Curing a Corporate Virus Infection
museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools, was the original source of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."
$ su -
# uname
Linux
# iptables -P INPUT DROP
# iptables -A INPUT -m state --state=ESTABLISHED,RELATED -j ACCEPT
# exit
$
I want to delete my account but Slashdot doesn't allow it.
[disclaimer: I work for a major fortune 500 company with a large, 50+ distributed node WAN]
Every time there's a big ass Windows vulnerability, there are security emails and IT manager emails basically saying "heads up, check your shit." But let's say somebody doesn't check his shit, and a site ends up infected. The WAN group watches the network, especially during times like this, and nodes are just dropped off routing from the rest of the network until they get their act back together.
I realize the article is talking more about the pains of these nasty new infections that mutilate machines, but the old saying works -- a good offense is a great defense. Assign local managers responsibility for the server boxen at their node, he/she should be keeping the machines patched, but when that fails, close the node off the network before it can damage anywhere else.
Of course the major server boxen have their own layer of network between them and the rest of the WAN, so they can be isolated if the worm is already rampant on the network. Doesn't hurt to access list transmission ports, either, icmp, tftp, foo...
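An added example (not code from the thread or the ISC diary) of the kind of watching the WAN group above does: it tallies per-host destination and port fan-out over constructed firewall log lines and renders the gateway drop rule for any host that exceeds a threshold; the log format, the thresholds and the rule form are assumptions.

```python
import re
from collections import defaultdict

# Constructed iptables-style LOG lines (sample data, not from the thread).
# 10.1.5.23 behaves like a normal workstation; 10.1.5.40 fans out to many
# hosts and ports the way a P2P client or bot would.
SAMPLE_LOG = """\
Sep 25 10:00:01 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.10 PROTO=TCP SPT=3344 DPT=80
Sep 25 10:00:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.23 DST=203.0.113.11 PROTO=TCP SPT=3345 DPT=443
Sep 25 10:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=6346
Sep 25 10:00:03 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=198.51.100.9 PROTO=UDP SPT=1026 DPT=6347
Sep 25 10:00:04 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=198.51.100.77 PROTO=TCP SPT=1027 DPT=4662
Sep 25 10:00:04 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=203.0.113.200 PROTO=TCP SPT=1028 DPT=1214
Sep 25 10:00:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=192.0.2.33 PROTO=UDP SPT=1029 DPT=59049
Sep 25 10:00:05 gw kernel: IN=eth1 OUT=eth0 SRC=10.1.5.40 DST=192.0.2.88 PROTO=TCP SPT=1030 DPT=6881
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")
NEEDED = {"SRC", "DST", "PROTO", "DPT"}

def fanout_by_host(log_text):
    """Map each source host to (distinct proto/port pairs, distinct destinations)."""
    ports = defaultdict(set)
    dsts = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if not NEEDED <= set(fields):
            continue  # not a connection record, skip it
        ports[fields["SRC"]].add((fields["PROTO"], fields["DPT"]))
        dsts[fields["SRC"]].add(fields["DST"])
    return {src: (len(ports[src]), len(dsts[src])) for src in ports}

def suspect_hosts(log_text, port_threshold=5, dst_threshold=5):
    """Hosts whose fan-out exceeds both thresholds: candidates for isolation."""
    stats = fanout_by_host(log_text)
    return sorted(src for src, (p, d) in stats.items()
                  if p >= port_threshold and d >= dst_threshold)

def quarantine_rules(hosts):
    """Render the (hypothetical) gateway drop rule an operator would apply."""
    return [f"iptables -I FORWARD -s {h} -j DROP" for h in hosts]

if __name__ == "__main__":
    for host in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: fan-out {fanout_by_host(SAMPLE_LOG)[host]}")
        print("\n".join(quarantine_rules([host])))
```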
It's easy for admins to blame users.
Users probably broke some internal rule about not installing external software and are certainly not blameless, but the ultimate job and responsibility of admins is to administrate. The admins let them have the right to install programs and seemingly didn't enforce/check logs to see what users had been installing.
--
Slashdot: Racism against Indians OK. China bad, USA good. Blue pill in water supply.
It took more than a week to fix. Basically IT took everything down and cleansed each individual computer before it was allowed to be back on the network ... except of course for the linux boxen and even they were affected by the lack of servers.
Since I have great respect for our IT guys (they are really scrupulous about permissions and patches), it was a sobering experience.
Good suggestion.
He also brings up that he couldn't find the file in DOS.. guess he doesn't know dir/a. Sounds like the admin should have had all file sharing blocked, we know that will break some windows apps. And the firewall probably needs more ports blocked.
Something that was not brought up. Were all users part of power users or administrators? Did they have local admin rights? If you don't want users installing software do not give them access to.
Another thing. hummmmm trusted computer network. It was able to spread because it had one user's ID and password, wonder what would have happened if it was changed. Of course all users should have to change their password now. They have been compromised.
Which brings me to my favorite quote as of late. I don't know who coined it.
"I rooted your girlfriend's box and didn't use a trojan."
- Running Windows
- Not using total security throughout the network.
- Allowing Users to download any tool that they want
- I will bet that they allow CD/floppy downloads.
- Probably allow Outlook (and in an insecure fashion).
And the blame goes to: p2p software??????
Our society really suffers from a lack of taking blame.
Anybody who runs MS should know that it takes a lot of effort and money to truly lock it down. As such they should do so. It is simply part of the total cost of running a Windows system.
I prefer the "u" in honour as it seems to be missing these days.
1)the network was created FOR the users
2)the network enables the piracy.
Any "legitimate" use (which is dubious, at best) of gnutella is so low (I'd be surprised if it was above 5% of gnutella, etc traffic) as to not justify the rampant sharing of unauthorised copies of private works.
The *AA is completely right in going after these networks; in fact they should be focused on that, instead of on changing our legal system to eliminate truly legitimate fair use.
Yes it is IT's fault. They let users have privileges sufficient to install programs, leading to viruses. If it were a buffer overflow in a JPEG I wouldn't blame IT.
Rules are clearly stated - enforce them or if you want to let users have more freedoms then keep and monitor detailed logs on what they do with these 'rights'.
You seem to demonstrate an immature attitude and lack of respect for users - if you are an admin you are employed because you are a specialist and it is better for you to be the single point of expertise for that task - just like you couldn't calculate the accounts for a company I doubt the finance staff would be so patronising as saying "waaa, the accountant says I can't have 3 21" LCDs, waaa, the CEO says I can't take 5 months paid leave a year".
That depends on how you define best.
Most files available? Fastest downloading? Nicest looking interface?
Just because a p2p network is efficient and easy to use, and therefore insecure, doesn't mean it's the best
Limit access to the application/web server level at the router. Isolate workstations so that they can each see the file servers but not all other systems. If someone needs direct access to servers, they should have a real good reason (or it should be obvious; admins, developers.).
Keep in mind that I'm not suggesting that the limits be so strict that people are annoyed and attempt to break or ignore security. They should be well organized, though, and monitored. Reasonable exceptions should be made immediately, and unreasonable exceptions should be granted quickly with an eye to isolating the damage of that exception as much as possible.
A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
We actually lock down our Windows XP machines pretty hard, yet for some reason a virus is capable of installing DLLs into the system folder on a non-privileged account.
We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.
Ok, I'm going to go off on a rant here.
I'm bloody well sick and tired of the piracy argument. The most succinct argument about the permission culture that we are moving towards is put by Lessig in "Free Culture". We have this view that because something has value, that it equates to right. Look, if I bloody well want to share files, it is not obvious that I am "stealing" from anyone.
Example: When photography first became relatively widespread, it was not clear whether someone was in their right to take pictures of people or buildings without permission. After all, the photographer might be getting something of value, so perhaps they should ask permission. Now, ask yourself, what would the culture be like right now if whenever you wanted to take some vacation photos, you need to get permission? Jeez, Kodak would have been just like Napster, just aiding people trying to steal other people's value.
Remember, treating sharing as stealing someone's property is *one* system for treating intellectual property but it ain't the only one and it sure as hell ain't the one that the US has had for at least its first 180 years.
Piracy? Bloody well pisses me off whenever someone uses that term!
Admittedly, we had a different situation there. (Shared webservers with 400+ customers per machine, so it's totally unacceptable to take them offline for five hours while restoring 40GB of data over a 100Mb/s connection.)
At which point, management has taken on that responsibility. They've looked at the options and said no, it's not important.
When something goes wrong, they surely deserve the blame.
-- Note: If you don't agree with me, don't bother replying. I won't read it.
That's because you don't make your living off creating original IP. Music, Movies, Games, Books, Etc.
Please. Please take the time to understand the issue from the point of view of the artists. And please be mature enough to realize that not all artists are rich spoiled musicians.
If I create something and people use it without compensating me for my hard work and talent, then that is wrong (assuming I am asking for something in return). Maybe it's not "stealing", but it is not fair and it is wrong.
Do you believe that anything that is not a solid object should be freely copied whenever someone wants? Honestly? Have you really spent the time to think about what that would really mean?
What do you do for a living?
yeah, yeah, I'm sorry, you're sorry, everybody's sorry... quit blaming your users. that aside, I think this article is a little more proof that anti-virus programs like norton, are ineffective these days. the way they function needs to be re-thought badly. I hope to see the cost of devices like this one come down to more consumer friendly levels in the future. anyone have any ideas on how anti-virus can be improved?
scott king
The problem with this is that most applications for Windows don't consider the "multi-user" environment. There are a lot of apps that simply don't work well when it's not run by an Administrator account. Take for example Office 2000. I've installed this before on a Windows 2000 machine. When I run it as an Administrator, there is no problem. When I run it as a User account, it keeps asking me to insert the Office 2000 CD because there are missing components. WTF? Granted I installed it with only the features I need, but why the hell should it ask for the CD in the User account and not the Administrator account?
Another case... I used to program for a corporate environment. I was the only one who programs with conditions as to who is running the software, so I could save their data into their respective "Documents and Settings" folder, under Application Data. The rest of the developers don't care. I even set the installer to make sure only an Administrator account can install (using InnoSetup, great software).
So who's to blame? Users for running as Administrator (because they have no choice a lot of times)? Developers for not developing with multi-user environment consideration? Or Microsoft, for "hacking" Windows to become a horrible multi-user environment?
There's a lot of corporations that refuse to report a breach in security. Simply for the reasoning that people will bail out like rats, leaving the company with little to no customer base. I suspect there's an amount of identity theft involved with the whole sordid affair, and that quite a few people make the mistake of signing up with those companies.
One day, some kid working on his thesis paper will compile a list of the IDT (IDentity Theft) victims, and there will be a nasty little coincidence...
"If I create something and people use it without compensating me for my hard work and talent, then that is wrong."
Bullshit.
There is nothing in the theory of property or the history and evolution of the human species and economic social behavior which supports this notion.
Nothing.
Period.
As for "copying anything not a solid object", what the fuck do you think people are going to do when nanotech allows you to copy ANYTHING - including solid objects?
There is no such thing as "intellectual property" - except the one situation where I know something you don't and I sell that information to you - ONE TIME. After that, it is no longer "intellectual property" and becomes "general knowledge" (unless of course you keep it a secret, too - then you become a competitor.)
And in addition, your argument is bullshit because there is nothing in economic theory that says you HAVE to be compensated for anything, OR that you have to be "properly" compensated. All economic theory says is that you can trade something for something else. It does not say you have to be repeatedly compensated for the same item, nor does it say that you have to make a living from that compensation, nor does it say anything about replication and distribution by anyone else.
Nor does economic theory say anything about "fair". "Fair" is a value judgement and has nothing to do with economics. Economics measures "value" based on action - if you do it, you thought it was in your interest to do it, so that was the "value" you placed on it.
Anything else is moralistic bullshit.
If you produce a product which is easily reproducible and distributable, you'd better find a way to make your money up front or all at once, because in the real world - not the world of lawyers and politicians - in the real world of technology, the "value" of your product is going to go to near (but never absolute) zero very quickly. The way you deal with that is to be creative in your marketing - not by whining and passing laws and attempting to coerce people into giving you money for something which has MUCH less "value" than you think it does.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
...because it verges on flamebait for responses that will not be entirely on topic [I thought the /. gods did a good thing recategorizing the story as IT] but the sparks have been kind of flying and I do enjoy fireworks. The sad truth is that there are valid points being made by both Calamormine and Quaters. Consider how some small time software developers try to make a living with shareware or the "free" trial version that, if you like it but want all the bells and whistles, you have to pony up 59.95 to get a license key [and of course, those poor guys are at the mercy of people who pass around key-gen programs]. Point being that products that benefit from word-of-keyboard marketing CAN take advantage of pervasive sharing. You could learn a lot from reading Dan Bricklin's article on how the right license can make or break a small company's fortunes.
BTW, my oldest son is a fairly creative musician but though he still spends hours per day composing or improvising, has chosen to study molecular biology, abandoning an idea he had in high school to put his compositions up on his web site. Why? When he comes home from college, I unplug the rest of our computers from the cable modem, he plugs his laptop in so he can keep picking "stuff" up with Ares. I let him have a nice wallow in the information sewer highway and point out the keylog files on his hard drive at the end of his visit. Within a few days the weird protocol/port combinations bouncing off my firewall drop down to normal levels. Why? You have to ask someone his age I guess.
I can't tell you how fervently I wish I could make a living in a cabin off the grid with a few hot PCs and a solar powered satellite dish serving up fairly priced tricks and treats you all would not mind paying to have on your computers but I can't think of any way to protect it. I have resigned myself to working in a soulless megacorp, writing software I can't tell anyone about because megacorps have the means to get customers by the short hairs and hang on.
SLASHDOT: news for people who can't concentrate on work or have no life at all and got tired of yelling back at the TV.
Really? I have a hobby business, and I sell music and books - pretty much flogging licences to IP. I don't exploit the creators of the IP, in fact, pretty much everything I sell comes straight from the author or artist, with them getting a reasonable cut of the profits. These are the people that "sharing" is supposed to help, but in reality, it doesn't really work out for them. They sure need the money more than RHCP or Stephen King does - so each individual sale lost to piracy hurts like hell. It doesn't help me either, because the money that I spend promoting these wares, and developing the infrastructure to sell/distribute the materials is also lost when some pimply kid decides he'd rather "share" the music than pay for it. I'm all for using new technology to distribute material, cut out the middlemen, and get artists an equitable share for their work. But if you want something, even IP, you have to pay for it, and no amount of feel-good "sharing" arguments are going to change that. Piracy isn't just hurting the big record company executives, it's hurting everyone else down the chain as well.