Slashdot Mirror

← Back to Stories (view on slashdot.org)

Curing a Corporate Virus Infection

Posted by michael on from the lift-off-and-nuke-the-site-from-orbit dept.

museumpeace writes "Over at Internet Storm Center Deb Hale's 'In search of the bot net' entry for September 25 recounts a grueling hunt for all the .exe's, reg entries and sources for a bot infection of a 60 server corporate network. What a nightmare! The story ends with an indictment of careless users and a suspicion that Ares, one of the sloppier Pirate2Pirate filesharing tools was the original souce of the extensive corruption that eventually even crippled the AV tools. How typical is this sort of grief? [More more frequent than reported, I would expect: the corporate victim demanded anonymity for the story to be told]."

16 of 346 comments (clear)

  1. Pirate to Pirate? by Anonymous Coward · · Score: 5, Insightful

    Only slightly biased. I understand the annoyance of the admins over this screwup, but take deep breaths and count to 10 before you badmouth all P2P networks.

    1. Re:Pirate to Pirate? by glockenspieler · · Score: 5, Interesting

      Ok, I'm going to go off on a rant here.

      I'm bloody well sick and tired of the piracy argument. The most succint argument about the permission culture that we are moving towards is put by Lessig in "Free Culture". We have this view that because something has value, that it equates to right. Look, if i bloody well want to share files, it is not obvious that I am "stealing" from anyone.

      Example: When photography first became relatively widespread, it was not clear whether someone was in their right to take pictures of people or buildings without permission. Afterall, the photographer might be getting something of value, so perhaps they should ask permission. Now, ask yourself, what would the culture be like right now if whenever you wanted to take some vacation photos, you need to get permission? Jeez, Kodak would have been just like Napster, just aiding people trying to steal other people's value.

      Remember, treating sharing as stealing someone's property is *one* system for treating intellectual property but it ain't the only one and it sure as hell ain't the one that the US has had for at least its first 180 years.

      Piracy? Bloody well pisses me off whenever someone uses that term!

    2. Re:Pirate to Pirate? by glockenspieler · · Score: 5, Insightful

      That's because you don't make your living off creating original IP. Music, Movies, Games, Books, Etc.
      br> I'm a scientist. I create what you refer to as IP every day.

      Please. Please take the time to understand the issue from the point of view of the artists. And please be mature enough to realize that not all artists are rich spoiled musicians.

      I never said nor thought that they were all "rich spoiled musicians". Indeed, I would argue that small indendent creators have more to gain from a system of distribution that bypasses the typical middle men such as publishers and record labels. I have many friends that have had book or recording contracts. I think that I would have a hard time telling these individuals whose market is likely to be small for their output that they are better off with these publishers/labels than developing alternative distribution methods. P2P is one possible distribution method and one that does not obviously equate to taking the food from the mouth of creators children.

      Do you believe that anything that is not a solid object should be freely copied whenever someone wants?

      Nice attempt to distort my original point. No, of course I do not. Do you believe that the only and best way that creators can make a living is by allowing a small number of media companies control distribution and use of media?

      Have you really spent the time to think about what that would really mean?

      Yes. Have you?

    3. Re:Pirate to Pirate? by Calamormine · · Score: 5, Insightful

      Allow me to interject. I am a professional musician (no, you haven't heard of me) and when I write a song, or a piece of music, I am thrilled to see it end up on a P2P network. Frankly, I think it's a shame that it is so hard to be a musician without having to sign with a soulless record company who only wants the rights to your intellectual property. It would be nice if selling music were more like selling your house. If you don't want to use a gigantic record corp., you put the music out yourself! Now, how would you put the music out yourself? P2P? Brilliant! It's so easy to assume the moral high ground in jumping down P2P users throats, but it's actually a very useful thing to upcoming musicians. If people don't know you they can't like you, and most people are not going to go out and buy stacks of CDs from people they know nothing about. But people are going to do genre searches, and if they come across your stuff, they are going to be able to like it, and then if they like it, they will support it.

      --
      So THAT'S what that means!
    4. Re:Pirate to Pirate? by Quarters · · Score: 5, Insightful
      So should I be saying "FU!" to the people that steal the games I work on or should I be saying "FU!" to myself for being such a whore that I want to have a house for myself and my wife, food on our table, clothes in our closet, and money with which to enjoy our lives?

      According to you I'm a horrible horrible person for not working my life away to let you have all the fun you want while I live in squalor. Gee, thanks. I don't understand how I completely misunderstood my place in life all these years! You, the one with no talents but a freely available file sharing program get everything while I, the educated, hard working person with a great idea and the means to produce it must be resigned to a life of crap.

      Do you enjoy going through live being a complete and total self-centered, cheap ass bastard?

  2. Protected Ports by Anonymous Coward · · Score: 5, Informative

    If you can use the 'protected port' option on e.g. cisco switches, TURN IT ON.

    Essentially, it prevents the indicated ports on the switch from communicating with other ports that also have that protection set. Unless you have sloppy shared directories or some reason for the actual PC's to talk directly to eachother, it won't harm anything and will prevent the viruses from spreading pc-to-pc once (not when) they get in.

  3. Control your network. by JasonUCF · · Score: 5, Interesting

    [disclaimer: i work for a major fortune 500 company with a large, 50+ distributed node WAN]

    Everytime there's a big ass Windows vulnerabilty, there are security emails and IT manager emails basically saying "heads up, check your shit." But let's say somebody doesnt check his shit, and a site ends up infected. The WAN group watches the network, especially during times like this, and nodes are just dropped off routing from the rest of the network until they get their act back together.

    I realize the article is talking more about the pains of these nasty new infections that mutilate machines, but the old saying works -- a good offense is a great defense. Assign local managers responsibility for the server boxen at their node, he/she should be keeping the machines patched, but when that fails, close the node off the network before it can damage anywhere else.

    Of course the major server boxen have their own layer of network between them and the rest of the WAN, so they can be isolated if the worm is already rampant on the network. Doesn't hurt to access list transmission ports, either, icmp, tftp, foo...

  4. Re:It's easy to blame the users... by SlamMan · · Score: 5, Insightful

    Plenty of don't have that option. When management says "no, of course users should be able to install software on the machines they use," the IT shop has a bit more of an added challenge.

    --
    Mod point free since 2001
  5. Point the finger at yourself by Anonymous Coward · · Score: 5, Insightful

    Blame your own policies, not your users. Users are not IT experts and will not be even with extensive training.

    Restrict privileges. Don't allow anything that is not necessary...

  6. Wrong approach by cperciva · · Score: 5, Insightful

    ...a grueling hunt for all the .exe's, reg entries and sources for a bot infection...

    Wrong answer. If you have a compromised system, trying to clean it is (a) likely to be really difficult, and (b) not secure.

    Wipe the system, reinstall, and recover from backups. (You do keep good backups, right?) It sounds pessimistic, but in most cases an attempt to "clean" a system is going to end up with you pulling out the OS reinstall disks anyway.

    --
    Tarsnap: Online backups for the truly paranoid
  7. Modding by StevenHenderson · · Score: 5, Insightful
    one of the sloppier Pirate2Pirate

    There are really times when I wish you could mod a submission as "Flamebait."

  8. Re:It's easy to blame the users... by superpulpsicle · · Score: 5, Informative

    Just go back to the classic-server rule of thumb.

    1.) Desktop machines can use windows

    2.) Servers must be unix based.

    The user can corrupt the hell out of their hard disk, and they have only themselves to blame.

  9. Re:It's easy to blame the users... by mrseigen · · Score: 5, Interesting

    We actually lock down our Windows XP machines pretty hard, yet for some reason a virus is capable of installing DLLs into the system folder on a non-priveleged account.

    We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

  10. Re:It's easy to blame the users... by Spoing · · Score: 5, Informative
    1. We've had a number of keylogger viruses and such pop up on local machines, even from machines with restricted permissions (i.e. can't even write to C:). I don't know what's wrong with XP, but this looks to be a pretty big flaw.

    If the service that the viruses are using aren't enabled, they can't be exploited.

    Here's one way to deal with this...

    Isolate the client; vlan/router or yank the system and put it in an isolated environment (test lab, 2 system LAN, ...). Turn off the client XP firewall (if any), run Nessus on another system and point it at the client, go back to the client system and disable all services that Nessus reports -- even the ones that are not considered problems! Do any security hardening Nessus suggests. If you really need the detected services, write down what you would loose by disabling the service, what it would take to secure the service, and if there are any automated tools that can be run client side to clean up or better block hostile attacks.

    Document what you needed to do, do the same to a few more systems, and then automate the process (registry files, boot scripts, policies, ...).

    --
    A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
  11. Flag on the field!!! by goldspider · · Score: 5, Funny
    "Apple Macs and Assorted Linucen

    "Making up a new plural case of a word to try to sound cool", on "haxor.dk". That's a 15 yd. penalty and loss of down.

    --
    "Ask not what your country can do for you." --John F. Kennedy
  12. Re:The root/admin flaw by thepoch · · Score: 5, Interesting

    The problem with this is that most applications for Windows don't consider the "multi-user" environment. There are a lot of apps that simply don't work well when it's not run by an Administrator account. Take for example Office 2000. I've installed this before on a Windows 2000 machine. When I run it as an Administrator, there is no problem. When I run it as a User account, it keeps asking me to insert the Office 2000 CD because there are missing components. WTF? Granted I installed it with only the features I need, but why the hell should it ask for the CD in the User account and not the Administrator account?

    Another case... I used to program for a corporate environment. I was the only one who programs with conditions as to who is running the software, so I could save their data into their respective "Documents and Settings" folder, under Application Data. The rest of the developers don't care. I even set the installer to make sure only an Administrator account can install (using InnoSetup, great software).

    So who's to blame? Users for running as Administrator (because they have no choice a lot of times)? Developers for not developing with multi-user environment consideration? Or Microsoft, for "hacking" Windows to become a horrible multi-user environment?