Slashdot Mirror


Curing a Corporate Virus Infection

museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original source of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

29 of 346 comments

  1. Pirate to Pirate? by Anonymous Coward · · Score: 5, Insightful

    Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks.

    1. Re:Pirate to Pirate? by Anonymous Coward · · Score: 4, Insightful

      It still is mostly a pirate to pirate network.

      It still is mostly used as a pirate to pirate network.

      Blame the users, not the network.

    2. Re:Pirate to Pirate? by glockenspieler · · Score: 5, Interesting

      Ok, I'm going to go off on a rant here.

      I'm bloody well sick and tired of the piracy argument. The most succinct argument about the permission culture that we are moving towards is put by Lessig in "Free Culture". We have this view that because something has value, that it equates to right. Look, if I bloody well want to share files, it is not obvious that I am "stealing" from anyone.

      Example: When photography first became relatively widespread, it was not clear whether someone was in their right to take pictures of people or buildings without permission. After all, the photographer might be getting something of value, so perhaps they should ask permission. Now, ask yourself, what would the culture be like right now if whenever you wanted to take some vacation photos, you need to get permission? Jeez, Kodak would have been just like Napster, just aiding people trying to steal other people's value.

      Remember, treating sharing as stealing someone's property is *one* system for treating intellectual property but it ain't the only one and it sure as hell ain't the one that the US has had for at least its first 180 years.

      Piracy? Bloody well pisses me off whenever someone uses that term!

    3. Re:Pirate to Pirate? by glockenspieler · · Score: 5, Insightful

      That's because you don't make your living off creating original IP. Music, Movies, Games, Books, Etc.

      I'm a scientist. I create what you refer to as IP every day.

      Please. Please take the time to understand the issue from the point of view of the artists. And please be mature enough to realize that not all artists are rich spoiled musicians.

      I never said nor thought that they were all "rich spoiled musicians". Indeed, I would argue that small independent creators have more to gain from a system of distribution that bypasses the typical middle men such as publishers and record labels. I have many friends that have had book or recording contracts. I think that I would have a hard time telling these individuals whose market is likely to be small for their output that they are better off with these publishers/labels than developing alternative distribution methods. P2P is one possible distribution method and one that does not obviously equate to taking the food from the mouths of creators' children.

      Do you believe that anything that is not a solid object should be freely copied whenever someone wants?

      Nice attempt to distort my original point. No, of course I do not. Do you believe that the only and best way that creators can make a living is by allowing a small number of media companies control distribution and use of media?

      Have you really spent the time to think about what that would really mean?

      Yes. Have you?

    4. Re:Pirate to Pirate? by Calamormine · · Score: 5, Insightful

      Allow me to interject. I am a professional musician (no, you haven't heard of me) and when I write a song, or a piece of music, I am thrilled to see it end up on a P2P network. Frankly, I think it's a shame that it is so hard to be a musician without having to sign with a soulless record company who only wants the rights to your intellectual property. It would be nice if selling music were more like selling your house. If you don't want to use a gigantic record corp., you put the music out yourself! Now, how would you put the music out yourself? P2P? Brilliant! It's so easy to assume the moral high ground in jumping down P2P users' throats, but it's actually a very useful thing to upcoming musicians. If people don't know you they can't like you, and most people are not going to go out and buy stacks of CDs from people they know nothing about. But people are going to do genre searches, and if they come across your stuff, they are going to be able to like it, and then if they like it, they will support it.

    5. Re:Pirate to Pirate? by Quarters · · Score: 5, Insightful
      So should I be saying "FU!" to the people that steal the games I work on or should I be saying "FU!" to myself for being such a whore that I want to have a house for myself and my wife, food on our table, clothes in our closet, and money with which to enjoy our lives?

      According to you I'm a horrible horrible person for not working my life away to let you have all the fun you want while I live in squalor. Gee, thanks. I don't understand how I completely misunderstood my place in life all these years! You, the one with no talents but a freely available file sharing program get everything while I, the educated, hard working person with a great idea and the means to produce it must be resigned to a life of crap.

      Do you enjoy going through life being a complete and total self-centered, cheap ass bastard?

  2. It's easy to blame the users... by Pig+Hogger · · Score: 4, Insightful
    It's easy to blame the users, but the ultimate responsibility always lies with the IT department, because it is responsible for security.

    And security always includes usage policies.

    1. Re:It's easy to blame the users... by Misinformed · · Score: 4, Interesting

      It's easy for admins to blame users.

      Users probably broke some internal rule about not installing external software and are certainly not blameless, but the ultimate job and responsibility of admins is to administrate. The admins let them have the right to install programs and seemingly didn't enforce/check logs to see what users had been installing.

      --
      Slashdot: Racism against Indians OK. China bad, USA good. Blue pill in water supply.
    2. Re:It's easy to blame the users... by SlamMan · · Score: 5, Insightful

      Plenty of us don't have that option. When management says "no, of course users should be able to install software on the machines they use," the IT shop has a bit more of an added challenge.

      --
      Mod point free since 2001
    3. Re:It's easy to blame the users... by superpulpsicle · · Score: 5, Informative

      Just go back to the classic-server rule of thumb.

      1.) Desktop machines can use windows

      2.) Servers must be unix based.

      The user can corrupt the hell out of their hard disk, and they have only themselves to blame.

    4. Re:It's easy to blame the users... by mrseigen · · Score: 5, Interesting

      We actually lock down our Windows XP machines pretty hard, yet for some reason a virus is capable of installing DLLs into the system folder on a non-privileged account.

      We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

    5. Re:It's easy to blame the users... by Spoing · · Score: 5, Informative
      We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

      If the services that the viruses are using aren't enabled, they can't be exploited.

      Here's one way to deal with this...

      Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2 system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would lose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.

      Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  3. Doesn't happen here by Gothmolly · · Score: 4, Interesting

    $ su -

    # uname
    Linux

    # iptables -P INPUT DROP
    # iptables -A INPUT -i lo -j ACCEPT
    # iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # exit
    $

    --
    I want to delete my account but Slashdot doesn't allow it.
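    The default-deny host firewall sketched in the session above, written out as a script whose rule set can be reviewed before it is loaded. This is an added example, not code from the original comment; it assumes a Linux host with iptables-restore available, and the port arguments and the --apply flag are conventions of this example only.

    ```shell
    #!/bin/sh
    # Added example: generate a default-deny inbound ruleset in iptables-restore
    # format. Nothing is applied unless the script is run as root with --apply.

    # build_rules PORT...  -- emit the ruleset on stdout. Every argument is a TCP
    # port that should stay reachable; everything else inbound hits the DROP
    # policy. Loopback and reply traffic are accepted explicitly, because a bare
    # DROP policy (the equivalent of the "-P INPUT" line above) would cut those too.
    build_rules() {
        printf '%s\n' '*filter'
        printf '%s\n' ':INPUT DROP [0:0]'       # policy takes a target, no -j, and
        printf '%s\n' ':FORWARD DROP [0:0]'     # the target is DROP (DENY is not one)
        printf '%s\n' ':OUTPUT ACCEPT [0:0]'
        printf '%s\n' '-A INPUT -i lo -j ACCEPT'
        printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
        for port in "$@"; do
            # Refuse anything that is not a number in 1..65535 rather than
            # emitting a rule iptables-restore would reject halfway through.
            case "$port" in
                ''|*[!0-9]*) echo "build_rules: bad port '$port'" >&2; return 1 ;;
            esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "build_rules: port out of range '$port'" >&2; return 1
            fi
            printf '%s\n' "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
        done
        printf '%s\n' 'COMMIT'
    }

    # count_open_ports PORT...  -- how many inbound TCP ports the generated
    # ruleset opens; a quick self-check that the policy is as tight as intended.
    count_open_ports() {
        build_rules "$@" | grep -c -- '--dport' || true
    }

    # Default action is to print the ruleset for review. With --apply as the
    # first argument (and root privileges) the ruleset is loaded atomically.
    main() {
        if [ "${1:-}" = "--apply" ]; then
            shift
            [ "$(id -u)" -eq 0 ] || { echo "must be root to apply" >&2; exit 1; }
            build_rules "$@" | iptables-restore
        else
            build_rules "$@"
        fi
    }

    main "$@"
    ```

    Run it as `sh firewall.sh 22 443` to see the rules, then `sh firewall.sh --apply 22 443` as root to load them. Using iptables-restore loads the whole table in one operation, so there is no window where the policy is DROP but the loopback and ESTABLISHED rules are not yet in place, which is what a line-by-line `iptables -P` followed by `iptables -A` leaves open on a remote box.
    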
  4. Protected Ports by Anonymous Coward · · Score: 5, Informative

    If you can use the 'protected port' option on e.g. cisco switches, TURN IT ON.

    Essentially, it prevents the indicated ports on the switch from communicating with other ports that also have that protection set. Unless you have sloppy shared directories or some reason for the actual PCs to talk directly to each other, it won't harm anything and will prevent the viruses from spreading pc-to-pc once (not when) they get in.

  5. Control your network. by JasonUCF · · Score: 5, Interesting

    [disclaimer: i work for a major fortune 500 company with a large, 50+ distributed node WAN]

    Every time there's a big ass Windows vulnerability, there are security emails and IT manager emails basically saying "heads up, check your shit." But let's say somebody doesn't check his shit, and a site ends up infected. The WAN group watches the network, especially during times like this, and nodes are just dropped off routing from the rest of the network until they get their act back together.

    I realize the article is talking more about the pains of these nasty new infections that mutilate machines, but the old saying works -- a good offense is a great defense. Assign local managers responsibility for the server boxen at their node, he/she should be keeping the machines patched, but when that fails, close the node off the network before it can damage anywhere else.

    Of course the major server boxen have their own layer of network between them and the rest of the WAN, so they can be isolated if the worm is already rampant on the network. Doesn't hurt to access list transmission ports, either, icmp, tftp, foo...

  6. Point the finger at yourself by Anonymous Coward · · Score: 5, Insightful

    Blame your own policies, not your users. Users are not IT experts and will not be even with extensive training.

    Restrict privileges. Don't allow anything that is not necessary...

    1. Re:Point the finger at yourself by Blakey+Rat · · Score: 4, Insightful

      Where I work we have 2 employees coping with 180 Windows desktops, 20 IBM Infoprint 21, 5 Infoprint 1120 printers, about 13 servers, and 2 OS/400 running Midranges. Oh yeah, and we're a medical facility so we are subject to HIPAA and our servers must be up 24/7 or it impacts patient-care.

      We don't have the manpower to create policies on all our desktops. I know that everyone on Slashdot is going to declare that I'm incompetent, but I have no training on policies in Active Directory (I came here after managing Novell networks), and every time I start to read up on the subject, there's an emergency... someone's printer died, one of the servers is acting up, etc.

      The place can't afford to hire anyone with sufficient Active Directory experience-- hell, they can barely afford to pay me. The Bonds and Levies run in this district have failed for almost the last decade.

      What is your recommendation? What do I *do*?

      I mean, saying that's the solution is one thing, but implementing it is another. We have some computers that need to be entirely locked-down (patient rooms), some that need to be almost entirely open (marketing and administrative), and tons that are somewhere in the middle.

  7. Wrong approach by cperciva · · Score: 5, Insightful

    ...a grueling hunt for all the .exe's, reg entries and sources for a bot infection...

    Wrong answer. If you have a compromised system, trying to clean it is (a) likely to be really difficult, and (b) not secure.

    Wipe the system, reinstall, and recover from backups. (You do keep good backups, right?) It sounds pessimistic, but in most cases an attempt to "clean" a system is going to end up with you pulling out the OS reinstall disks anyway.

  8. Modding by StevenHenderson · · Score: 5, Insightful
    one of the sloppier Pirate2Pirate

    There are really times when I wish you could mod a submission as "Flamebait."

  9. Blame? by WindBourne · · Score: 4, Interesting

    • Running Windows
    • Not using total security throughout the network.
    • Allowing Users to download any tool that they want
    • I will bet that they allow CD/floppy downloads.
    • Probably allow Outlook (and in an insecure fashion).
    And the Blame goes to:

    p2p software??????

    Our society really suffers from a lack of taking blame.

    Anybody who runs MS should know that it takes a lot of effort and money to truly lock it down. As such they should do so. It is simply part of the total cost of running a Windows system.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  10. Is it just me... by DeepHurtn! · · Score: 4, Insightful

    ...or does this guy come across as a total ass? "Pirate2Pirate"? Blaming the users? I mean, isn't *he* paid to enable *them* to do their jobs, not the other way around? (Of course, the actual article is /.ed, so maybe it's just the summary that gives me that impression.)

    1. Re:Is it just me... by Dark+Lord+Seth · · Score: 4, Insightful

      If I drive a car over a bridge, start swerving around for fun, then crash through the side guards and park said car next to a fresh-water lobster, would the government be responsible for failing to create a bridge that is capable of withstanding my driving?

      If I install Kazaa, Comet Cursor, Internet Optimizer and surf porn all day long, would the IT department be responsible for the shit I create on the corporate network?

  11. Re:Confirms my unease with P2P by BandwidthHog · · Score: 4, Funny

    Who convinced you that they were legislating *against* spam?

    CAN-SPAM: It's not just a horrible backronym.

    --

    Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
  12. Re:It's easy to blame the users...Cake talk. by mefus · · Score: 4, Insightful

    Funny how it's IT's fault for not getting people to follow the rules (whatever happened to self-discipline?).

    Self-Discipline can be overwhelmed by rules. If you tack on all the Computer Rules to all the other rules (on Harassment, on Job-Requirements, etc) you rely on someone to remember a long list of do's and don'ts.

    But a healthy admin policy will restrict the user without requiring her to remember what's acceptable and what's not acceptable, and why, and all that.

    Who gives diddly what you think about your screensaver. That doesn't help you do your work.

    --
    mefus
    In Open Society, GPL Software frees YOU!
  13. Ahh, blame the users for Admins screwup by AnswerIs42 · · Score: 4, Informative
    Come on.. this is an example of a VERY poorly managed network.

    At work we have 20K users in the US alone. We actually don't have that bad of a time dealing with viruses and worms and the like.

    Why? Because 98% of the users get pushed their virus updates and their OS updates. This includes the clueless people.

    We also run network scans and know WHEN computers were updated. If the computer is connected to the network, we know what updates it has or doesn't have. The only hard part is FINDING the unpatched computers.

    We also have a firewall that prevents P2P connections, FTP and anything else non web browser related (gets annoying at times).

    In reading this story.. I can only assign 1% of the blame on the users and 99% of the blame on the admins for not doing a proper job.

  14. Analogies... by MunchMunch · · Score: 4, Insightful
    Yeah, except a network admin should be able to set privileges to disallow the installation of 3rd party software, and so on. And also, this is a private entity, so the public good part also fails. So your analogy should be more like:

    "In a world where a private corporation could create a private bridge and set strict rules of usage for that bridge, would that private corporation be responsible for its own damages if its manager of Bridge Upkeep failed to set the readily available measures to prevent paid employees to swerve around for fun, crash through side guards and park said car next to a fresh-water lobster?"

    Sounds more like this guy was just looking for an excuse to submit a story and use the term "pirate2pirate."

  15. Flag on the field!!! by goldspider · · Score: 5, Funny
    "Apple Macs and Assorted Linucen"

    "Making up a new plural case of a word to try to sound cool", on "haxor.dk". That's a 15 yd. penalty and loss of down.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  16. Re:The root/admin flaw by thepoch · · Score: 5, Interesting

    The problem with this is that most applications for Windows don't consider the "multi-user" environment. There are a lot of apps that simply don't work well when it's not run by an Administrator account. Take for example Office 2000. I've installed this before on a Windows 2000 machine. When I run it as an Administrator, there is no problem. When I run it as a User account, it keeps asking me to insert the Office 2000 CD because there are missing components. WTF? Granted I installed it with only the features I need, but why the hell should it ask for the CD in the User account and not the Administrator account?

    Another case... I used to program for a corporate environment. I was the only one who programs with conditions as to who is running the software, so I could save their data into their respective "Documents and Settings" folder, under Application Data. The rest of the developers don't care. I even set the installer to make sure only an Administrator account can install (using InnoSetup, great software).

    So who's to blame? Users for running as Administrator (because they have no choice a lot of times)? Developers for not developing with multi-user environment consideration? Or Microsoft, for "hacking" Windows to become a horrible multi-user environment?

  17. VLANs and Port to Port Security by HermanAB · · Score: 4, Insightful

    Geez, any self respecting switch has some of those features - people should learn to use them to partition the network. On a Windoze office network, very few users need to talk to each other - most only need to talk to a server.

    --
    Oh well, what the hell...