Curing a Corporate Virus Infection

museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

Ah, so the best p2p client for getting music

also happens to be the one most prone to viruses, eh?

Hmmmmmm.....

Pirate to Pirate?

Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks.

Re:Pirate to Pirate?

It still is mostly a pirate to pirate network.

It still is mostly used as a pirate to pirate network.

Blame the users, not the network.

Re:Pirate to Pirate?

[mefus]

Any "legitimate" use (which is dubious, at best)

Your analysis is not only faulty, it is unsubstantiated opinion. There have been numerous examples in the trade, on the Internet, and brought forth in recent civil suits that say with one voice: "You are wrong. There are many uses for p2p. It's very success speaks to that."

not justify the rampant sharing of unathorised copies of private works.

The legitimate uses don't have to "justify" those activities. The legitimate uses stand on their own, justify themselves, and justify the use of p2p tools. Your "rampant sharing of unauthorised copies" is justified by outdated distribution models, unreasonable pricing structures, legal attacks against new technologies, and cartels hostile to their customer base.

The *AA is wrong to blame the networks, they should be focused on security problems in the OS they've spread all over their lans, and on the insecure mailreaders installed on those.

Re:Pirate to Pirate?

[glockenspieler]

That's because you don't make your living off creating original IP. Music, Movies, Games, Books, Etc.
br> I'm a scientist. I create what you refer to as IP every day.

Please. Please take the time to understand the issue from the point of view of the artists. And please be mature enough to realize that not all artists are rich spoiled musicians.

I never said nor thought that they were all "rich spoiled musicians". Indeed, I would argue that small indendent creators have more to gain from a system of distribution that bypasses the typical middle men such as publishers and record labels. I have many friends that have had book or recording contracts. I think that I would have a hard time telling these individuals whose market is likely to be small for their output that they are better off with these publishers/labels than developing alternative distribution methods. P2P is one possible distribution method and one that does not obviously equate to taking the food from the mouth of creators children.

Do you believe that anything that is not a solid object should be freely copied whenever someone wants?

Nice attempt to distort my original point. No, of course I do not. Do you believe that the only and best way that creators can make a living is by allowing a small number of media companies control distribution and use of media?

Have you really spent the time to think about what that would really mean?

Yes. Have you?

Re:Pirate to Pirate?

[Calamormine]

Allow me to interject. I am a professional musician (no, you haven't heard of me) and when I write a song, or a piece of music, I am thrilled to see it end up on a P2P network. Frankly, I think it's a shame that it is so hard to be a musician without having to sign with a soulless record company who only wants the rights to your intellectual property. It would be nice if selling music were more like selling your house. If you don't want to use a gigantic record corp., you put the music out yourself! Now, how would you put the music out yourself? P2P? Brilliant! It's so easy to assume the moral high ground in jumping down P2P users throats, but it's actually a very useful thing to upcoming musicians. If people don't know you they can't like you, and most people are not going to go out and buy stacks of CDs from people they know nothing about. But people are going to do genre searches, and if they come across your stuff, they are going to be able to like it, and then if they like it, they will support it.

Re:Pirate to Pirate?

[Blakey+Rat]

Yes, but if that's true, then you shouldn't have any need to illegally download RIAA artists because, by your definition, they aren't "true artists" and therefore produce only crap.

Look, here's how the law works now: It's VERY simple, and all these arguments just gloss over the fact of it:

IF YOU CREATE THE MATERIAL, YOU CAN DO WHATEVER YOU WANT WITH IT. IF YOU DO NOT CREATE THE MATERIAL, YOU CAN DO ONLY WHAT CREATOR SAYS YOU CAN.

Lucas created Star Wars. You can whinge on and on about how he 'ruined' it, but the fact is that because he created it, he can do whatever he wants with it. And because he puts a little notice on it saying, "this work cannot be distributed without express permission from me" that means you can't do it. PERIOD. That's ALL THERE IS to copyright law. It's simple.

If you think it's wrong, fine, WORK TO CHANGE THE LAW, but don't break it! Use the Ghandi method to change the law, not the revolutionary method.

Re:Pirate to Pirate?

[Quarters]

So should I be saying "FU!" to the people that steal the games I work on or should I be saying "FU!" to myself for being such a whore that I want to have a house for myself and my wife, food on our table, clothes in our closet, and money with which to enjoy our lives?

According to you I'm a horrible horrible person for not working my life away to let you have all the fun you want while I live in squalor. Gee, thanks. I don't understand how I completely misunderstood my place in life all these years! You, the one with no talents but a freely available file sharing program get everything while I, the educated, hard working person with a great idea and the means to produce it must be resigned to a life of crap.

Do you enjoy going through live being a complete and total self-centered, cheap ass bastard?

Re:Pirate to Pirate?

[fsck!]

Find me one architect that objects to people photographing the buildings he or she designed.

Re:Pirate to Pirate?

Do you enjoy going through live being a complete and total self-centered, cheap ass bastard?

Yes.

Re:Pirate to Pirate?

[phillymacmike]

According to a paper I just googled,

Copyright provides architects, as authors of architectural works, protection for their designs, and grants to third parties the affirmative right to photograph publicly accessible buildings and to freely distribute and display those photographs. The free exchange of ideas, and the freedom to borrow and expand on those ideas, are integral to the design process; copyright protection tailored to the particular nature of architectural design benefits the public and advances cultural development.

In contrast, however, in trade mark law, architectural works are properly protected where the design is the "signature" style of the architect. Copyright law permits individuals to photograph architectural designs, but trade mark law preempts the right freely to use a trade marked architectural creation. Some buildings in the U.S.A. currently under trade mark include the Chrysler Building and Guggenheim Museum in New York, the Transamerica Pyramid in San Francisco, the Wrigley Building and Citicorp Center in Chicago, and The Rock and Roll Hall of Fame in Cleveland. Trade mark protection for buildings is limited, however, as it precludes another party from designing a building in the same shape.

So there are some IP protections available to real property developers. =)

Quotation from this Word file.

IIRC, the section of the Copyright Act that explicitly allows photography of publicly accessible buildings--120--was written in response to a lawsuit against a photographer by the Guggenheim in New York.

Re:Pirate to Pirate?

[drsmithy]

If I create something and people use it without compensating me for my hard work and talent, then that is wrong (assuming I am asking for something in return). Maybe it's not "stealing", but it is not fair and it is wrong.

Why do you think continually receiving remuneration for "hard work" you did once - up to and beyond the end of your life - is "right" ?

I mean, most people go out, do a days work, and get paid for it - why do you think "artists" should be paid for a days work over and over and over again ?

Do you believe that anything that is not a solid object should be freely copied whenever someone wants?

I don't think that copying anything should be disallowed purely because doing so has suddenly become extremely cheap.

Honestly? Have you really spent the time to think about what that would really mean?

Yes. Have you spent time trying to understand the logic that says storing a copy of something in your brain is fine, but doing it on a piece of paper, a cassette tape, a CD or a computer is wrong ?

What do you do for a living?

I work, and, much as I'd like to be paid for the rest of my life (and most of my children's lives) for each day I work, I don't think I have any moral right to be.

It's easy to blame the users...

[Pig+Hogger]

It's easy to blame the users, but the ultimate responsibility always is the IT department, because it is responsible for security.

And security always includes usage policies.

Re:It's easy to blame the users...

[SlamMan]

Plenty of don't have that option. When management says "no, of course users should be able to install software on the machines they use," the IT shop has a bit more of an added challenge.

Re:It's easy to blame the users...

[legirons]

From the article: "In spite of the Policies in place that prohibit download and installation of software, inspite of the policies in place that prohibit P2P applications"... etc., etc.

In response to articles like this by the network nazis selling lockdown software ["your employees are downloading programs - stop them now!"] , let's imagine that for some unknown reason I want to download and run a program from the internet. (Say for example, I've just discovered that our core business requires that I can decode a certain type of file, or that we've just discovered we need a WAV editor or a video converter or something...)

Imagine that it comes as a Windows .exe file.

Handler on Duty believes that downloading and running that program should be prohibited, with severe consequences if I were to download and run the program. I would be blamed if it were to be a virus, spyware, or adware. Even if it was a reputable GPL project, some companies would turn purple-faced and declare that it mustn't run on the company computers.

Exactly how much use is such a policy? It seems that if you were to allow a manager such as he into your organisation, you simply wouldn't be able to obtain software to do your work. Assuming that IT department won't provide virtual-machines to test with, won't test programs for you, and has no access to the source-code of any of these programs (and don't have the resources to audit them even if source were available), if the virus-scanners can't detect viruses less than a day old, and assuming it takes days if not months (years, at any university) for the IT dept to certify a program as "safe to run", the answer presumably, is to force people not to do their work, or to use inadequate tools. (how many people have you seen using powerpoint to edit a picture because they can't download a real program?)

Just seems quite odd, this "despite our warnings not to run programs from the internet" stuff. Exactly how are you supposed to know that Win2KSP4 is ok, realplayer isn't ok, XMLedit is okay but XMLeditor isn't, RSSfeed is okay but the plugin formerly known as claria isn't, that the barney toolbar will crap on your PC but the google toolbar won't?

Either you need a whole big IT department to test all these programs on isolated networks, or you need to show people how to run a program as an unpriviledged username other than their own (and give permissions on their PC to allow this). Telling people not to run EXEs from the internet just isn't any use to anybody.

Re:It's easy to blame the users...

[Spoing]

1. So you think it is an exploit in some service that XP is running that allows it to wedge the DLL in there?

It has to be some service, otherwise there would be no way to have the files inserted on the machine.^ Put it this way; the trojan/malware/virus/... can't inject itself onto another computer. It needs to request that the target machine do something -- allowing the program/library/registry entry/... to be installed.

(The service being exploited might even be the admin drive share, though it's more likely some of the other less obvious ones.)

Bring up the services list to get a general idea of what is running or can be run (on demand). Keep in mind that the list is incomplete and disabling a service there might not really turn it off; verify that it is really off by running nmap and nessus against the target system.

Caution: Disabling a service does not mean your systems are more secure. Many services are only local and are not exposed to the rest of the network at all. While I suggest turning most of these off, the urgency is not as high and some of them are really necessary. Most of them are crap, though. This will be a lot of work, so take notes and look for things that break.

Another gotcha: When installing updates, the services you turned off before may be turned on again without warning. (Bet on it!)

1. ^. OK, it could be an application exploit (IE/Outlook/...) though for the the network wide plauges these are not as effective since they nearly always require people to do something to cause the exploit to be active. Only 1 machine with the exploit loaded needs to be on a network with access to others with the service enabled; no human interaction needed.

Point the finger at yourself

Blame your own policies, not your users. Users are not IT experts and will not be even with extensive training.

Restrict privileges. Don't allow anything that is not necessary...

Re:Point the finger at yourself

[Blakey+Rat]

Where I work we have 2 employees coping with 180 Windows desktops, 20 IBM Infoprint 21, 5 Infoprint 1120 printers, about 13 servers, and 2 OS/400 running Midranges. Oh yeah, and we're a medical facility so we are subject to HIPAA and our servers must be up 24/7 or it impacts patient-care.

We don't have the manpower to create policies on all our desktops. I know that everyone on Slashdot is going to declare that I'm incompetent, but I have no training on policies in Active Directory (I came here after managing Novell networks), and every time I start to read up on the subject, there's an emergency... someone's printer died, one of the servers is acting up, etc.

The place can't afford to hire anyone with sufficient Active Directory experience-- hell, they can barely afford to pay me. The Bonds and Levies run in this district have failed for almost the last decade.

What is your recommendation? What do I *do*?

I mean, saying that's the solution is one thing, but implementing it is another. We have some computers that need to be entirely locked-down (patient rooms), some that need to be almost entirely open (marketting and administrative), and tons that are somewhere in the middle.

Wrong approach

[cperciva]

...a grueling hunt for all the .exe's, reg entries and sources for a bot infection...

Wrong answer. If you have a compromised system, trying to clean it is (a) likely to be really difficult, and (b) not secure.

Wipe the system, reinstall, and recover from backups. (You do keep good backups, right?) It sounds pessimistic, but in most cases an attempt to "clean" a system is going to end up with you pulling out the OS reinstall disks anyway.

Re:Wrong approach

[tylernt]

... and when each of your users requires a different piece of software to do their job, and you don't have licensing to make all that software a part of the image, your users are going to have to reinstall stuff every time.

Ok, I retract my earlier statements. Re-imaging CAN work SOMETIMES in certain situations. :)

Modding

[StevenHenderson]

one of the sloppier Pirate2Pirate

There are really times when I wish you could mod a submission as "Flamebait."

Pirate to Pirate?-Piss to pot.

"Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks."

YEAH! Let's badmouth only the ones used to transport "pirated" material.

Is it just me...

[DeepHurtn!]

...or does this guy come across as a total ass? "Pirate2Pirate"? Blaming the users? I mean, isn't *he* paid to enable *them* to do their jobs, not the other way around? (Of course, the actual article is /.ed, so maybe it's just the summary that gives me that impression.)

Re:Is it just me...

[base3]

Just a typical power-tripping Network Nazi given adminstrator access to desktops and a $30K/year salary and thinks he's Jesus Christ reborn.

Re:Is it just me...

[Dark+Lord+Seth]

If I drive a car over a bridge, start swerving around for fun, then crash through the side guards and park said car next to a fresh-water lobster, would the goverment be responsible for failing to create a bridge that is capable of withstanding my driving?

If I install Kazaa, Comet Cursor, Internet Optimizer and surf porn all day long, would the IT department be responsible for the shit I create on the corporate network?

Re:Confirms my unease with P2P

[pashdown]

Learn from history. Government legislation against spam has done squat.

Re:It's easy to blame the users...Cake talk.

[mefus]

Funny how it's IT fault for not getting people to follow the rules (whatever happened to self-discipline?).

Self-Discipline can be overwhelmed by rules. If you tack on all the Computer Rules to all the other rules (on Harassment, on Job-Requirements, etc) you rely on someone to remember a long list of do's and don'ts.

But a healthy admin policy will restrict the user without requiring her to remember what's acceptable and what's not acceptable, and why, and all that.

Who gives diddly what you think about your screensaver. That doesn't help you do your work.

Re:Treat naive users like threats - don't forget

[Graemee]

Excellent. But don't forget to keep administrative control from the users and limited to the a few users.

Run security audits to make sure only the chosen few have administrator rights. This is for local PCs. Domain rights should even be more tightly controlled.

Keep AV defs updated daily. Report the numbers daily to check compliance.

Remove the ability to disable AV.

Check AV logs daily. Any report should be dispatched to a tech to "fix" the PC or determine what happened to the AV and take action accordingly.

Use group policies to ban known software, P2P & Hack/hacked tools. ( Not perfect but keeps the stupid honest)

Scan all email in & Out with AV & Spam Killer.
Be perpared to shut mail off if required to protect systems. This means you will nee to provide some user with a safe external email.

Keep your PCs patched on a regular basis. After testing on several test groups for issues.

Document your system & processes.

Inform & educate your users.

Happy to report the last big virus we had hit was Melissa. It made us retool the whole AV/Patch process and take these measures and more.

Re:vlans and other isolation tools are your friend

[Spoing]

1. It's simple enough to say - but what about when you are responsible for a corporate network of 400 users, and a remote WAN of over 30 sites, and 1000 users? And your Network operations department is comprised of you and a monkey sitting under your desk?

It's even more important. Do you want to chase problems every 5 minutes and waste your weekend? I don't!

1. With the massive number of companies 'downsizing' lately, I find it hilarious how so many of you recommend doing all this rearchitecture, when most of us in the Ops/IT field are already spending 70+ hours a week fighting fires.

Exactly my point!

Take one thing at a time, starting with your most troublesome group or servers. Don't grab the 300 client system nightmare first; look one server and see what it depends on. Are there 10 applications running on it? Is there a way to move one or a set of them of them off and isolated that?

If you're getting pecked to death by ducks, start by killing one duck at a time! (Or find a smaller group of ducks to kill at a new job.)

Don't let upper management know that you suceeding, though. They may want to get rid of the monkey.

Analogies...

[MunchMunch]

Yeah, except a network admin should be able to set privileges to disallow the installation of 3rd party software, and so on. And also, this is a private entity, so the public good part also fails. So your analogy should be more like:

"In a world where a private corporation could create a private bridge and set strict rules of usage for that bridge, would that private corporation be responsible for its own damages if its manager of Bridge Upkeep failed to set the readily available measures to prevent paid employees to swerve around for fun, crash through side guards and park said car next to a fresh-water lobster?"

Sounds more like this guy was just looking for an excuse to submit a story and use the term "pirate2pirate."

VLANs and Port to Port Security

[HermanAB]

Geez, any self respecting switch has some of those features - people should learn to use them to partition the network. On a Windoze office network, very few users need to talk to each other - most only need to talk to a server.

Re:It's easy to blame the users...Cake talk.

[BVis]

Yes it is IT's fault. They let users have privilages[sic] sufficient to install programs, leading to viruses.

Ok, then whose fault is this:

IT: We need to implement $securityrule.
CEO: No.
IT: But it will prevent $securityproblem.
CEO: No.
IT: ...

Or this:

IT: $User violated a security rule. They should be reprimanded.
CEO: No, we don't want to piss them off.
IT: But it was in the employee handbook, and they signed a statement saying they'd follow the rule.
CEO: Get back to work, shouldn't you have a microchip to renoberate or something?

If it were a buffer overflow in a JPEG I wouldn't blame IT.

You're in a very small minority of people who actually have a working knowledge of network security. Everyone else blames IT for everything from global warming to their coffee getting cold. The mantra is "Don't understand it? It's not important. Blame IT."

Originality

[Detritus]

That's because you don't make your living off creating original IP.

How much of the work is truly original? Most artists draw heavily upon a shared cultural heritage and public domain to create new works. It's a bit hypocritical to make use of that heritage and then scream "It's mine! All mine! Nobody else can ever look at it or listen to it without paying me for the privilege."

Re:Control your network.

[mabhatter654]

yep...that's the REAL WORLD!

Engineers expect to buy shiny new manufacturing equipment and just plug-n-play with the company network. EVERYTHING runs windows now...and adding security software often is unsupported and voids the warranty of million dollar machinery!!! Heck it's hard enough just keeping vendors of systems compliant with the particulars of YOUR MS licensing agreement.

the real problem is that MS has sold business managers the promise of "commodity" PCs...they should just run to the store and buy a few and that's good enough to have a stable reliable business... Of course MS turns around and tells US in IT that we need MCSEs [for the psulrty sum of $60K in education!] just to set up a windows machine...or you're not doing it right...that's why it doesn't work...yeah...whatever.

SO that leaves IT in the middle of marketing versus reality. The trouble is that most IT managers spend so much time troublshooting windows problems [some real, most imagined by users] they honestly don't touch computers when they're at home! So there's no time to learn Linux or any of the other alternatives... they aren't perfect so it looks like more of the same as MS....so nobody feels like changing over to ANOTHER new system. After all, in a company setting it seems like there's at least 2 projects a year that FORCE a multi-month upgrade process...hell, even the MS upgrades take weeks of trial and error with the company's software library before you can let real users on the new machines...There's no way anybody would move a new entire OS network in... MS says it's just too hard.

Re:vlans and other isolation tools are your friend

[gujo-odori]

Don't let upper management know that you succeeding, though. They may want to get rid of the monkey.

Is that "Don't let (upper) management know you're succeeding" as in "Go around replacing the operating systems on your company's servers without permission?"

I don't know of many faster ways to get fired. I don't know how it is in the shop where you work (if you work in IT or ever have) but in the shops where I worked, I did not own the servers or any of the other equipment. Neither did my boss. Those things were the property of the company, and even in shops where we had incredible leeway over what we did and how we did it, going around and replacing OSes with other ones required at least approval from the CTO. That was in the liberal places. In the conservative places, approval for such things may be higher than that. When customers depend on your systems operating, stability is job one and they aren't going to allow you to take a potentially de-stabilizing action without approval. Even if you succeed in every way, you may still be fired for acting without authorization.

Now, about this time, some of you might be saying "Well, if it's stability they want, they should get *nix in and Windows out as fast as possible."

While I couldn't agree (in principle) with that sentiment more, and am glad that in my present position in email security (I miss being an admin, but I sure don't miss carrying a pager!) I am grateful that I have sufficient leeway over my tools that my workstation is one of the handful on our network that is not running Windows (Ubuntu, a Debian-based distro. Quite nice; but I digress). However, the fact remains that in any properly run shop (yes, properly run, as hard as that may be for anyone with little or no experience - especially in big operations - to accept, have controls in place is the proper way to do things), permission is required to go around re-architecting major systems and replacing OSes.

In smaller networks, the decision may go no higher than the CTO, and if further approval is formally required, whatever the CTO asks for is rubber-stamped.

In larger shops, such things will typically require a general management decision, requiring the COO, the CEO, and often the CFO (and maybe others) to sign off on it. Why the CFO? These things cost money directly, and if there are failures, those cost money too. Especially if you have SLAs with your customers.

So yes, we may know a better way (and we do run our hundreds of servers on Linux, thank you), it's not enough to know a better way. If you want to change to it, you have to make the business case, present it professionally, and get approval and support for it. If you go ahead without following these steps, in most shops you're onto a good way to find yourself unemployed.