Curing a Corporate Virus Infection
museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."
$ su -
# uname
Linux
# iptables -P INPUT -j DENY
# iptables -A INPUT -m state --state=ESTABLISHED,RELATED -j ACCEPT
# exit
$
I want to delete my account but Slashdot doesn't allow it.
[disclaimer: i work for a major fortune 500 company with a large, 50+ distributed node WAN]
Everytime there's a big ass Windows vulnerabilty, there are security emails and IT manager emails basically saying "heads up, check your shit." But let's say somebody doesnt check his shit, and a site ends up infected. The WAN group watches the network, especially during times like this, and nodes are just dropped off routing from the rest of the network until they get their act back together.
I realize the article is talking more about the pains of these nasty new infections that mutilate machines, but the old saying works -- a good offense is a great defense. Assign local managers responsibility for the server boxen at their node, he/she should be keeping the machines patched, but when that fails, close the node off the network before it can damage anywhere else.
Of course the major server boxen have their own layer of network between them and the rest of the WAN, so they can be isolated if the worm is already rampant on the network. Doesn't hurt to access list transmission ports, either, icmp, tftp, foo...
Its easy for admins to blame users.
Users probably broke some internal rule about not installing external software and are certianly not blameless, but the ultimate job and responsibility of admins is to administrate. The admins let them have the right to install programs and seemingly didn't enforce/check logs to see what users had been installing.
--
Slashdot: Racism against Indians OK. China bad, USA good. Blue pill in water supply.
- Running Windows
- Not using total security throughout the network.
- Allowing Users to download any tool that they want
- I will bet that they allow CD/floppy downloads.
- Probably allow Outlook (and in an insecure fashion).
And the Blame goes to:p2p software??????
Our society really suffers from a lack of taking blame.
Anybody who runs MS should know that it takes a lot of effort and money to truely lock it down. As such they should do so. It is simply part of the total cost of running a Windows system.
I prefer the "u" in honour as it seems to be missing these days.
We actually lock down our Windows XP machines pretty hard, yet for some reason a virus is capable of installing DLLs into the system folder on a non-priveleged account.
We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.
Ok, I'm going to go off on a rant here.
I'm bloody well sick and tired of the piracy argument. The most succint argument about the permission culture that we are moving towards is put by Lessig in "Free Culture". We have this view that because something has value, that it equates to right. Look, if i bloody well want to share files, it is not obvious that I am "stealing" from anyone.
Example: When photography first became relatively widespread, it was not clear whether someone was in their right to take pictures of people or buildings without permission. Afterall, the photographer might be getting something of value, so perhaps they should ask permission. Now, ask yourself, what would the culture be like right now if whenever you wanted to take some vacation photos, you need to get permission? Jeez, Kodak would have been just like Napster, just aiding people trying to steal other people's value.
Remember, treating sharing as stealing someone's property is *one* system for treating intellectual property but it ain't the only one and it sure as hell ain't the one that the US has had for at least its first 180 years.
Piracy? Bloody well pisses me off whenever someone uses that term!
The problem with this is that most applications for Windows don't consider the "multi-user" environment. There are a lot of apps that simply don't work well when it's not run by an Administrator account. Take for example Office 2000. I've installed this before on a Windows 2000 machine. When I run it as an Administrator, there is no problem. When I run it as a User account, it keeps asking me to insert the Office 2000 CD because there are missing components. WTF? Granted I installed it with only the features I need, but why the hell should it ask for the CD in the User account and not the Administrator account?
Another case... I used to program for a corporate environment. I was the only one who programs with conditions as to who is running the software, so I could save their data into their respective "Documents and Settings" folder, under Application Data. The rest of the developers don't care. I even set the installer to make sure only an Administrator account can install (using InnoSetup, great software).
So who's to blame? Users for running as Administrator (because they have no choice a lot of times)? Developers for not developing with multi-user environment consideration? Or Microsoft, for "hacking" Windows to become a horrible multi-user environment?