Curing a Corporate Virus Infection
museumpeace writes "Over at Internet Storm Center, Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60-server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools, was the original source of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."
Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks.
And security always includes usage policies.
Blame your own policies, not your users. Users are not IT experts and will not be even with extensive training.
Restrict privileges. Don't allow anything that is not necessary...
...a grueling hunt for all the .exe's, reg entries and sources for a bot infection...
Wrong answer. If you have a compromised system, trying to clean it is (a) likely to be really difficult, and (b) not secure.
Wipe the system, reinstall, and recover from backups. (You do keep good backups, right?) It sounds pessimistic, but in most cases an attempt to "clean" a system is going to end up with you pulling out the OS reinstall disks anyway.
Tarsnap: Online backups for the truly paranoid
There are really times when I wish you could mod a submission as "Flamebait."
"Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks."
YEAH! Let's badmouth only the ones used to transport "pirated" material.
...or does this guy come across as a total ass? "Pirate2Pirate"? Blaming the users? I mean, isn't *he* paid to enable *them* to do their jobs, not the other way around? (Of course, the actual article is /.ed, so maybe it's just the summary that gives me that impression.)
Funny how it's IT fault for not getting people to follow the rules (whatever happened to self-discipline?).
Self-Discipline can be overwhelmed by rules. If you tack on all the Computer Rules to all the other rules (on Harassment, on Job-Requirements, etc) you rely on someone to remember a long list of do's and don'ts.
But a healthy admin policy will restrict the user without requiring her to remember what's acceptable and what's not acceptable, and why, and all that.
Who gives diddly what you think about your screensaver. That doesn't help you do your work.
mefus
In Open Society, GPL Software frees YOU!
It's even more important. Do you want to chase problems every 5 minutes and waste your weekend? I don't!
Exactly my point!
Take one thing at a time, starting with your most troublesome group or servers. Don't grab the 300-client system nightmare first; look at one server and see what it depends on. Are there 10 applications running on it? Is there a way to move one or a set of them off and isolate that?
If you're getting pecked to death by ducks, start by killing one duck at a time! (Or find a smaller group of ducks to kill at a new job.)
Don't let upper management know that you're succeeding, though. They may want to get rid of the monkey.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
"In a world where a private corporation could create a private bridge and set strict rules of usage for that bridge, would that private corporation be responsible for its own damages if its manager of Bridge Upkeep failed to set the readily available measures to prevent paid employees to swerve around for fun, crash through side guards and park said car next to a fresh-water lobster?"
Sounds more like this guy was just looking for an excuse to submit a story and use the term "pirate2pirate."
Geez, any self-respecting switch has some of those features; people should learn to use them to partition the network. On a Windoze office network, very few users need to talk to each other; most only need to talk to a server.
Oh well, what the hell...
Yes it is IT's fault. They let users have privilages[sic] sufficient to install programs, leading to viruses.
...
Ok, then whose fault is this:
IT: We need to implement $securityrule.
CEO: No.
IT: But it will prevent $securityproblem.
CEO: No.
IT:
Or this:
IT: $User violated a security rule. They should be reprimanded.
CEO: No, we don't want to piss them off.
IT: But it was in the employee handbook, and they signed a statement saying they'd follow the rule.
CEO: Get back to work, shouldn't you have a microchip to renoberate or something?
If it were a buffer overflow in a JPEG I wouldn't blame IT.
You're in a very small minority of people who actually have a working knowledge of network security. Everyone else blames IT for everything from global warming to their coffee getting cold. The mantra is "Don't understand it? It's not important. Blame IT."
Never underestimate the power of stupid people in large groups.