Slashdot Mirror


Using Firewalls to Block Spyware?

MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."

11 of 72 comments

  1. spybot search and destroy by joFFeman · · Score: 5, Informative

    comes with a HOSTS.TXT that you can extract the data from.

    http://security.kolla.de/

    --
    "Life is great; without it, you'd be dead." -Harmony Korine
    1. Re:spybot search and destroy by Zocalo · · Score: 3, Informative

      I was going to suggest the "hosts.txt" that comes with KaZaA Lite, which is also pretty extensive (and available separately). Your best bet is probably to "cat * | sort | uniq" to get the combined list, but it's going to be pretty extensive...

      --
      UNIX? They're not even circumcised! Savages!
  2. Firewall policy by Krandor3 · · Score: 5, Informative

    A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.

  3. Maybe these? by Gryftir · · Score: 4, Informative

    Spy Sites
    As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.

    Gryftir
    Death to all Fanatics!

    --
    http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
  4. 10 domains will kill 90% by mattsouthworth · · Score: 2, Informative

    I asked myself the same question a few months ago - creating a blacklist for squid - and couldn't find a good resource. I grabbed the hostfile that came with spybot and started with that - I found that about 10 domain names account for 90% of the spyware out there.

    The list itself is at the office, but maybe I'll reply to myself tomorrow.

    1. Re:10 domains will kill 90% by mattsouthworth · · Score: 2, Informative

      Wow, I can't cut or copy out of the reporting client. Anyway, a list of domains to block should include what I have below. I haven't modified this for a couple months, so I'm sure there are new offenders.

      Ideally, you don't do this on your PIX, but on your web proxy (you don't allow unauthenticated unproxied web browsing do you?) - a lot of DNS lookups could seriously impair your firewall. Also, I got better performance by noting and including all the subdomains below (like http://hotbar.com and http://www.hotbar.com) BEFORE anything with a wildcard. If it matches on an explicit domain and doesn't drop down to one of the wildcards you save processor work.

      *.clicktilluwin.com
      *.brilliantdigital.com
      *.lop.com
      unitedstates.rub.to
      xupiter.com
      www.xupiter.com
      *.firstlook.com
      *.passthison.com
      *.ezcybersearch.com
      *.bonzi.com
      *.gator.com
      *.cometsystems.com
      *.xupiter.com
      *.hotbar.com
      *.livecursors.com
      *.mycometcursor.com
      *.purityscan.com
      *.smartpops.com
      *xww.de
      *.new.net
      *.cometsystems.*

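    The three approaches above (extracting hosts from Spybot's HOSTS.TXT, feeding a blocklist to squid, and checking explicit domains before wildcards) combined into one script. This is an added example, not code from any of the posters; the hosts-file lines and wildcard entries are constructed samples, and the squid dstdomain output format is the only real tool syntax assumed.

    ```python
    import re
    from typing import Iterable, List, Tuple

    # Constructed sample input in Spybot-style hosts-file format (not a real file).
    HOSTS_TXT = """\
    # hosts file header comment
    127.0.0.1 www.hotbar.com
    127.0.0.1 hotbar.com   # trailing comment
    127.0.0.1 ads.doubleclick.net
    127.0.0.1 www.hotbar.com
    """
    # Constructed wildcard list in the style of the reply above.
    WILDCARDS = ["*.hotbar.com", "*.gator.com", "www.xupiter.com"]

    HOST_RE = re.compile(r"^\s*(?:\d{1,3}\.){3}\d{1,3}\s+([^\s#]+)")

    def parse_hosts(text: str) -> List[str]:
        """Pull hostnames out of hosts-file lines; comments and blanks are skipped."""
        return [m.group(1).lower() for m in map(HOST_RE.match, text.splitlines()) if m]

    def build_blocklist(entries: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Deduplicate and split entries into exact hostnames and wildcard suffixes.
        '*.example.com' becomes the suffix 'example.com'; 'localhost' is dropped."""
        exact, wild = set(), set()
        for e in (x.strip().lower() for x in entries):
            if not e or e == "localhost":
                continue
            (wild.add(e[2:]) if e.startswith("*.") else exact.add(e))
        return sorted(exact), sorted(wild)

    def is_blocked(host: str, exact: List[str], wild: List[str]) -> str:
        """Return 'exact', 'wildcard' or ''. Exact names are tested first so the
        cheap membership test short-circuits before any suffix scanning."""
        host = host.lower().rstrip(".")
        if host in exact:
            return "exact"
        for suffix in wild:   # suffix matches the domain itself and its subdomains
            if host == suffix or host.endswith("." + suffix):
                return "wildcard"
        return ""

    def squid_dstdomain(exact: List[str], wild: List[str]) -> List[str]:
        """Lines for a squid 'acl spyware dstdomain "/path/to/file"' list; squid
        treats a leading dot as 'this domain and every subdomain'."""
        return exact + ["." + w for w in wild]

    if __name__ == "__main__":
        ex, wi = build_blocklist(parse_hosts(HOSTS_TXT) + WILDCARDS)
        print("\n".join(squid_dstdomain(ex, wi)))
    ```
    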
  5. Re:Time wasters... by muonzoo · · Score: 4, Informative
    In case you can't figure it out; it's funny.
    Welcome to Darwin!
    bash-2.05a$ host 66.35.250.150
    150.250.35.66.IN-ADDR.ARPA is a nickname for 150.0/24.250.35.66.IN-ADDR.ARPA
    150.0/24.250.35.66.IN-ADDR.ARPA domain name pointer slashdot.org
  6. hosts file works well by infonography · · Score: 4, Informative

    Here is a copy of mine in Text format.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  7. Shutting the barn door by Demona · · Score: 2, Informative

    after the horse has left, but for what it's worth, there's Peer Guardian, which uses a constantly updated list of IP addresses which have been declared "bad".

    --
    Fuck Slashdot
  8. Blocking the Permissioned Media "trojan" by questionlp · · Score: 2, Informative
    After having a couple of calls regarding the Permissioned Media "trojan" from users at work (which will still install even if you decline the Software Install prompt at the warning), I decided to look around the Net for ways to block it. I stumbled across Symantec's listing of the "trojan", which provided a list of IP addresses.

    So I set up outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the download off of other IP addresses and servers... so I went back to the SARC document and added the new IP addresses to the block list. For two weeks, I checked the page twice a day to see if the list changed. Since then, the problem stopped.

    As far as HotBar is concerned, I set up the internal DNS caching server to be authoritative for the hotbar.com zone and pointed it to a non-active IP in the local subnet. That fixed much of the problem of people installing it... :)

  9. The easiest way to do this.. by Zeddicus_Z · · Score: 3, Informative

    The easiest way to achieve what you want is to change your network security policy, and enforce it by way of ACL's on the INSIDE interface of your PIX. By this, I mean:

    Go from your current "Internal users can access anything they want" (default allow), to "Internal users can ONLY access what we allow" (default deny). The beauty of this is that you *don't* waste time tracking down various ports for each and every application you want to block. Nor do you have to worry about keeping up with the latest spyware-ridden P2P client crap to be released. The only thing it *won't* cover is applications using protocols you allow (such as using port 80 for data xfers in $P2PappName). You can cover this with more specific ACL's on a per-shittyFsckingMakeMyNetworkAdminLifeMiserableP2PApp basis. But I digress.

    The PIX makes this very easy - matter of fact, we do this exact same thing at work.

    First thing you need to do is take a list of all network applications (or protocols) that your users require to do their jobs. Things like FTP, WWW, SSH and the like. Next, you formulate your ACL list to be applied to the inside interface (or whatever name you gave to the interface your users sit on. It defaults to INSIDE with a security level of 100). Do this in a text file, and check it for sanity BEFORE you apply it to your PIX (otherwise you have irate users calling you 100 at a time, screaming that you broke $nameOfAppINeedToDoMyJob).

    Once you have this list and you think it's complete, add a default deny rule to the bottom. Now before you go pointing out that PIX already has default-deny, you should STILL add this because the PIX won't log packets that hit its default deny - only packets that match an explicitly defined Default Deny ACL.

    Very basic example ACL list:

    access-list PERMIT_OUT permit tcp any any eq 80
    access-list PERMIT_OUT permit tcp any any eq 21
    access-list PERMIT_OUT deny ip any any log
    access-group PERMIT_OUT in interface inside

    (The deny line denies all other traffic from any source to any destination on any port, and logs it; the PIX syntax needs the protocol keyword "ip" and the "log" keyword for the logging to happen. The access-group line binds the list to the inside interface, which is what actually puts it into effect.)

    The above will allow FTP and HTTP outbound for your users (you need to use protocol fixup on the FTP), and deny ALL other traffic! Problem solved, and it only takes about 10 minutes to do.

    --
    Janie took my gun...