMER still up to date in detecting rootkits?

Users (3, Interesting)

oojah (113006) | more than 4 years ago | (#31565948)

You'll probably find that most of your problems will go away if you get rid of your users :)

What gets around Firewalls and AVS? (3, Interesting)

Drethon (1445051) | more than 4 years ago | (#31565954)

I'm a coder not IT so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers but it is quite possible I've missed active bots with such simple protections.

So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?

Re:What gets around Firewalls and AVS? (3, Insightful)

Chrisq (894406) | more than 4 years ago | (#31566082)

Well, a firewall is usually configured to let some things in; if you give your users internet access then you are at risk of them downloading a virus from the internet; similarly, emails may tempt people to open executable attachments.

Virus writers are constantly trying to find ways to circumvent antivirus programs. Regularly applying updates helps, but you could still be one of the first people hit by a new virus. Once infected some viruses interfere with AV programs so that they can't be removed even by later versions.

Re:What gets around Firewalls and AVS? (1)

Drethon (1445051) | more than 4 years ago | (#31566326)

Sounds like a lot of what I've heard then. My AVS is up to date and includes spyware checking, and I avoid free porn, screen savers and other such downloads and avoid accepting any weird pop-ups.

My distributed operating systems course did mention how the biggest security issues are social engineering and I guess this is the case here as well.

Re:What gets around Firewalls and AVS? (1)

noname101 (1481803) | more than 4 years ago | (#31566698)

You also have to remember that there have been a number of legitimate sites that have been hacked and used to deliver Malware. AVS only protects against known threats. That is the main flaw of current AVS.

Re:What gets around Firewalls and AVS? (3, Informative)

MasterOfMagic (151058) | more than 4 years ago | (#31566134)

Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it, or because your virus definition files are out of date since your 30-day trial has expired, or you're not connected to the Internet, or the software fails to automatically update, or your anti-virus software has been compromised or switched off), your anti-virus software has a very slim chance of picking up something malicious.

That is why an anti-virus package wouldn't stop threats newer than its definition files.

Re:What gets around Firewalls and AVS? (0)

Anonymous Coward | more than 4 years ago | (#31566148)

I'm a coder not IT so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers but it is quite possible I've missed active bots with such simple protections.

So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?

I'm likewise a coder, and not a Windows user, so this is the blind leading the blind. But my guess is that the source of these infections is the user installing something nasty.

Aside from "Don't run Windows, haha" the suggestion I would make would be, restrict user privileges so that they can't install anything. But I hear many Windows apps have problems running with anything short of God-mode permissions, so...don't run Windows, haha.

Re:What gets around Firewalls and AVS? (1)

Drethon (1445051) | more than 4 years ago | (#31566370)

Pretty similar to what the guy above posted and my response there.

My home network consists of myself and my wife. I'd put her on Linux but much wrangling with the wireless card in her computer proved fruitless. As a result her Windows account is not admin, which has pretty much eliminated issues.

This is nothing against my wife. She knows not to click on popups, but these days it's hard for a non-expert to know how to close some of the fancier attack popups...

Re:What gets around Firewalls and AVS? (0)

Anonymous Coward | more than 4 years ago | (#31566630)

How is a coder NOT IT?

You write the code that processes the INFORMATION using TECHNOLOGY.

When did the phrase IT (Information Technology) become synonymous with "desktop support"?

Re:What gets around Firewalls and AVS? (1)

Drethon (1445051) | more than 4 years ago | (#31566930)

If you want IT to cover helpdesk, network management, software engineering and everything else with information and technology, then what would you like to call the people who maintain the network and computer infrastructure in the companies so the coders can focus on developing earned value applications?

Re:What gets around Firewalls and AVS? (1)

Runaway1956 (1322357) | more than 4 years ago | (#31566942)

I enjoy bashing Microsoft - but I have been led to believe that they have fixed that little problem. In the days of Win98, my kid asked me to install a game for him. Soon after installing it, he told me that he needed admin privileges just to run the stupid game.

I can't really verify it, but I've been told repeatedly that doesn't happen in Vista and Win7. I do know that while I was testing Win7, everything that I installed ran fine in limited user accounts.

Re:What gets around Firewalls and AVS? (4, Interesting)

jimicus (737525) | more than 4 years ago | (#31566516)

So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?

No they're not. Trojans are becoming much more adept at avoiding antivirus (mainly because most antivirus is essentially a glorified "grep for this sequence of bytes", which doesn't work very well with polymorphic infectors) and much better at remaining hidden once installed.

A few years ago it was fairly obvious because an infected computer had all the speed and grace of a slug break-dancing in black treacle and most AV vendors' websites magically stopped working (though actually your browser was being screwed around with) - today that doesn't happen so much.

Short of the major AV vendors drastically upping their game in very short order (difficult - heuristics scanning is the obvious thing to look at but it's tantamount to the halting problem), I can't really see this situation improving much.

Re:What gets around Firewalls and AVS? (0)

Anonymous Coward | more than 4 years ago | (#31566572)

I'm a coder not IT so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers but it is quite possible I've missed active bots with such simple protections.

So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?

Please forgive the bluntness of my answer.

Stupid users.

If someone is an admin on a computer, which most Windows users are, there is little you can do to protect against bone-headed actions of the users.

Re:What gets around Firewalls and AVS? (1)

stiggle (649614) | more than 4 years ago | (#31566678)

First of all they need a firewall which doesn't block everything.

A decent firewall blocks everything, then allows specific stuff through.
So you block everything - then allow ports 80 & 443 out through a caching proxy, you allow SMTP & IMAP - but only to your own mailservers, etc.

Incoming connections are either redirected to the company servers or completely blocked.

Re:What gets around Firewalls and AVS? (0)

Anonymous Coward | more than 4 years ago | (#31566694)

Users.

Re:What gets around Firewalls and AVS? (0)

Anonymous Coward | more than 4 years ago | (#31566888)

A coder with no knowledge of security? Isn't that how we end up with such problems in the first place?

Re:What gets around Firewalls and AVS? (1)

L4t3r4lu5 (1216702) | more than 4 years ago | (#31566934)

Easy: Excel Hell [thewebsiteisdown.com]

whitelist (3, Interesting)

deusmetallum (1607059) | more than 4 years ago | (#31566010)

Run a program that only allows whitelisted applications, and block all removable media. It's the only way you can be absolutely certain there is nothing running on your network that shouldn't be there. http://en.wikipedia.org/wiki/Whitelist#Application_whitelists [wikipedia.org]

Re:whitelist (2, Interesting)

jaroslaw.fedewicz (1539623) | more than 4 years ago | (#31566426)

Run a program that only allows whitelisted applications, and block all removable media.

Now how do you handle that: the Boss sends a PDF memo. PDF is not an executable, alright, the user opens it with the whitelisted Adobe® Reader(TM), and some bad code gets executed via some kind of a buffer overflow Adobe was so generous to include as its bonus package. The problem being, of course, "how dare you restrict the Boss' access to the 'Net? I'm gonna fire you! (The 'Net here means, of course, some clown fetish porn sites and the like, but that's none of your business)"

Okay, ditch that PDF, send a JPEG. A convenient hole in Microsoft® Outlook(TM), and here go zombies, ready for master's commands, not even having to click anything, just skim through the message.

Re:whitelist (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31566624)

Except most viruses/botnets also start up their own processes, rather than run in a user process (like Outlook or Adobe), so a whitelist program will stop those processes from running.

Better switch to telnet (0)

Anonymous Coward | more than 4 years ago | (#31566018)

"Detected running a web browser"
There's your source of the problems.
Web browsers are /the/ vector for virus infections, other than ridiculously insecure OS's, so simply uninstall all browsers and use a telnet BBS for any serious internet work.

It's not all about prevention. (1)

VinylPusher (856712) | more than 4 years ago | (#31566020)

Perhaps somewhat obvious, but you will never achieve 100% protection against malware unless you unhook the internet connections, block the USB ports, optical drive, floppy drive, multi-media card reader etc.

The worth of any IT support company comes not from the level of prevention they can provide against outages, it's how quickly and effectively they respond to bring systems back in line after a problem occurs.

Assuming you cannot prevent a botnet infestation, you minimally need a documented procedure on how you're going to deal with the cleanup.

In a more direct answer to your question though... put systems in place that are supported by big companies, e.g. Checkpoint firewalls at boundaries, Symantec/F-Secure/ESET AV throughout (with solidly applied policies and installed by a certified provider).

educate (3, Insightful)

orange47 (1519059) | more than 4 years ago | (#31566024)

Teach all the workers about security. Disable autorun on all machines. Don't let them run as admins. Use NoScript and Adblock and Foxit (or similar). Update Windows and AV regularly...

Re:educate (2, Informative)

Scutter (18425) | more than 4 years ago | (#31566228)

Teach all the workers about security. Disable autorun on all machines. Don't let them run as admins. Use NoScript and Adblock and Foxit (or similar). Update Windows and AV regularly...

Education is a red herring. It doesn't work. Non-technical people know how to turn their computer on and do their day's work, and that's about it. If you change a single menu item they are completely lost, even a day after formal training. Constant remedial training costs more and is more time consuming than recovering from an outbreak.

Many (poorly written) enterprise applications won't run properly without admin rights to the PC, so restricting admin access is often not possible. Keeping Windows up-to-date is a must, but AV is almost useless these days as the primary attack vector is via spyware, not viruses. There is no good on-access anti-spyware software out there. Even the "best" is only about 80% effective, which is as good as useless.

Re:educate (1)

orange47 (1519059) | more than 4 years ago | (#31566566)

Well, it sure is hard securing a modern computer because it's so complex. Heh, there aren't (m)any viruses for ZX/C64.. Here is what else I would do: make sure all workers have identical Windows versions, and have the same autoruns.exe output (list of all things that start on boot). Then make offline md5 sums of all system files using a live USB and check them periodically. Sandbox those browsers; try making executable files unmodifiable by anything hostile.
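The periodic-checksum idea above, as an added example that is not part of the comment: hash every file under a directory into a baseline, then diff the live tree against it to list added, removed and modified files. It uses SHA-256 rather than MD5 (my substitution) and a temporary directory with constructed contents stands in for the system files.

```python
"""File-integrity baseline: record a digest per file, later compare the live tree
against that record. Example code added to the thread; SHA-256 is an assumption
in place of the md5 the comment mentions, and the sample tree is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large system files don't need RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest for every regular file below root."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline, out_file):
    # Store the baseline on media the checked machine cannot write to
    # (the comment's live-USB idea); JSON keeps it human-readable.
    Path(out_file).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())


def compare(baseline, current):
    """Return sorted lists of added, removed and modified relative paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys
                           if baseline[k] != current[k]),
    }


def demo():
    """Constructed scenario: baseline a tiny tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "system32"
        (root / "drivers").mkdir(parents=True)
        (root / "kernel32.dll").write_bytes(b"constructed dll contents v1")
        (root / "drivers" / "tcpip.sys").write_bytes(b"constructed driver")
        baseline_file = Path(d) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated tampering: one file patched, one unexpected file dropped.
        (root / "kernel32.dll").write_bytes(b"constructed dll contents v1 + patch")
        (root / "drivers" / "unexpected.sys").write_bytes(b"constructed new file")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The comparison is only trustworthy when it runs from outside the checked OS, which is the reason the comment says "offline": a rootkit on the running system can hide files or feed the hasher clean bytes.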

Re:educate (1)

K-tWizel (1724182) | more than 4 years ago | (#31566268)

your infection vector is your users. Kind of ironic that those that are needed to keep your company are the ones that could sink it. Education is the best mitigation for this risk! Teach the users proper computing security. Have tracked annual training (15 pg PPT is sufficient). It also protects you the admin/company if something does happen and legal action is required. Folks need to know the 'rules of the road'. Compare the cost of a usage program to lost productivity. These bad habits are reinforced by use at home too so presentation should include protecting the users at home. Stronger network/system security will help but the biggest risk to a network is the users.

block some email attachments and facebook (4, Insightful)

alen (225700) | more than 4 years ago | (#31566048)

Where I work we've been blocking a long list of email attachments like exes and others. A few years ago we also started blocking Facebook.

I set it up years ago and don't remember myself. We're all Windows and have never been zombified. You can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over Facebook and Twitter.

Re:block some email attachments and facebook (3, Interesting)

magamiako1 (1026318) | more than 4 years ago | (#31566332)

A properly implemented firewall solution would guard against all of these things, as a properly implemented solution will also filter layer 7.

Re:block some email attachments and facebook (0)

Anonymous Coward | more than 4 years ago | (#31566348)

No need to block Facebook, it's restrictive enough about its HTML that it shouldn't be able to infect anyone's machine unless someone clicks on a rogue link that someone posts, but that can happen anywhere. May as well block the whole web.

Virus-scanning of email attachments along with aggressive blocking of email attachments (we are instructed to rename .zip files to another extension, and tell the recipient to rename it back - it prevents people from auto-clicking something accidentally, they MUST save it and rename it to open it.) will help a lot.

Also, to the OP - were these local-machine firewalls, or a firewall at the edge of the company's network? Lots of malware explicitly targets local-machine firewalls and attacks them first. Attacking a firewall at the network edge on a remote machine is a LOT harder.

Blocking port 80 is silly. Too many people use that for legitimate work nowadays. Blocking SMTP, on the other hand, is VERY smart. In fact, you may want to explicitly set up your firewall at the network edge to block EVERYTHING, and force all clients to use a proxy server to access the outside world. (Actually, this is effectively blocking port 80 while still allowing people to access the web.) You can then potentially configure the proxy to block "known dangerous" sites. Where I work we have a system that has three high-level classifications:
1) Blocked due to being dangerous, porn, etc.
2) Categorized and known to be safe
3) Uncategorized and unknown - blocked with an option to manually override by the user using an RSA SecurID fob. (i.e. no bot is ever going to authenticate for the override, even if it is smart enough to try.)
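The default-deny egress design described in this comment and in stiggle's comment above (block everything, allow web only through the proxy, mail only to the company's own servers, incoming blocked) together with the three-way proxy classification, as an added example that is not from any commenter: a small policy evaluator run over constructed connection attempts. Addresses, ports and hostnames are assumptions, and `suspicious_hosts` is my own addition that turns the denied-connection log into a detection signal.

```python
"""Default-deny egress policy plus proxy categorisation, modelled in Python.
Example code added to the thread; the network layout below is constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed layout: one internal range, one caching proxy, two company mail hosts.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ("10.0.0.5", 3128)                    # caching web proxy
MAIL_SERVERS = {"10.0.0.10", "10.0.0.11"}     # the company's own SMTP/IMAP hosts
MAIL_PORTS = {25, 143, 993}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def egress_decision(conn):
    """Return ('allow'|'deny', reason). Explicit allows first, then default deny."""
    if not is_internal(conn.src):
        return "deny", "incoming connections are blocked (or redirected elsewhere)"
    if conn.proto == "tcp" and (conn.dst, conn.dport) == PROXY:
        return "allow", "web traffic via the caching proxy"
    if conn.proto == "tcp" and conn.dport in MAIL_PORTS and conn.dst in MAIL_SERVERS:
        return "allow", "mail to the company's own mail server"
    return "deny", "default deny"


def suspicious_hosts(conns, threshold=3):
    """Hosts with >= threshold denied direct-to-Internet attempts on web/mail ports.
    A browser goes through the proxy, so repeated direct attempts on 25/80/443
    from a workstation are a cheap indicator worth an analyst's look."""
    counts = {}
    for c in conns:
        verdict, _ = egress_decision(c)
        if verdict == "deny" and not is_internal(c.dst) and c.dport in (25, 80, 443):
            counts[c.src] = counts.get(c.src, 0) + 1
    return sorted(h for h, n in counts.items() if n >= threshold)


def proxy_decision(url_category, override_authenticated=False):
    """The comment's three classes: dangerous -> block, known safe -> allow,
    uncategorised -> block unless a human completed the two-factor override."""
    if url_category == "dangerous":
        return "block"
    if url_category == "safe":
        return "allow"
    return "allow" if override_authenticated else "block"


# Constructed connection log: one well-behaved workstation, one that keeps
# trying to reach the outside world directly, and one inbound probe.
SAMPLE_LOG = [
    Conn("10.0.1.20", "10.0.0.5", 3128),
    Conn("10.0.1.20", "10.0.0.10", 25),
    Conn("10.0.1.21", "203.0.113.7", 25),
    Conn("10.0.1.21", "203.0.113.8", 25),
    Conn("10.0.1.21", "198.51.100.9", 80),
    Conn("10.0.1.21", "198.51.100.9", 443),
    Conn("198.51.100.5", "10.0.1.20", 445),
]

if __name__ == "__main__":
    for c in SAMPLE_LOG:
        print(c.src, "->", f"{c.dst}:{c.dport}", *egress_decision(c))
    print("hosts to look at:", suspicious_hosts(SAMPLE_LOG))
```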

XP (5, Interesting)

Anonymous Coward | more than 4 years ago | (#31566062)

Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess, if anything, the computers are out of date on their OS patches.

In an ideal world... (5, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31566084)

You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.

That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash; they hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash player. Every time Adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the Flash remover and then msiexecs the newest Flash MSI. It's a pain in the ass; but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.

Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.

Re:In an ideal world... (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31566386)

Oh, one more thing. Assuming you are running Windows and AD (which is pretty much the plausible assumption when "company", "networks" and "zombified" show up in the same sentence), there is something of a nuclear option...

Software Restriction Policies.

The details are quite complex, Microsoft will have to tell you more [microsoft.com]; but you can substantially ruin joe script kiddie's day (as well as pissing off users, and making life miserable for your IT minions, which is why so many people don't use them). In a nutshell, you can restrict the locations from which executables will be run, you can restrict which executables will be run (in a number of ways: either SHA hashes of specific binaries, RSA keys of specific trusted vendors that allow all software signed by them to be run, or some combination of the above). If you are a real hardass (which can be advisable, given the crazy hijacks that get pulled against browsers, particularly IE) you can enforce the policies against all scripts, .dlls, and BHOs, as well as executables. Your users Will. Fucking. Hate. the fact that your software restriction policy has to be evaluated 350 times just to log in and open an IE window; but their odds of picking up a malicious BHO will drop substantially. Your IT flunkies Will. Fucking. Hate. having to get all their little diagnostics tools and utilities, and any new programs that are being added, cryptographically signed and enrolled into your restriction policy; but such is life.

They will increase your workload, reduce performance, and make your flunkies into sad pandas; but SRPs are pretty much your best bet, in Windows land, to go from reactively attempting to enumerate badness to proactively enumerating goodness. Welcome to hell.
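As an added illustration of the "enumerate goodness" model the post describes, here is a small Python model of how SRP-style rules are evaluated: hash rules beat publisher rules, which beat path rules, which beat the default level, and among path rules the most specific match wins. This is example code written for this page, not Microsoft's implementation and not anything from the original comment; the signer strings, paths and file contents are constructed, and the publisher check stands in for the Authenticode verification a real policy performs.

```python
"""Model of Software Restriction Policy style allow-listing (constructed example)."""
import fnmatch
import hashlib
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"


@dataclass
class Executable:
    path: str          # where the file sits on disk (constructed)
    content: bytes     # file bytes (constructed; a real check reads the file)
    signer: str = ""   # publisher name as an Authenticode check would report it (assumed)


@dataclass
class HashRule:
    sha256: str
    level: str


@dataclass
class PublisherRule:
    signer: str
    level: str


@dataclass
class PathRule:
    pattern: str       # glob matched case-insensitively against the full path
    level: str


@dataclass
class Policy:
    default_level: str = DENY
    hash_rules: list = field(default_factory=list)
    publisher_rules: list = field(default_factory=list)
    path_rules: list = field(default_factory=list)

    def evaluate(self, exe):
        """Return (level, reason). Precedence mirrors SRP: hash > publisher > path > default."""
        digest = hashlib.sha256(exe.content).hexdigest()
        for r in self.hash_rules:
            if r.sha256 == digest:
                return r.level, f"hash rule {digest[:12]}"
        if exe.signer:
            for r in self.publisher_rules:
                if r.signer == exe.signer:
                    return r.level, f"publisher rule {r.signer}"
        # Among matching path rules the longest (most specific) pattern wins,
        # so a deny on a writable subtree overrides an allow on its parent.
        matches = [r for r in self.path_rules
                   if fnmatch.fnmatchcase(exe.path.lower(), r.pattern.lower())]
        if matches:
            best = max(matches, key=lambda r: len(r.pattern))
            return best.level, f"path rule {best.pattern}"
        return self.default_level, "default level"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed sample bytes standing in for a binary that an admin has explicitly blacklisted.
KNOWN_BAD = b"MZ constructed malware sample"

policy = Policy(
    default_level=DENY,  # "enumerate goodness": anything unmatched does not run
    hash_rules=[HashRule(sha256_hex(KNOWN_BAD), DENY)],
    publisher_rules=[PublisherRule("Contoso IT Tools (assumed)", ALLOW)],
    path_rules=[
        PathRule(r"C:\Windows\*", ALLOW),
        PathRule(r"C:\Program Files\*", ALLOW),
        PathRule(r"C:\Windows\Temp\*", DENY),  # user-writable subtree inside an allowed tree
    ],
)


def check_all():
    """Evaluate a set of constructed executables; returns {name: (level, reason)}."""
    samples = {
        "office": Executable(r"C:\Program Files\Office\word.exe", b"MZ office"),
        "dropped": Executable(r"C:\Users\joe\AppData\Local\Temp\update.exe", b"MZ dropper"),
        "signed_tool": Executable(r"C:\Users\admin\Downloads\diag.exe", b"MZ diag",
                                  signer="Contoso IT Tools (assumed)"),
        "bad_in_good_path": Executable(r"C:\Program Files\Office\helper.exe", KNOWN_BAD),
        "tmp_in_windows": Executable(r"C:\Windows\Temp\x.exe", b"MZ x"),
    }
    return {name: policy.evaluate(exe) for name, exe in samples.items()}


if __name__ == "__main__":
    for name, (level, reason) in check_all().items():
        print(f"{name:18} {level:6} ({reason})")
```

The interesting rows are the last two: a blacklisted hash is denied even when it sits under an allowed Program Files path, and a file dropped into a writable directory beneath C:\Windows is denied because the more specific path rule wins. The cost the post mentions is visible here too: every rule list is walked for every file, which is why an SRP that also covers scripts and DLLs is felt at login time.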

Re:In an ideal world... (0)

Anonymous Coward | more than 4 years ago | (#31566522)

We have to take a step back and understand what the various pieces of technology do in the environment. Firewalls traditionally protect layers 3-4 and antivirus usually protects layer 6/7. That leaves a gap of 5-6 that is unprotected. You also factor in the user aspect of it and you have a big hole in your security. There are products out there that try to fill the gaps, like firewalls that try to cover layers 3-6 (Fortinet and Palo Alto) and niche technology solutions that cover layers 5-7 (Juniper UAC, MS UAC, Cisco CSA or NAC), but the bottom line is that there is no one silver bullet that will do it all and guarantee complete coverage. There needs to be a concerted effort on the part of the IT organization and buy-in from management to implement the restrictions and safeguards necessary to secure the environment. Users won't like it for the short term but that will easily be made up in the long term as downtime is reduced.

Install Proto Balance Mail - anti-botnet solution (1)

AbbeyRoad (198852) | more than 4 years ago | (#31566090)

This stops malware:

      http://protobalance.com/ [protobalance.com]

-paul

Is it really necessary to ask? (5, Insightful)

magamiako1 (1026318) | more than 4 years ago | (#31566146)

It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.

#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto-spreading.

#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?

Re:Is it really necessary to ask? (2, Interesting)

obarthelemy (160321) | more than 4 years ago | (#31566664)

I second that, with some additions.

1- You can't trust users to be honest, nor working, nor knowledgeable. That means educating them is probably a waste. You need to remove admin rights, block all non-controlled data sources. That means USB, CD, FD, Bluetooth, Wifi, card readers....

2- In some cases, you may be able/have to use disk images or remote desktops. You can configure those so the users cannot write anything to the disk image, thus ensuring that the OS and Apps are always clean at boot.

Time to bust out a proxy server.. (1)

mindmaster064 (690036) | more than 4 years ago | (#31566188)

Depending on your network topology you might be able to solve this by just adding one proxy/caching server to the mix. Proxy allows port 80 html traffic but doesn't allow other programs to bootleg themselves as something running on 80 to connect, as there generally is application protocol checking. Firewalls do not remove the need for an application/proxy server in this mess and do not replace it, as without that function you still have machines directly connecting to remote hosts and are still vulnerable. Firewall all traffic off both ways at the firewall and only allow traffic originating from the proxy to traverse the screen. Bot programs already on hosts thus have lost access to anything, and you are pushing your proxy list down via group policies to the client machines. And no, you don't need Linux to do this despite what I see other people commenting. Linux is more secure in most cases due to obscurity, but it is not the same thing as Windows and expecting your user base to use it is like cutting off one of their arms and asking them to do the same work. Properly implementing your Windows security is all that is required, and it probably would be easier to add one machine to fix all of your problems than to wipe all the machines in your office and load Linux, wouldn't it?

Re:Time to bust out a proxy server.. (1)

TheMidget (512188) | more than 4 years ago | (#31566920)

And no, you don't need Linux to do this despite what I see other people commenting.

Without Linux, malware might be smart enough to also connect through the proxy, using the credentials "helpfully" shared by Internet Explorer.

In Linux, if you enter a proxy password into your browser, only that browser has access to it, not anything else which might also be running on the same PC.

Suggestions (4, Informative)

Z34107 (925136) | more than 4 years ago | (#31566210)

A few suggestions from my experience as a technician:

  • Keep vulnerable programs off of your base image. We saw infections go down dramatically after removing Java and replacing Adobe Acrobat Reader with something else.
  • Uninstall Internet Explorer if you can. Unless you're running Windows 7, the easiest way to "uninstall" it is to change the permissions on iexplore.exe to Deny for the Everyone account.
  • Lock down computers as much as you can with Group Policy, especially if you have a Windows Server infrastructure.
  • If you can, deploy Windows Steady State if you're using XP or purchase Faronics DeepFreeze. They're both ways of preventing permanent changes to your base image (installation of programs, modification of files) by users. If a Frozen machine gets infected, reboot it.
  • Don't license McAfee. It's worthless.

Re:Suggestions (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31566812)

DeepFreeze rocks. I can't imagine running a public lab (I have a few) without it. But for corporate machines, it seems like overkill.

Re:Suggestions (1)

Z34107 (925136) | more than 4 years ago | (#31566938)

Very overkill, unless you have roaming profiles. I've found most people like to be able to save their documents.

But, as you say, it does rock.

Different browser, restrictive configuration (0)

Anonymous Coward | more than 4 years ago | (#31566224)

Block ads as much as you can: Ad networks are an attack vector. Disable scripting if you can or whitelist the scripts you can't do without. No Flash, Quicktime, or Acrobat plugins. Use an alternative PDF viewer for downloaded PDFs. Disable scripting in the PDF viewer as well. Filter active email content on the server, use a local email client other than Outlook, disable all scripting and network access except to your local email server. Keep your systems and applications (!) updated, disable unnecessary services, especially those which open network sockets. Don't do stupid things.

Identify the people responsible, sack and sue them (1)

Rogerborg (306625) | more than 4 years ago | (#31566282)

It might be the CEO. It might be you. But the fault is always with a person, and they should be held responsible for their actions, including recovering costs.

Re:Identify the people responsible, sack and sue t (1)

troll8901 (1397145) | more than 4 years ago | (#31566670)

Identify the people responsible, sack and sue them

That's a nice suggestion. However, the machine could well be infected due to an infected legitimate website that the person visited in the course of his/her duties.

Re:Identify the people responsible, sack and sue t (1)

Rogerborg (306625) | more than 4 years ago | (#31566828)

As I said, it could be the BOFH's fault for having inadequate firewalling, filtering and virus checking. But someone ballsed up, and they need to go.

Re:Identify the people responsible, sack and sue t (0)

Anonymous Coward | more than 4 years ago | (#31566884)

Seriously? Litigation is the best solution you can think of?

Anti-virus and firewall (1)

Enderandrew (866215) | more than 4 years ago | (#31566306)

That's precisely the problem: enterprise environments often assume that using anti-virus and firewall solutions means they no longer have to be concerned with information security.

It is all too easy to bypass anti-virus detection, and anti-virus products often only protect against known threats. There will always be unknown threats it doesn't protect against.

What you really need is proper sandboxing, but that is a hassle that most people just don't want to deal with.

I hope Taco doesn't work in IT (1, Insightful)

Blakey Rat (99501) | more than 4 years ago | (#31566312)

I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

Do you mean web *server*?

The vast, vast, vast majority of companies are going to need port 80 (and 443) opened. I don't know the last time you stepped into a corporate environment, Taco, but that's how you do your timecard, put your vacation time on the calendar, sometimes how you answer email even.

Re:I hope Taco doesn't work in IT (0)

Anonymous Coward | more than 4 years ago | (#31566432)

Agreed, turn off web browsing ?? hilarious. The entire IT staff would be drawn and quartered within an hour.

Re:I hope Taco doesn't work in IT (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31566546)

You missed the vast, vast, vast majority of the joke.

Re:I hope Taco doesn't work in IT (1)

IBBoard (1128019) | more than 4 years ago | (#31566560)

Made sense to me - although I'm not sure how it'd be done. If a computer runs a web browser then 99%+ of the time it won't need to run a web server, so blocking inbound requests on port 80 would stop it being used as a server. I assume that's important and that it is indicative of zombies, but I could be trusting Taco too much there!

Re:I hope Taco doesn't work in IT (1)

TheMidget (512188) | more than 4 years ago | (#31566810)

Most zombies run as clients (periodically connecting to a "command-and-control" server), or else they wouldn't work behind a NAT (which is quite common in most home networks, which have a DSL or cable router rather than a modem).
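The point that zombies act as clients that periodically call out is also what makes them visible in the proxy and firewall logs discussed elsewhere in this thread: a human browsing produces irregular request gaps, a beacon produces nearly constant ones. The following Python is an added example, not part of the original comment and not code from any product named on the page, that flags client/host pairs whose inter-request intervals in Squid-style access log lines have very low variance. The log lines, addresses and hostnames are constructed.

```python
"""Spot periodic outbound connections (beaconing) in Squid-format access log lines."""
import statistics
from collections import defaultdict
from urllib.parse import urlparse


def sample_lines():
    """Constructed lines in Squid's native access.log layout:
    <unix time> <elapsed ms> <client> <result/status> <bytes> <method> <url> <user> <hierarchy/peer> <type>
    """
    lines = []
    t0 = 1269000000.0
    # Host A hits the same external name every ~300 s with slight jitter (beacon-like).
    for delta in (0, 300, 601, 899, 1200, 1502, 1800):
        lines.append(f"{t0 + delta:.3f}    120 10.0.0.5 TCP_MISS/200 412 GET "
                     f"http://beacon.example.test/ping - DIRECT/203.0.113.10 text/plain")
    # Host B browses an intranet app with irregular gaps (human-like).
    for delta in (0, 12, 13, 200, 205, 900, 1300):
        lines.append(f"{t0 + delta:.3f}     80 10.0.0.7 TCP_HIT/200 20480 GET "
                     f"http://intranet.example.test/timecard - NONE/- text/html")
    return lines


def parse(line):
    """Return (timestamp, client, host) from one access.log line."""
    f = line.split()
    return float(f[0]), f[2], urlparse(f[6]).hostname


def find_beacons(lines, min_hits=5, max_cv=0.1):
    """Return {(client, host): (mean_gap_seconds, coefficient_of_variation)}
    for pairs seen at least min_hits times whose request gaps are nearly constant
    (standard deviation / mean <= max_cv)."""
    times = defaultdict(list)
    for line in lines:
        ts, client, host = parse(line)
        times[(client, host)].append(ts)
    flagged = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = (round(mean, 1), round(cv, 4))
    return flagged


if __name__ == "__main__":
    for (client, host), (mean, cv) in find_beacons(sample_lines()).items():
        print(f"{client} -> {host}: every {mean}s (cv={cv})")
```

The thresholds are the tuning knobs: a low coefficient of variation over at least a handful of requests separates a timer from a person, while legitimate pollers (update checks, monitoring agents) will show up too and belong on an allow list rather than being treated as infections. Run over a day of real proxy logs this is the kind of "abnormal" that a dashboard makes visible before a signature exists.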

Re:I hope Taco doesn't work in IT (1)

flyingfsck (986395) | more than 4 years ago | (#31566742)

Fortunately with a combination of cntlm, corkscrew and ssh, I can tunnel anything through port 80.

Re:I hope Taco doesn't work in IT (1)

TheMidget (512188) | more than 4 years ago | (#31566750)

The vast, vast, vast majority of companies are going to need port 80 (and 443) opened.

Never heard of a Squid proxy? Port 3128 is all your workers need.

Admin permissions (1)

laron (102608) | more than 4 years ago | (#31566340)

If we are talking about XP machines, consider taking away admin permissions from ordinary users. Maybe set up a local admin account that the users know the password for, but let them do their daily work as restricted users.

Re:Admin permissions (2, Funny)

jimbobborg (128330) | more than 4 years ago | (#31566518)

Funny looking at this post and then seeing your signature.

One article where I am glad there are no links.... (0)

Anonymous Coward | more than 4 years ago | (#31566472)

Btw thanks harrymcc/timothy re the posting of the "Russian ASCII Art Animated Cat From 1968" article.... my local library really appreciated the pissoff.exe malware on their machine.... that article should be renamed to "In soviet Russia BESM-4 GOST 10859-64 ASCIISKI Art Animated Kitty Porn From 1968 with blessing of Russian malware from 2010 - now all IE bases belong to Boris Grishenko" !

Simple (4, Interesting)

rindeee (530084) | more than 4 years ago | (#31566488)

I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must do's":

1. Block social networking sites. Need convincing? Here. http://google.com/safebrowsing/diagnostic?site=facebook.com/ [google.com] or http://google.com/safebrowsing/diagnostic?site=myspace.com/ [google.com] or http://google.com/safebrowsing/diagnostic?site=twitter.com/ [google.com]

2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (Trusted Source type technology).

3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential.

4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs.

5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks.

This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux based solution with entirely open source tools large enough to cover thousands of concurrent users.

Re:Simple (4, Funny)

IBBoard (1128019) | more than 4 years ago | (#31566770)

Looks like you need to block Google as well! http://google.com/safebrowsing/diagnostic?site=google.com [google.com]

Re:Simple (1)

rindeee (530084) | more than 4 years ago | (#31566908)

No, but you do need to block their syndicated ads, Blogs, etc. Web-mail, too, if you don't have the ability to scan it specifically.

Filtering (3, Interesting)

lord_rotorooter (1482955) | more than 4 years ago | (#31566568)

If you have a Cisco ASA 5510 or higher you can purchase the botnet filter for roughly $320 a year. Then enable the filter on your internal interface to block any outbound traffic going to the known botnet IP ranges. I would also recommend blocking unnecessary outbound ports and limiting necessary ports to specific machines (ex. Port 25 mail server only outbound). I would also look at setting up a proxy server such as Squid. I would do MIME filtering on untrusted web traffic and perhaps use DansGuardian for prebuilt whitelisting/blacklisting. At my workplace I am fortunate enough to be allowed to do a default deny on the entire internet, only white-listing work related sites (of course I work at a bank). Antivirus should be considered a secondary defense in this day and age. You really need to look at getting an IPS device for your network and then perhaps an aggregated log server if you haven't already. These last two recommendations will cost some money. So short term I would focus on outbound firewall filtering and a proxy server.
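To show what the MIME filtering suggested above can catch on untrusted web traffic, here is an added Python example (not the poster's setup, and not Squid or DansGuardian code) that compares a download's declared Content-Type and URL extension against the first bytes of the body, so an executable served as an image, or an archive served as text/html, is blocked regardless of what the server claims. The URLs, content types and bodies are constructed; the magic-byte table is deliberately small.

```python
"""Content-type versus magic-byte check for proxied downloads (constructed example)."""
import os
from urllib.parse import urlparse

# Leading bytes that identify a format, and the MIME type they imply.
MAGIC = {
    b"MZ": "application/x-msdownload",      # Windows PE executable
    b"\x7fELF": "application/x-executable",  # ELF executable
    b"PK\x03\x04": "application/zip",        # zip (also OOXML documents, JARs)
    b"%PDF": "application/pdf",
}

# What a given URL extension is expected to carry.
EXT_TYPES = {
    ".exe": "application/x-msdownload",
    ".zip": "application/zip",
    ".pdf": "application/pdf",
    ".jpg": "image/jpeg",
    ".gif": "image/gif",
    ".html": "text/html",
}

# Types that never get through from untrusted sites, whatever they are called.
BLOCKED_TYPES = {"application/x-msdownload", "application/x-executable"}


def sniff(body):
    """Return the MIME type implied by the body's leading bytes, or None if unknown."""
    for magic, mime in MAGIC.items():
        if body.startswith(magic):
            return mime
    return None


def decide(url, declared_type, body):
    """Return ("block"|"allow", reason) for one response.

    Order matters: content is trusted over the declared header, and the declared
    header is trusted over the extension, because the server controls all three
    but the leading bytes are what the client will actually act on.
    """
    sniffed = sniff(body)
    declared = (declared_type or "").split(";")[0].strip().lower()
    ext = os.path.splitext(urlparse(url).path)[1].lower()

    if sniffed in BLOCKED_TYPES:
        return "block", f"executable content ({sniffed}) despite declared '{declared}'"
    if sniffed and declared and sniffed != declared:
        return "block", f"declared '{declared}' but content is {sniffed}"
    if EXT_TYPES.get(ext) in BLOCKED_TYPES:
        return "block", f"extension {ext} is on the executable list"
    return "allow", "declared type, extension and content agree"


def run_samples():
    """Constructed responses as a proxy would see them: (url, Content-Type, leading bytes)."""
    samples = {
        "exe_as_gif": ("http://cdn.example.test/logo.gif", "image/gif", b"MZ\x90\x00" + b"\x00" * 60),
        "real_pdf": ("http://www.example.test/report.pdf", "application/pdf", b"%PDF-1.4\n%..."),
        "zip_as_html": ("http://dl.example.test/update.zip", "text/html", b"PK\x03\x04\x14\x00"),
        "plain_page": ("http://www.example.test/page.html", "text/html; charset=utf-8", b"<html><body>"),
        "bare_exe": ("http://dl.example.test/tool.exe", "application/octet-stream", b"\x00\x00\x00\x00"),
        "real_gif": ("http://cdn.example.test/spacer.gif", "image/gif", b"GIF89a\x01\x00"),
    }
    return {name: decide(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in run_samples().items():
        print(f"{name:12} {action:5} {reason}")
```

The "bare_exe" row is the weakest check in the set: it is caught only by its extension, which is the one signal an attacker controls most cheaply, so in practice the magic-byte and declared-type checks do the real work and the extension rule is a backstop.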

dancing with dinosaurs episode postponed.... (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31566582)

due to increased levels of seismic/volcanic activity. if one of those things fell on/off the 'stage' or something....

never a better time to consult with/trust in your creators, of who, it has been said, leave nothing to chance.

block (0)

Anonymous Coward | more than 4 years ago | (#31566648)

myspace and facebook and disable autorun on all drives like usb and cdrom.

all you have to do is ... (0)

Anonymous Coward | more than 4 years ago | (#31566772)

install gentoo

Sandboxing and VM's in our future ? (3, Interesting)

zuki (845560) | more than 4 years ago | (#31566816)

This is more of a question than anything, as I find this to be a fascinating topic, but have little experience in managing corporate networks.

At what point does it make sense to have your users having to run all that they do on a virtual machine, which if anything gets compromised can just be rolled back without too much fuss?

Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?

Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.

I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much, seems fairly practical yet transparent to the users. (wish I had mod points for you guys, but not today!)

But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?

Sorry for sounding naive, but this is not my area of expertise...

Security Policy and People. (0)

Anonymous Coward | more than 4 years ago | (#31566866)

What antivirus system and what firewall rules? What security policies? And more important, how were the people trained? If you ask someone to type the root/admin password, probably they will.

Anti-virus, try a good one, not necessarily a free one.
Firewall must be configured by application and user, not by port.
Group Policies must be used; users must not be authorized to run any software outside the whitelist.
People must be trained. Culture takes time to change. You will not solve this with software and appliances only.
(Block China and Russia IPs if possible)

English not your first language? (1)

YourExperiment (1081089) | more than 4 years ago | (#31566956)

How To Avoid the Infection of Botnet?

By using the common of sense?
