Slashdot Mirror


Curing a Corporate Virus Infection

museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

20 of 346 comments (clear)

  1. Pirate to Pirate? by Anonymous Coward · · Score: 5, Insightful

    Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks.

    1. Re:Pirate to Pirate? by Anonymous Coward · · Score: 4, Insightful

      It still is mostly a pirate to pirate network.

      It still is mostly used as a pirate to pirate network.

      Blame the users, not the network.

    2. Re:Pirate to Pirate? by glockenspieler · · Score: 5, Insightful

      That's because you don't make your living off creating original IP. Music, Movies, Games, Books, Etc.
      br> I'm a scientist. I create what you refer to as IP every day.

      Please. Please take the time to understand the issue from the point of view of the artists. And please be mature enough to realize that not all artists are rich spoiled musicians.

      I never said nor thought that they were all "rich spoiled musicians". Indeed, I would argue that small indendent creators have more to gain from a system of distribution that bypasses the typical middle men such as publishers and record labels. I have many friends that have had book or recording contracts. I think that I would have a hard time telling these individuals whose market is likely to be small for their output that they are better off with these publishers/labels than developing alternative distribution methods. P2P is one possible distribution method and one that does not obviously equate to taking the food from the mouth of creators children.

      Do you believe that anything that is not a solid object should be freely copied whenever someone wants?

      Nice attempt to distort my original point. No, of course I do not. Do you believe that the only and best way that creators can make a living is by allowing a small number of media companies control distribution and use of media?

      Have you really spent the time to think about what that would really mean?

      Yes. Have you?

    3. Re:Pirate to Pirate? by Calamormine · · Score: 5, Insightful

      Allow me to interject. I am a professional musician (no, you haven't heard of me) and when I write a song, or a piece of music, I am thrilled to see it end up on a P2P network. Frankly, I think it's a shame that it is so hard to be a musician without having to sign with a soulless record company who only wants the rights to your intellectual property. It would be nice if selling music were more like selling your house. If you don't want to use a gigantic record corp., you put the music out yourself! Now, how would you put the music out yourself? P2P? Brilliant! It's so easy to assume the moral high ground in jumping down P2P users throats, but it's actually a very useful thing to upcoming musicians. If people don't know you they can't like you, and most people are not going to go out and buy stacks of CDs from people they know nothing about. But people are going to do genre searches, and if they come across your stuff, they are going to be able to like it, and then if they like it, they will support it.

    4. Re:Pirate to Pirate? by Quarters · · Score: 5, Insightful
      So should I be saying "FU!" to the people that steal the games I work on or should I be saying "FU!" to myself for being such a whore that I want to have a house for myself and my wife, food on our table, clothes in our closet, and money with which to enjoy our lives?

      According to you I'm a horrible horrible person for not working my life away to let you have all the fun you want while I live in squalor. Gee, thanks. I don't understand how I completely misunderstood my place in life all these years! You, the one with no talents but a freely available file sharing program get everything while I, the educated, hard working person with a great idea and the means to produce it must be resigned to a life of crap.

      Do you enjoy going through live being a complete and total self-centered, cheap ass bastard?

  2. It's easy to blame the users... by Pig+Hogger · · Score: 4, Insightful
    It's easy to blame the users, but the ultimate responsibility always is the IT department, because it is responsible for security.

    And security always includes usage policies.

    1. Re:It's easy to blame the users... by SlamMan · · Score: 5, Insightful

      Plenty of don't have that option. When management says "no, of course users should be able to install software on the machines they use," the IT shop has a bit more of an added challenge.

      --
      Mod point free since 2001
    2. Re:It's easy to blame the users... by Spoing · · Score: 3, Insightful
      1. So you think it is an exploit in some service that XP is running that allows it to wedge the DLL in there?

      It has to be some service, otherwise there would be no way to have the files inserted on the machine.^ Put it this way; the trojan/malware/virus/... can't inject itself onto another computer. It needs to request that the target machine do something -- allowing the program/library/registry entry/... to be installed.

      (The service being exploited might even be the admin drive share, though it's more likely some of the other less obvious ones.)

      Bring up the services list to get a general idea of what is running or can be run (on demand). Keep in mind that the list is incomplete and disabling a service there might not really turn it off; verify that it is really off by running nmap and nessus against the target system.

      Caution: Disabling a service does not mean your systems are more secure. Many services are only local and are not exposed to the rest of the network at all. While I suggest turning most of these off, the urgency is not as high and some of them are really necessary. Most of them are crap, though. This will be a lot of work, so take notes and look for things that break.

      Another gotcha: When installing updates, the services you turned off before may be turned on again without warning. (Bet on it!)

      1. ^. OK, it could be an application exploit (IE/Outlook/...) though for the the network wide plauges these are not as effective since they nearly always require people to do something to cause the exploit to be active. Only 1 machine with the exploit loaded needs to be on a network with access to others with the service enabled; no human interaction needed.
      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. Point the finger at yourself by Anonymous Coward · · Score: 5, Insightful

    Blame your own policies, not your users. Users are not IT experts and will not be even with extensive training.

    Restrict privileges. Don't allow anything that is not necessary...

    1. Re:Point the finger at yourself by Blakey+Rat · · Score: 4, Insightful

      Where I work we have 2 employees coping with 180 Windows desktops, 20 IBM Infoprint 21, 5 Infoprint 1120 printers, about 13 servers, and 2 OS/400 running Midranges. Oh yeah, and we're a medical facility so we are subject to HIPAA and our servers must be up 24/7 or it impacts patient-care.

      We don't have the manpower to create policies on all our desktops. I know that everyone on Slashdot is going to declare that I'm incompetent, but I have no training on policies in Active Directory (I came here after managing Novell networks), and every time I start to read up on the subject, there's an emergency... someone's printer died, one of the servers is acting up, etc.

      The place can't afford to hire anyone with sufficient Active Directory experience-- hell, they can barely afford to pay me. The Bonds and Levies run in this district have failed for almost the last decade.

      What is your recommendation? What do I *do*?

      I mean, saying that's the solution is one thing, but implementing it is another. We have some computers that need to be entirely locked-down (patient rooms), some that need to be almost entirely open (marketting and administrative), and tons that are somewhere in the middle.

  4. Wrong approach by cperciva · · Score: 5, Insightful

    ...a grueling hunt for all the .exe's, reg entries and sources for a bot infection...

    Wrong answer. If you have a compromised system, trying to clean it is (a) likely to be really difficult, and (b) not secure.

    Wipe the system, reinstall, and recover from backups. (You do keep good backups, right?) It sounds pessimistic, but in most cases an attempt to "clean" a system is going to end up with you pulling out the OS reinstall disks anyway.

  5. Modding by StevenHenderson · · Score: 5, Insightful
    one of the sloppier Pirate2Pirate

    There are really times when I wish you could mod a submission as "Flamebait."

  6. Pirate to Pirate?-Piss to pot. by Anonymous Coward · · Score: 3, Insightful

    "Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks."

    YEAH! Let's badmouth only the ones used to transport "pirated" material.

  7. Is it just me... by DeepHurtn! · · Score: 4, Insightful

    ...or does this guy come across as a total ass? "Pirate2Pirate"? Blaming the users? I mean, isn't *he* paid to enable *them* to do their jobs, not the other way around? (Of course, the actual article is /.ed, so maybe it's just the summary that gives me that impression.)

    1. Re:Is it just me... by Dark+Lord+Seth · · Score: 4, Insightful

      If I drive a car over a bridge, start swerving around for fun, then crash through the side guards and park said car next to a fresh-water lobster, would the goverment be responsible for failing to create a bridge that is capable of withstanding my driving?

      If I install Kazaa, Comet Cursor, Internet Optimizer and surf porn all day long, would the IT department be responsible for the shit I create on the corporate network?

  8. Re:It's easy to blame the users...Cake talk. by mefus · · Score: 4, Insightful

    Funny how it's IT fault for not getting people to follow the rules (whatever happened to self-discipline?).

    Self-Discipline can be overwhelmed by rules. If you tack on all the Computer Rules to all the other rules (on Harassment, on Job-Requirements, etc) you rely on someone to remember a long list of do's and don'ts.

    But a healthy admin policy will restrict the user without requiring her to remember what's acceptable and what's not acceptable, and why, and all that.

    Who gives diddly what you think about your screensaver. That doesn't help you do your work.

    --
    mefus
    In Open Society, GPL Software frees YOU!
  9. Re:vlans and other isolation tools are your friend by Spoing · · Score: 3, Insightful
    1. It's simple enough to say - but what about when you are responsible for a corporate network of 400 users, and a remote WAN of over 30 sites, and 1000 users? And your Network operations department is comprised of you and a monkey sitting under your desk?

    It's even more important. Do you want to chase problems every 5 minutes and waste your weekend? I don't!

    1. With the massive number of companies 'downsizing' lately, I find it hilarious how so many of you recommend doing all this rearchitecture, when most of us in the Ops/IT field are already spending 70+ hours a week fighting fires.

    Exactly my point!

    Take one thing at a time, starting with your most troublesome group or servers. Don't grab the 300 client system nightmare first; look one server and see what it depends on. Are there 10 applications running on it? Is there a way to move one or a set of them of them off and isolated that?

    If you're getting pecked to death by ducks, start by killing one duck at a time! (Or find a smaller group of ducks to kill at a new job.)

    Don't let upper management know that you suceeding, though. They may want to get rid of the monkey.

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  10. Analogies... by MunchMunch · · Score: 4, Insightful
    Yeah, except a network admin should be able to set privileges to disallow the installation of 3rd party software, and so on. And also, this is a private entity, so the public good part also fails. So your analogy should be more like:

    "In a world where a private corporation could create a private bridge and set strict rules of usage for that bridge, would that private corporation be responsible for its own damages if its manager of Bridge Upkeep failed to set the readily available measures to prevent paid employees to swerve around for fun, crash through side guards and park said car next to a fresh-water lobster?"

    Sounds more like this guy was just looking for an excuse to submit a story and use the term "pirate2pirate."

  11. VLANs and Port to Port Security by HermanAB · · Score: 4, Insightful

    Geez, any self respecting switch has some of those features - people should learn to use them to partition the network. On a Windoze office network, very few users need to talk to each other - most only need to talk to a server.

    --
    Oh well, what the hell...
  12. Re:It's easy to blame the users...Cake talk. by BVis · · Score: 3, Insightful

    Yes it is IT's fault. They let users have privilages[sic] sufficient to install programs, leading to viruses.

    Ok, then whose fault is this:

    IT: We need to implement $securityrule.
    CEO: No.
    IT: But it will prevent $securityproblem.
    CEO: No.
    IT: ...

    Or this:

    IT: $User violated a security rule. They should be reprimanded.
    CEO: No, we don't want to piss them off.
    IT: But it was in the employee handbook, and they signed a statement saying they'd follow the rule.
    CEO: Get back to work, shouldn't you have a microchip to renoberate or something?

    If it were a buffer overflow in a JPEG I wouldn't blame IT.

    You're in a very small minority of people who actually have a working knowledge of network security. Everyone else blames IT for everything from global warming to their coffee getting cold. The mantra is "Don't understand it? It's not important. Blame IT."

    --
    Never underestimate the power of stupid people in large groups.