Using Firewalls to Block Spyware?
MartinMotor asks: "I'm a Network Administrator for a company with approximately 200 users, and we just installed a shiny new PIX. Being the resourceful network geek type, I immediately started adding deny statements to kill off access to places where people can download evil cursed programs like HOTBAR. Is there anywhere out there where people like me are maintaining a list of IPs for spammers, spyware progs, and pop-uppers to add to our firewalls? I can't be the first person to have this idea."
comes with a HOSTS.TXT that you can extract the data from.
http://security.kolla.de/
"Life is great; without it, you'd be dead." -Harmony Korine
A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.
Try the CAUCE, Osiris Relay, ORBS, and other spam clearing house websites. I was able to pull down spam domains and IP addresses to route to a non-existent port on my firewall.
And don't forget those weather news download sites and gotomypc.com!!!!
If you need some starter lists drop me a note.
Success is the ability to go from failure to failure without losing your enthusiasm.........
Spy Sites
As a side note, if you can't find a big enough list, you can always load the spyware on a test machine.
Gryftir
Death to all Fanatics!
http://www.santacruzbynight.com/index.shtml Santa Cruz By Night Vampire Larp
I asked myself the same question a few months ago - creating a blacklist for squid - and couldn't find a good resource. I grabbed the hostfile that came with spybot and started with that - I found that about 10 domain names account for 90% of the spyware out there.
The list itself is at the office, but maybe I'll reply to myself tomorrow.
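Both the squid ad-blocking post above and this one start from a hosts-file style list, so here is an added example (not code from either poster) that turns a spyware remover's HOSTS file into a squid dstdomain list and ranks which networks own most of the entries. The HOSTS lines are constructed, and the squid ACL snippet in the docstring is an assumption about how the output gets loaded.

```python
"""Turn a spyware remover's HOSTS file into a squid dstdomain blocklist.
Added example, not code from the thread. Assumes '127.0.0.1 hostname'
lines with '#' comments, and that squid loads the output via
    acl adware dstdomain "/etc/squid/adware.txt"
    http_access deny adware
"""
import re
from collections import Counter

# Constructed sample in HOSTS.TXT layout; the hostnames are made up.
SAMPLE_HOSTS = """\
# entries added by a spyware remover
127.0.0.1 ads.example-adserver.net
127.0.0.1 www.ads.example-adserver.net   # same network, another name
127.0.0.1 cdn.example-adserver.net
0.0.0.0 tracker.example-toolbar.com
127.0.0.1 localhost
127.0.0.1 BAD HOST LINE WITH SPACES
"""

HOST_RE = re.compile(r"^[0-9.]+\s+([A-Za-z0-9.-]+)\s*(?:#.*)?$")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def parse_hosts(text):
    """Blocked hostnames, skipping comments, blank and malformed lines
    and the local names every HOSTS file carries."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = HOST_RE.match(line)
        if m and m.group(1).lower() not in LOCAL_NAMES:
            hosts.add(m.group(1).lower())
    return hosts

def registered_domain(host):
    """Crude registrable domain (last two labels): fine for ranking which
    networks dominate a list, not a public-suffix-aware parser."""
    return ".".join(host.split(".")[-2:])

def squid_dstdomain(hosts):
    """squid dstdomain entries; the leading dot also matches every
    subdomain, so new hostnames on a listed network need no edit."""
    return sorted({"." + registered_domain(h) for h in hosts})

def top_domains(hosts, n=10):
    """Rank registered domains by entries owned (the 'about 10 domains
    are 90% of the list' check)."""
    return Counter(registered_domain(h) for h in hosts).most_common(n)
```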
Our site denies software installations of any type through Windows policies for anyone but power users (i.e., programmers, and not even all of them). Sure there were complaints and groaning... But they weren't for crashing computers anymore. You'd be surprised at the kind of sh*t some cute screen savers (TM) install. DLL messups, preferences mangling! So while firewalling might prevent some of the symptoms of spyware (i.e., call-homes), good policies, both technically enforced and "socially" enforced, go a long way.
I don't have a complete list, but you may want to add 66.35.250.150 to your IP blocks banned. I've seen way too much time lost to that one...
+++ UGUCAUCGUAUUUCU
I can't remember which spyware apps did this, but they will actually go into the ZoneAlarm config and get through that way. It's scary, but it happens. IIRC I even read about it on /. (imagine that...).
The other way firewalls get bypassed is if the spyware uses something already given permission to tunnel out on a system, like a web browser spyware plug-in would. In that case, what chance do you have of stopping it but to remove it?
Here is a copy of mine in Text format.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
after the horse has left, but for what it's worth, there's Peer Guardian, which uses a constantly updated list of IP addresses which have been declared "bad".
Fuck Slashdot
So I set up outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the download off of other IP addresses and servers... so I went back to the SARC document and added the new IP addresses to the block list. For two weeks, I checked the page twice a day to see if the list changed. Since then, the problem stopped.
As far as HotBar is concerned, I set up the internal DNS caching server to be authoritative for the hotbar.com zone and pointed it to a non-active IP in the local subnet. That fixed much of the problem of people installing it... :)
http://www.slashdot.org
If you think
The easiest way to achieve what you want is to change your network security policy, and enforce it by way of ACL's on the INSIDE interface of your PIX. By this, I mean:
Go from your current "Internal users can access anything they want" (default allow), to "Internal users can ONLY access what we allow" (default deny). The beauty of this is that you *don't* waste time tracking down various ports for each and every application you want to block. Nor do you have to worry about keeping up with the latest spyware-ridden P2P client crap to be released. The only thing it *won't* cover is applications using protocols you allow (such as using port 80 for data xfers in $P2PappName). You can cover this with more specific ACL's on a per-shittyFsckingMakeMyNetworkAdminLifeMiserableP2PApp basis. But I digress.
The PIX makes this very easy - matter of fact, we do this exact same thing at work.
First thing you need to do is take a list of all network applications (or protocols) that your users require to do their jobs. Things like FTP, WWW, SSH and the like. Next, you formulate your ACL list to be applied to the inside interface (or whatever name you gave to the interface your users sit on. It defaults to INSIDE with a security level of 100). Do this in a text file, and check it for sanity BEFORE you apply it to your PIX (otherwise you have irate users calling you 100 at a time, screaming that you broke $nameOfAppINeedToDoMyJob).
Once you have this list and you think it's complete, add a default deny rule to the bottom. Now before you go pointing out that PIX already has default-deny, you should STILL add this because the PIX won't log packets that hit its default deny - only packets that match an explicitly defined Default Deny ACL.
Very basic example ACL list:
access-list PERMIT_OUT permit tcp any any eq 80
access-list PERMIT_OUT permit tcp any any eq 21
access-list PERMIT_OUT deny ip any any (denies all other traffic from any source to any destination on any port, and logs it)
The above will allow FTP and HTTP outbound for your users (you need to use protocol fixup on the FTP), and deny ALL other traffic! Problem solved, and it only takes about 10 minutes to do.
Janie took my gun...
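The point of the explicit deny line is that its hits get logged; as an added example (not from the post), here is how to mine those messages for the pattern that matters, one inside host retrying the same blocked destination. It assumes the PIX 6.x 106023 message layout shown in the docstring, and the syslog lines are constructed.

```python
"""Pull beacon-like repeat hits out of PIX explicit-deny log messages.
Added example, not from the thread. Assumes PIX 6.x syslog message
106023, which the PIX emits for packets denied by an access-group ACE:
  %PIX-4-106023: Deny tcp src inside:10.1.1.5/1033 dst outside:198.51.100.20/8080 by access-group "PERMIT_OUT"
"""
import re
from collections import defaultdict

DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?'
    r'.*?by access-group "?(?P<acl>[^"\s]+)"?')

# Constructed sample syslog lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Mar 13 09:12:01 pix-1 %PIX-4-106023: Deny tcp src inside:10.1.1.5/1033 dst outside:198.51.100.20/8080 by access-group "PERMIT_OUT"
Mar 13 09:12:31 pix-1 %PIX-4-106023: Deny tcp src inside:10.1.1.5/1041 dst outside:198.51.100.20/8080 by access-group "PERMIT_OUT"
Mar 13 09:13:02 pix-1 %PIX-4-106023: Deny tcp src inside:10.1.1.5/1052 dst outside:198.51.100.20/8080 by access-group "PERMIT_OUT"
Mar 13 09:13:40 pix-1 %PIX-4-106023: Deny udp src inside:10.1.1.9/3456 dst outside:198.51.100.20/6257 by access-group "PERMIT_OUT"
Mar 13 09:14:11 pix-1 %PIX-4-106023: Deny icmp src inside:10.1.1.7 dst outside:192.0.2.44 (type 8, code 0) by access-group "PERMIT_OUT"
Mar 13 09:14:12 pix-1 %PIX-6-302013: Built outbound TCP connection 4711 for outside:192.0.2.10/80 (192.0.2.10/80) to inside:10.1.1.7/1100 (10.1.1.7/1100)
"""

def parse_deny(line):
    """Fields of one 106023 message, or None for any other line.
    Ports are None for ICMP, which the PIX logs with type/code instead."""
    m = DENY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"]) if d["sport"] else None
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d

def repeat_offenders(log_text, min_hits=3):
    """Count denies per (src, dst, proto, dport). One inside host retrying
    the same blocked destination every few seconds is the call-home pattern
    worth a visit to the desk; single hits are usually a user clicking."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        d = parse_deny(line)
        if d:
            counts[(d["src"], d["dst"], d["proto"], d["dport"])] += 1
    hits = [(k, n) for k, n in counts.items() if n >= min_hits]
    return sorted(hits, key=lambda kv: (-kv[1], str(kv[0])))
```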
The "-u" flag to sort(1) only works on systems that implement the XPG4 standard. If you want to write portable shell scripts, you'll need to call uniq(1). Unfortunately for us script writers, not all the world uses GNU textutils.
HTH. HAND.
I'm proud of my Northern Tibetian Heritage
Why doesn't DirectX v7 (presumably you are referring to the DirectPlay NetCode) NAT properly? I found some answers on DXport, which claims to be able to force DX7 and 8 games to work with NATs. Seems the protocol isn't that broken with regards to NATing.
Why must certain types of ICMP be allowed? Is "port unreachable" really necessary, or can connections to unreachable ports simply time out? Echo certainly isn't necessary. As for FTP, passive mode is preferred as it allows connections to be initiated by the client rather than the server (or maybe the other way around, I'm tired, and it's late), so I fail to see how it's relevant.
But I'm willing to be enlightened.
"The lesson to be learned is not to take the comments on slashdot too literally." --Vinnie Falco, BearShare