Curing a Corporate Virus Infection
museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60-server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools, was the original source of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."
If you can use the 'protected port' option on e.g. cisco switches, TURN IT ON.
Essentially, it prevents the indicated ports on the switch from communicating with other ports that also have that protection set. Unless you have sloppy shared directories or some reason for the actual PCs to talk directly to each other, it won't harm anything and will prevent the viruses from spreading PC-to-PC once (not when) they get in.
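What the protected-port setup described above looks like on a Cisco IOS access switch, as an added illustration that is not part of the original post. The interface names, VLAN number and uplink port are assumptions; the one thing to note is that the uplink (to servers, gateway, file shares) is left unprotected, since protected ports can still reach any unprotected port, and that the isolation is local to one switch (spanning several switches needs private VLANs instead).

```cisco
! Access ports for user PCs: protected ports cannot send unicast,
! multicast or broadcast to each other, so a worm on one PC
! cannot scan or infect its neighbours on this switch.
interface range FastEthernet0/1 - 24
 description user PCs (assumed port range)
 switchport mode access
 switchport access vlan 10
 switchport protected
 spanning-tree portfast
!
! Uplink to the rest of the network: deliberately NOT protected,
! so every PC can still reach servers, printers and the gateway.
interface GigabitEthernet0/1
 description uplink to core / servers (assumed)
 switchport mode access
 switchport access vlan 10
!
! Verify which ports carry the setting after the change:
!   show interfaces FastEthernet0/1 switchport | include Protected
! Expected line for a user port:  Protected: true
```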
You needn't treat them like a threat to their face, that is just rude. Most people are "too busy" or don't care enough to learn about computer security. So nod and just listen to *their* problems and lock down their system against the big threat.
... so we set out to prevent user folly. In so doing we created the IT tech's dream.
We had to deal with this more often than not
First off you start at the network layer, and make sure via firewalls that people can't get anywhere or use any application that will cause you grief (p2p/streaming etc.). Then you transparently proxy all your traffic so that the guy who checks out classic-cars.com all day for backgrounds can do his thing and not screw everyone else.
Then you take every user system and you lock them down. You start out by moving all their dynamic data (that you wanna keep) to a file server. Mapping the winblows appdata/my documents gives you a wannabe roaming profile without all the garbage.
After you make all that effort you either implement a mandatory PXE re-imaging overnight (too much of a headache for us) or you use something like Deep Freeze and lock down the system entirely. Due to Deep Freeze even the most zealous surfer can only horribly damage their system once a day.
Now you have an ideal environment. All changes on a system that need a reboot *must* involve a contact to the IT department, and those you think are savvy enough not to need a frozen system can do 90% of their own support.
Ok sure so your level of responsibility goes up. The pristine environment means you have plenty of opportunity to script away your work. Not to mention silly things like virus outbreaks are really limited because a frozen system need only reboot to remove the virus.
Think *pro-active.*
Just go back to the classic-server rule of thumb.
1.) Desktop machines can use windows
2.) Servers must be unix based.
The user can corrupt the hell out of their hard disk, and they have only themselves to blame.
"Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare!" ...Apple Macs and Assorted Linucen, curing .exe, registry and bot infections for 5 years and counting!
No reference at microsoft site about using a machine in limited mode to stop viruses/trojans.
I think linux users don't run exim or apache with uid 0...for a reason.
Here is an idea that seems to slip past many...
C-O-R-P-O-R-A-T-E F-I-R-E-W-A-L-L
We used to have botnet probs in our corporate network... once we installed a Zonelabs Integrity server and were able to control what programs had access to the internet and which ones did not, it was pretty easy to fix.
Forgot to mention: that first rule does NOT guarantee you are protected. If the 'nasty' program initiates a connection of its own, then it WILL BE ACCEPTED because of the second rule. I'm just saying that someone can't initiate contact with it from the outside.
If the services that the viruses are using aren't enabled, they can't be exploited.
Here's one way to deal with this...
Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2-system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would lose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.
Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
At work we have 20K users in the US alone. We actually don't have that bad of a time dealing with viruses and worms and the like.
Why? Because 98% of the users get pushed their virus updates and their OS updates. This includes the clueless people.
We also run network scans and know WHEN computers were updated. If the computer is connected to the network, we know what updates it has or doesn't have. The only hard part is FINDING the unpatched computers.
We also have a firewall that prevents P2P connections, FTP and anything else non web browser related (gets annoying at times).
In reading this story.. I can only assign 1% of the blame on the users and 99% of the blame on the admins for not doing a proper job.
I think that the dangers outweigh the advantages of using P2P for that. Some guy has been advertising this site http://www.foundonp2p.com/ that shows private data that can be found on p2p networks.
For moving stuff back and forth from home, I'd think that you'd be better off having IT set up a secure FTP site than P2P.
A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
"I think that the dangers outweigh the advantages of using P2P for that. Some guy has been advertising this site http://www.foundonp2p.com/ that shows private data that can be found on p2p networks."
We have an application that automatically encrypts the files we might want to transport using 3DES, and PGP e-mails the SHA1, randomised filename and key to the potential recipients before putting the file into a gnutella public directory. This seems secure to me.
I agree, if you don't know what you're doing with it, a P2P network can be dangerous.
"For moving stuff back and forth from home, I'd think that you'd be better off having IT set up a secure FTP site than P2P."
That'd be useful, but the cost of upgrading our internet access to a static IP address is more than we can justify. We'd also have to upgrade our firewall to support it. P2P seemed the easiest solution to us. We tried rewritable CDs, but they quickly became a source of annoyance. Not to mention people not realising what they needed before they needed it.
The Mona Lisa is art. It has a very high value tied to it, but the artist never saw any of that value. He created it because of his love of the creation of it, not because he was going to make big money for it.
He certainly was paid big money for it. Da Vinci worked on commission, and for specific people most of his life, including the Pope, the Duke of Milan and others.
Learn some history.
Coming soon - pyrogyra
When I need to delete a system, read-only or hidden file at the command line I first use attrib to clear the appropriate file attributes.