Slashdot Mirror

← Back to Stories (view on slashdot.org)

Curing a Corporate Virus Infection

Posted by michael on from the lift-off-and-nuke-the-site-from-orbit dept.

museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

4 of 346 comments (clear)

  1. Protected Ports by Anonymous Coward · · Score: 5, Informative

    If you can use the 'protected port' option on e.g. cisco switches, TURN IT ON.

    Essentially, it prevents the indicated ports on the switch from communicating with other ports that also have that protection set. Unless you have sloppy shared directories or some reason for the actual PC's to talk directly to eachother, it won't harm anything and will prevent the viruses from spreading pc-to-pc once (not when) they get in.

  2. Re:It's easy to blame the users... by superpulpsicle · · Score: 5, Informative

    Just go back to the classic-server rule of thumb.

    1.) Desktop machines can use windows

    2.) Servers must be unix based.

    The user can corrupt the hell out of their hard disk, and they have only themselves to blame.

  3. Re:It's easy to blame the users... by Spoing · · Score: 5, Informative
    1. We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

    If the service that the viruses are using aren't enabled, they can't be exploited.

    Here's one way to deal with this...

    Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2 system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would loose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.

    Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  4. Ahh, blame the users for Admins screwup by AnswerIs42 · · Score: 4, Informative
    Come on.. this is an example of a VERY poorly managed network.

    At work we have 20K users in the US alone. We actualy don't have that bad of a time dealing with viruses and worms and the like.

    Why? Because 98% of the users get pushed their virus updates and their OS updates. This includes the clueless people.

    We also run network scans and know WHEN computers were updated. If the computer is connnected to the network, we know what updates it has or doesn't have. The only hard part is FINDING the unpatched computers.

    We also have a firewall that prevets P2P connections, FTP and anything else non web browser related (gets anoying at times).

    In reading this story.. I can only assign 1% of the blame on the users and 99% of the blame on the admins for not doing a proper job.