How To Avoid a Botnet Infection?
Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-virus programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
...I'm going to go ahead and guess the general answer most people around here are going to give.
Linux or OSX.
AmIright?
Living With a Nerd
Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.
The only way to be 100% protected against all forms of computer infection is to unplug all of your network cables and wireless connections and work off-line. Even then you will still have to contend with possibly infected removable media such as USB drives and CD-ROMs from untrusted sources.
Linux seems to be less vulnerable. Using as few Windows boxes as possible helps. Using blacklists of bad servers in the hosts files (Spybot's list is good). Maybe a Bluecoat device; we have one here and it's helped a LOT. Email vectors are still huge, and the user error 1D107...
is gmer still up to date in detecting rootkits?
You'll probably find that most of your problems will go away if you get rid of your users :)
Do you have any better hostages?
I'm a coder, not IT, so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers, but it is quite possible I've missed active bots with such simple protections.
So my question is: are firewalls and anti-virus really not that effective, and if so, how do bots get around them?
Run a program that only allows whitelisted applications, and block all removable media. It's the only way you can be absolutely certain there is nothing running on your network that shouldn't be there. http://en.wikipedia.org/wiki/Whitelist#Application_whitelists
"Detected running a web browser" /the/ vector for virus infections, other than ridiculously insecure OS's, so simply uninstall all browsers and use a telnet BBS for any serious internet work.
There's your source of the problems.
Web browsers are
Perhaps somewhat obvious, but you will never achieve 100% protection against malware unless you unhook the internet connections, block the USB ports, optical drive, floppy drive, multi-media card reader etc.
The worth of any IT support company comes not from the level of prevention they can provide against outages, it's how quickly and effectively they respond to bring systems back in line after a problem occurs.
Assuming you cannot prevent a botnet infestation, you minimally need a documented procedure on how you're going to deal with the cleanup.
In a more direct answer to your question though... put systems in place that are supported by big companies, e.g. Checkpoint firewalls at boundaries, Symantec/F-Secure/ESET AV throughout (with solidly applied policies and installed by a certified provider).
Teach all the workers about security. Disable autorun on all machines. Don't let them run as admins. Use NoScript and AdBlock and Foxit (or similar). Update Windows and AV regularly...
Where I work we've been blocking a long list of email attachments like exe's and others. A few years ago we also started blocking Facebook.
I set it up years ago and don't remember myself. We're all Windows and have never been zombified. You can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over Facebook and Twitter.
Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess if anything the computers are out of date for their OS patches.
You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.
That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash; they hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash player. Every time Adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the Flash remover, and then msiexecs the newest Flash MSI. It's a pain in the ass, but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.
Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.
This stops mailware:
http://protobalance.com/
-paul
It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.
#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.
#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.
#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.
#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.
These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
Depending on your network topology you might be able to solve this by just adding one proxy/caching server to the mix. A proxy allows port 80 HTML traffic but doesn't allow other programs to bootleg themselves as something running on 80 to connect, as there generally is application protocol checking. Firewalls do not remove the need for an application/proxy server in this mess and do not replace it, as without that function you still have machines directly connecting to remote hosts and are still vulnerable. Firewall all traffic off both ways at the firewall and only allow traffic originating from the proxy to traverse the screen. Bot programs already on hosts thus have lost access to anything, and you are pushing your proxy list down via group policies to the client machines. And no, you don't need Linux to do this despite what I see other people commenting. Linux is more secure in most cases due to obscurity, but it is not the same thing as Windows and expecting your user base to use it is like cutting off one of their arms and asking them to do the same work. Properly implementing your Windows security is all that is required, and it probably would be easier to add one machine to fix all of your problems than to wipe all the machines in your office and load Linux, wouldn't it?
A few suggestions from my experience as a technician:
DATABASE WOW WOW
Block ads as much as you can: Ad networks are an attack vector. Disable scripting if you can or whitelist the scripts you can't do without. No Flash, Quicktime, or Acrobat plugins. Use an alternative PDF viewer for downloaded PDFs. Disable scripting in the PDF viewer as well. Filter active email content on the server, use a local email client other than Outlook, disable all scripting and network access except to your local email server. Keep your systems and applications (!) updated, disable unnecessary services, especially those which open network sockets. Don't do stupid things.
It might be the CEO. It might be you. But the fault is always with a person, and they should be held responsible for their actions, including recovering costs.
If you were blocking sigs, you wouldn't have to read this.
That's precisely the problem: enterprise environments often assume that using anti-virus and firewall solutions means they no longer have to be concerned with information security.
It is all too easy to bypass anti-virus detection, and anti-virus products often only protect against known threats. There will always be unknown threats it doesn't protect against.
What you really need is proper sandboxing, but that is a hassle that most people just don't want to deal with.
http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
Do you mean web *server*?
The vast, vast, vast majority of companies are going to need port 80 (and 443) opened. I don't know the last time you stepped into a corporate environment, Taco, but that's how you do your timecard, put your vacation time on the calendar, sometimes how you answer email even.
Comment of the year
If we are talking about XP machines, consider taking away admin permissions from ordinary users. Maybe set up a local admin that the users know the password for, but let them do their daily work as restricted users.
"Beware of he who would deny you access to information, for in his heart he dreams himself your master."
Btw thanks harrymcc/timothy re the posting of the "Russian ASCII Art Animated Cat From 1968" article.... my local library really appreciated the pissoff.exe malware on their machine.... that article should be renamed to "In soviet Russia BESM-4 GOST 10859-64 ASCIISKI Art Animated Kitty Porn From 1968 with blessing of Russian malware from 2010 - now all IE bases belong to Boris Grishenko" !
I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must do's":
1. Block social networking sites. Need convincing? Here. http://google.com/safebrowsing/diagnostic?site=facebook.com/ or http://google.com/safebrowsing/diagnostic?site=myspace.com/ or http://google.com/safebrowsing/diagnostic?site=twitter.com/
2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (Trusted Source type technology).
3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential.
4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs.
5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks.
This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux based solution with entirely open source tools large enough to cover thousands of concurrent users.
the only way to secure the system- is don't let anyone into the system
every day http://en.wikipedia.org/wiki/Special:Random
If you have a Cisco ASA 5510 or higher you can purchase the botnet filter for roughly $320 a year. Then enable the filter on your internal interface to block any outbound traffic going to the known botnet IP ranges. I would also recommend blocking unnecessary outbound ports and limiting necessary ports to specific machines (e.g. port 25: mail server only outbound). I would also look at setting up a proxy server such as Squid. I would do MIME filtering on untrusted web traffic and perhaps use DansGuardian for prebuilt whitelisting/blacklisting. At my workplace I am fortunate enough to be allowed to do a default deny on the entire internet, only whitelisting work-related sites (of course I work at a bank). Antivirus should be considered a secondary defense in this day and age. You really need to look at getting an IPS device for your network and then perhaps an aggregated log server if you haven't already. These last two recommendations will cost some money. So short term I would focus on outbound firewall filtering and a proxy server.
MySpace and Facebook, and disable autorun on all drives like USB and CD-ROM.
Identify the people responsible, sack and sue them
That's a nice suggestion. However, the machine could well be infected due to an infected legitimate website that the person visited in the course of his/her duties.
install gentoo
This is more of a question than anything, as I find this to be a fascinating topic, but have little experience in managing corporate networks.
At what point does it make sense to have your users having to run all that they do on a virtual machine, which if anything gets compromised can just be rolled back without too much fuss?
Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?
Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.
I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much, seems fairly practical yet transparent to the users. (wish I had mod points for you guys, but not today!)
But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?
Sorry for sounding naive, but this is not my area of expertise...
As I said, it could be the BOFH's fault for having inadequate firewalling, filtering and virus checking. But someone ballsed up, and they need to go.
What antivirus system and what firewall rules? What security policies? And more importantly, how were the people trained? If you ask someone to type the root/admin password, probably they will.
Anti-virus: try a good one, not necessarily a free one.
Firewall must be configured by application and user, not by port.
Group Policies must be used; users must not be authorized to run any software outside the whitelist.
People must be trained. Culture takes time to change. You will not solve this with software and appliances only.
(Block China and Russia IPs if possible)
Seriously? Litigation is the best solution you can think of?
How To Avoid the Infection of Botnet?
By using the common of sense?
1) Only allow web browsing through an http/https/ftp proxy server(s). The proxy server(s) should include an anti-botnet blacklist and should logically have a network firewall between them and the internet.
2) No open direct connections from the internal network to the internet in general by workstations.
3) Don't allow non-corporate workstations on the corporate LAN. The corp should have a guest LAN that includes internet access for guests and personal devices of employees.
4) Corporate workstations must have up-to-date AV to connect to the Corp LAN (force them to the guest network otherwise and issue an alert).
5) Don't allow users the rights to install software (but have a robust User Tech Support organization that can quickly test and push out ok'd software to workstations).
6) Have and actually monitor logs from egress filters on the network firewalls.
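A worked example of item 6, and of the proxy-only egress setup a few posts up, added here as an illustration; it is not part of the post above. It assumes a made-up layout: workstations in 10.10.0.0/16, a proxy at 10.0.0.5:3128, an internal resolver at 10.0.0.2, a mail server at 10.0.0.10 that alone may send SMTP, and a simple constructed log format. It reports every workstation flow that went to the internet without passing through the proxy, including the ones the firewall accepted, because those are the holes in the ruleset:

```python
"""Audit egress firewall logs for workstation flows that bypass the proxy.

Added example, not from any poster. The network layout is an assumption made for
the example: workstations live in 10.10.0.0/16 and may only talk to the proxy
(10.0.0.5:3128) and the internal resolver (10.0.0.2:53); only the mail server
(10.0.0.10) may send SMTP out. Any other workstation flow to a non-RFC1918 address
is a finding, whether the firewall ACCEPTed it (a hole in the ruleset) or DROPped
it (a host that keeps trying anyway).
"""
import ipaddress
import re
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")
PROXY = (ipaddress.ip_address("10.0.0.5"), 3128)
INTERNAL_DNS = (ipaddress.ip_address("10.0.0.2"), 53)
# Explicit RFC 1918 list: ipaddress.is_private also treats documentation ranges such
# as 203.0.113.0/24 as private, which would hide the sample "internet" hosts below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample log (not real traffic); the format is an assumption of this example.
SAMPLE_LOG = """\
2010-03-01T09:00:01 ACCEPT proto=tcp src=10.10.4.21:51022 dst=10.0.0.5:3128
2010-03-01T09:00:02 ACCEPT proto=udp src=10.10.4.21:53212 dst=10.0.0.2:53
2010-03-01T09:00:05 ACCEPT proto=tcp src=10.10.4.21:51030 dst=203.0.113.7:80
2010-03-01T09:00:06 DROP proto=tcp src=10.10.4.21:51031 dst=203.0.113.7:6667
2010-03-01T09:00:09 ACCEPT proto=udp src=10.10.7.8:44021 dst=8.8.8.8:53
2010-03-01T09:00:10 ACCEPT proto=tcp src=10.0.0.10:40001 dst=198.51.100.25:25
2010-03-01T09:00:11 ACCEPT proto=tcp src=10.10.7.8:44022 dst=198.51.100.9:25
2010-03-01T09:00:12 ACCEPT proto=tcp src=10.10.7.8:44023 dst=10.0.0.5:3128
"""


def parse(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def violation(rec):
    """Return a reason string if the flow breaks the proxy-only policy, else None."""
    src, dst, dport = rec["src"], rec["dst"], rec["dport"]
    if src not in WORKSTATIONS:
        return None  # servers have their own rules; not this audit's job
    if (dst, dport) in (PROXY, INTERNAL_DNS):
        return None
    if any(dst in net for net in RFC1918):
        return None  # east-west traffic is a separate audit
    if dport == 53:
        return "dns-to-external-resolver"  # bots like to bring their own resolver
    if dport == 25:
        return "direct-smtp"  # classic spam-bot signature
    if rec["action"] == "ACCEPT":
        return "direct-internet-accepted"  # the ruleset has a hole
    return "direct-internet-blocked"  # policy held, but the host keeps trying


def audit(log_text):
    """Group findings by workstation: {src: [(reason, "dst:port"), ...]} in log order."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        reason = violation(rec)
        if reason:
            findings[str(rec["src"])].append((reason, f"{rec['dst']}:{rec['dport']}"))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in audit(SAMPLE_LOG).items():
        print(host)
        for reason, dest in hits:
            print(f"  {reason:26s} {dest}")
```

Run it daily over the previous day's log. The "direct-internet-accepted" lines are ruleset bugs to fix on the firewall; "direct-internet-blocked", "direct-smtp" and "dns-to-external-resolver" lines are hosts to pull off the network and look at, since nothing a user runs legitimately on a proxy-only desktop should be producing them.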
In addition to the sound advice already given above, I'd suggest also regularly just re-installing everything.
This sounds scary, but actually has a lot of benefits:
1. It forces you to get good at configuration management and massive deployment
2. You can schedule and apply security & application updates in one hit, hence avoiding cross- or retro-infection, and also ensuring that patches really are applied
3. It forces users to take responsibility for data backup & restore (or at least makes sure you get your centralised system working reliably and transparently)
4. All the crap that people install 'by accident' but then never use vanishes, and the security holes with them
5. A lot of miscellaneous error reports will also vanish, as stuff that people had broken is reset (slow PCs, random hangs, network glitches...)
It sounds like a lot of work, but since I've never found any security product that detects, and then reliably removes, 100% of all known nasties, it's actually the only way to be sure your systems are 100% clean (albeit probably only briefly). You'll also, ultimately, spend less time. NEVER waste time trying to disinfect a machine - reinstall...
Your users will be really pissed off but the infection rate will be way down.
Long answer: You cannot. (Okay, bad pun.)
Any system that has humans (especially ones that don't follow proper security protocols) will always have a chance of a virus appearing. It may be a CEO/VP that insists on being able to run something, or some other app that gains admin privileges by an exploit.
At best, you might be able to use a whitelist app system or something like DeepFreeze to cut down on damage. However, any rogue program (e.g. bounty hunter viruses) that breaks out of sandboxing can still zombify your network.
Also, a Facebook friend recently sent a link which was one of those virus-type sites. Inexperienced users will encounter aggressive attempts to download "setup.exe" - and like most other browsers, Firefox still didn't provide an option to immediately block virus-like activity. It should: there's a key labeled "Break" in the top-right corner of my keyboard.
How is Botnet formed ?
How computer get infected ?
There should be a way to instain hacker who infected computer because
computer cant fright back.
I read from a sysadm in AR who lost their computer to botnet.
Everyone knows that BeOS is the best.
I scream. You scream. I assume that means we're both acquainted with the problem. We proceed.
Windows isn't going away, Linux and OSX aren't the cure-alls either.
I've seen lots of things tried, locking down the desktop even to the point that Active-X controls couldn't be installed by an end-user. Still, with any XP or Windows 2000 system we had, if you hooked it to the net without some AV or patching applied within 30 minutes you'd have some virus or malware on it. That was on the company Intranet.
I think what needs to happen is that network management tools need to start modeling traffic behavior and start watching for abnormal patterns and requests. Likewise, the Internet is wide open, but there are only certain destinations that you really need to go to when at work. IPS goes so far, but really you need to start identifying traffic patterns and abnormalities in those patterns. Not just for this kind of exploit but for changes in system behavior as well.
Yes, Port 80 blocks aren't effective, but where is the traffic going? If it's going to Romania or some other place, why is it going there? If your users go to Google, Slashdot and other well known sites, why all of a sudden are they going to ISPs that are known to host botnet controllers?
I think admins and the industry have put too much emphasis on just fixing the O/S and as Windows holes get filled, there will still be millions of XP systems out there to exploit. A lot of this will start to move to the OSX/Linux community as well, it's just a matter of time because those markets will become victims of their own success. Hackers like a challenge and trust me they'll figure a way out to infect OSX and then the malware companies will start rolling out more products to "protect" those systems as well.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
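An added example of the traffic modelling the post above is asking for; it is not the poster's code. It works on a constructed proxy access log with an assumed format of "<epoch> <client_ip> <dest_host> <bytes>", builds a per-host baseline of destinations from a quiet period, then flags destinations missing from that baseline and, more usefully, host/destination pairs that recur on a fixed timer, since a bot polling its controller every N seconds is far more regular than a person clicking links:

```python
"""Behavioural checks over a web-proxy access log: destinations a host never contacted
during a quiet baseline period, and connections that recur on a fixed timer
(beaconing), which is how most bots poll their controller.

Added example, not from the post above. The log format is an assumption of this
example: '<epoch> <client_ip> <dest_host> <bytes>', one line per request. Both
logs below are constructed.
"""
import statistics
from collections import defaultdict

# A week-old "known good" window for the same client.
BASELINE_LOG = """\
1267430000 10.10.4.21 www.google.com 5120
1267430090 10.10.4.21 slashdot.org 22000
1267430400 10.10.4.21 intranet.corp.example 1800
1267431000 10.10.4.21 www.google.com 4800
1267431500 10.10.4.21 slashdot.org 25000
"""

# Today: normal browsing, plus something calling home every 300 s with tiny payloads.
OBSERVED_LOG = """\
1267520000 10.10.4.21 slashdot.org 21000
1267520041 10.10.4.21 www.google.com 5000
1267520300 10.10.4.21 cdn-static.example.net 412
1267520600 10.10.4.21 cdn-static.example.net 410
1267520900 10.10.4.21 cdn-static.example.net 415
1267521200 10.10.4.21 cdn-static.example.net 411
1267521230 10.10.4.21 slashdot.org 23000
1267521500 10.10.4.21 cdn-static.example.net 413
1267521800 10.10.4.21 cdn-static.example.net 409
1267522700 10.10.4.21 slashdot.org 19000
"""


def parse(log_text):
    """Yield (epoch, client, dest) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]


def build_baseline(log_text):
    """{client: set(dest)} learned from the quiet period."""
    seen = defaultdict(set)
    for _, client, dest in parse(log_text):
        seen[client].add(dest)
    return seen


def new_destinations(baseline, log_text):
    """Destinations each client used that were absent from its baseline, sorted."""
    fresh = defaultdict(set)
    for _, client, dest in parse(log_text):
        if dest not in baseline.get(client, set()):
            fresh[client].add(dest)
    return {c: sorted(d) for c, d in fresh.items()}


def beacons(log_text, min_hits=5, max_jitter=0.15):
    """(client, dest) -> period in seconds for pairs whose inter-request gaps are nearly
    constant. max_jitter is the allowed coefficient of variation (stdev/mean) of the
    gaps; human browsing is far burstier than that, polling malware is not."""
    times = defaultdict(list)
    for ts, client, dest in parse(log_text):
        times[(client, dest)].append(ts)
    found = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found[key] = round(mean)
    return found


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    print("new destinations:", new_destinations(base, OBSERVED_LOG))
    print("beacons:", beacons(OBSERVED_LOG))
```

The 15% jitter threshold and the five-hit minimum are starting points, not magic numbers. Tighten them once you know how regular your own legitimate pollers (AV updaters, NTP, mail clients checking for new messages) are, or better, whitelist those destinations before running the check.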
Make a star topology off the ethernet (for example by mandating pptp to central server for web access).
Monitor IP connections there.
Put a filtering proxy po
Do not allow IP view from one workstation to other. No workstation should see each other on IP. Each one should see only the server.
I'm sure the best and brightest in your field will be knocking down your door when you develop a reputation for suing your own employees with frivolous lawsuits. No court is going to hold a non-technical employee liable for getting an infection, especially if they didn't intentionally break established IT policy you made them agree to and trained them on. If they did break policy, you can probably fire them without worrying too much about wrongful termination suits, although it might vary from state to state. Getting damages is just a pipe dream though; employees are not responsible for damage from accidents, generally even if they were negligent.
For example, people are still surprised when they learn about Adobe Acrobat and reader are commonly exploited (if you can call it that) as a means of inserting code into a machine. And there are other insertion vectors as well and, interestingly enough, most have to do with Javascript. So what to do?
First step is awareness. Get yourself aware. Get on bugtraq and other mailing lists/forums to make yourself aware of these things as they emerge. The second step is to control and limit the doors used to walk into your network. If you have to set up a proxy server in order to prevent users from hitting servers in Russia and other countries your business interests have no need to travel, then that is what you should do. Further, blocking Javascript is an important step in protecting the network. Cisco routers can use rules to prevent scripts from being downloaded, interestingly enough, as I have observed where it had actually prevented me from hosting certain web apps taking me a LONG time figuring out why and how. Finally, using browsers that enable the selective control of which Javascript code to run is extremely useful. (To my knowledge, MSIE still has no such "NoScript" functionality.)
Many people correctly jump to the stock answer "It's a Windows problem." This is correct in fact, but is inappropriate where a larger picture is concerned. If people stopped using Windows today, the attackers would simply begin exploiting Linux and MacOS more frequently. These rules of safety apply to all platforms even if the non-Windows machines are not presently the primary target.
In short, if you cannot fix the problem, avoid using the software that is vulnerable. And if you cannot avoid that, then block communications with botnet controllers as most of them reside in other nations and are generally known.
As an added note, if it's possible, try to use a non-corruptible Windows solution. What I mean by this is using a system by which machines can be reloaded or recovered with more ease. Sometimes it is far less important to know how or why and more important to have a path of quick recovery ready and available. Many people use Ghost images to recover quickly. Others use virtual machine technologies. Deep Freeze is one solution that I have heard great things about. In the case of Windows, you have to disable much usability and functionality to lock it down. Some of this usability and functionality is required for day-to-day business. Such solutions would be unacceptable. So preparing a fast recovery method is your next best thing to prevention.
1. Block out Facebook.
2. For small shops, get rid of Exchange and go to Gmail. For larger, get some sort of black box virus filter like what Barracuda makes on top of existing email AV. Use Spamhaus blocking lists.
3. Encourage users to use Firefox and AdBlock instead of IE when possible. Not always possible since many corporate apps only run on IE.
4. Centralize management of AV and Microsoft Updates.
5. Make user education continuous. Give real world examples of how failure to follow proper procedures can harm them and IT infrastructure.
"I'm not a quack, I'm a mad scientist! There's a difference." - Dr. Cockroach
I have no doubt this thread will be filled with unreasonable answers that won't solve your real-world problems. Here is a real world checklist:
Firewall: configure it right!
Mail server: scan for known viruses, run blacklists and set up filters that look for unusual traffic patterns; set up company-wide spam identification that notifies the mail server. This will help prevent false positives and identify misses. Block bad filetypes (all password protected compressed formats, all video files, anything remotely executable).
Internet: run everything through a proxy that checks for content, and have DNS check for known bad domains and redirect to 127.0.0.1 if they attempt to go to a forbidden page; this is better than directing to the server because it will prevent you from DDoSing your own servers. Set Firefox as the default.
Security: enable DEP on all computers, run basic antispyware and antivirus on all computers (use Microsoft Security Essentials and Spybot combo if you can't afford anything else). Turn off macro support in Office products unless necessary for a specific user. Lock down group policy so that desktop and C drive can't be written by users, rename the administrative account and set a password. Make sure that system settings cannot be changed. Use an imaging product to reset the hard drive each boot (such as SteadyState) or load the OS from a LAN image.
Updates: Set the computers to wake on LAN or wake at a given time for updates. Use Foxit or another alternate PDF viewer whenever possible instead of Adobe. Make sure Flash is up-to-date, spyware and antivirus is up-to-date and browser and OS are up-to-date.
Physical: lock the computer cases and prevent hardware installation by normal users. Prevent external drives if possible (this can be configured under SteadyState or group policy).
Checkups: check computers once a month with a full scan and monitor network at idle for unusual activity.
This can be done for a large organization if you don't work weekends for instance by turning on all the machines and letting them sit idle and looking for unusual port activity or large volumes of data when they should not be updating.
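The "block bad filetypes" item in the checklist above, and the earlier suggestion to strip executables and .zips from mail, as an added example that is not the poster's code. It parses a message with the Python standard library, blocks executables by any extension in the file name rather than only the last one (so "invoice.pdf.exe" is caught), and decides that a ZIP is password protected by reading the general-purpose flag bit in its local file headers instead of trusting the name. The extension list and the sample message are constructed for the example, and only ZIP is handled as an archive format:

```python
"""Mail-gateway attachment policy: reject executables even when the name is disguised
('invoice.pdf.exe'), reject password-protected ZIPs by reading the ZIP header rather
than trusting the extension, and look inside plain ZIPs for executables.

Added example, not from the post above; the blocked-extension list and the sample
message are constructed for it. Only ZIP is handled as an archive format here.
"""
import io
import struct
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

BLOCKED_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "jse",
               "wsf", "hta", "msi", "dll", "cpl"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def blocked_name(filename):
    """True for 'a.exe' and for 'a.pdf.exe': any blocked token after the first dot counts."""
    return any(part in BLOCKED_EXT for part in filename.lower().split(".")[1:])


def zip_is_encrypted(data):
    """General-purpose flag bit 0 in any local file header means that member is
    encrypted. Checked byte-wise so a renamed or truncated archive cannot dodge it."""
    off = data.find(ZIP_LOCAL_HEADER)
    while off >= 0 and off + 8 <= len(data):
        flags = struct.unpack_from("<H", data, off + 6)[0]
        if flags & 0x0001:
            return True
        off = data.find(ZIP_LOCAL_HEADER, off + 4)
    return False


def zip_member_names(data):
    """Member names of a readable ZIP, or None if it is corrupt or not really a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def check_attachment(filename, data):
    """Return None if the attachment may pass, else a short reason string."""
    if blocked_name(filename):
        return "executable-extension"
    if filename.lower().endswith(".zip") or data.startswith(ZIP_LOCAL_HEADER):
        if zip_is_encrypted(data):
            return "encrypted-archive"  # the scanner cannot see inside, so it must not pass
        names = zip_member_names(data)
        if names is None:
            return "malformed-archive"
        for name in names:
            if blocked_name(name):
                return f"archive-contains-executable:{name}"
    return None


def check_message(raw_bytes):
    """[(filename, reason_or_None), ...] for every attachment in the message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        out.append((name, check_attachment(name, part.get_payload(decode=True))))
    return out


def make_zip(members):
    """Constructed fixture: an ordinary ZIP holding the given {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def fake_encrypted_zip(members):
    """Constructed fixture: set the 'encrypted' flag on every local header. No real
    crypto; enough to exercise the header check, which is all a gateway looks at."""
    data = bytearray(make_zip(members))
    off = data.find(ZIP_LOCAL_HEADER)
    while off >= 0:
        data[off + 6] |= 0x01
        off = data.find(ZIP_LOCAL_HEADER, off + 4)
    return bytes(data)


def sample_message():
    """Constructed message: disguised .exe, 'encrypted' zip, zip holding a .scr, clean zip."""
    parts = [
        ("invoice.pdf.exe", "octet-stream", b"MZ\x90\x00"),
        ("docs.zip", "zip", fake_encrypted_zip({"doc.pdf": b"x"})),
        ("report.zip", "zip", make_zip({"report.doc.scr": b"y"})),
        ("q1.zip", "zip", make_zip({"q1.csv": b"a,b\n1,2\n"})),
    ]
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.org", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    for name, subtype, data in parts:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in check_message(sample_message()):
        print(f"{name:18s} {verdict or 'allowed'}")
```

A real gateway would quarantine or strip the offending part rather than bounce the whole message; the point here is the decision itself. RAR, 7z and the Office macro formats each need their own header checks, and a blocked-extension list is only a first cut, which is why the archive is opened and its member names checked too.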
Get a web developer
Did anyone else read the title as "How To Avoid the Infection of your Botnet"? ;)
XML is like violence. If it doesn't solve the problem, use more. Junta
Right - and the CEO reads "Catholic Schoolgirl Spanking" for the articles, right?
Here's what I'd do.
First, if you're running XP, know that its standalone user account types are horrible. Administrators can do anything, while limited users often can't do enough, and some programs don't function correctly with this account type. I hate to say it, but this is one of those cases where Vista was an improvement. Its standard user accounts are just about right, so if you have the option to upgrade to Windows 7 (or even Vista), consider it. There are certainly downsides, especially where older hardware is concerned, but better non-administrative accounts are a reason to think about it.
If you don't want to do that, then filtering is your next step. First, shore up the browser by making sure its anti-phishing filters are turned on. Another level of filtering/user advising can be performed by McAfee SiteAdvisor (http://www.siteadvisor.com). Its main benefit is that it will place advisory icons next to search engine results, indicating the site's risk. Show these to your users, and teach them what they mean. If you're running Firefox, install AdBlock Plus. That will filter out malware coming in through infected ad servers.
Next, you can use OpenDNS as a DNS filtering solution. This will let you block sites that folks shouldn't be visiting at work...MySpace, Facebook...did I mention MySpace and Facebook.
Next, consider whether or not you need your users to have Flash, since it is yet another avenue for infection. Unfortunately, some sites rely on it for basic functionality, so there may be some reason to leave it in, but if you do, MySpace and Facebook (especially MySpace) should be blocked.
Finally, look at your e-mail, since I'd be willing to bet that malware is coming in by that route. What anti-spam measures is your mail server running? If you aren't sure how well they're working, take a look at the mail your users are receiving daily. And, just in case you aren't doing this, make damn sure users know that their work addresses shouldn't be receiving personal mail, no exceptions. Let the pictures of kittens, puppies, and dancing babies go somewhere else. Put the fear of God in them if nothing else works. Their work addresses are for work, no exceptions.
You're going to have to fight this battle on an ongoing basis, but you can win if you stay aware of what users are doing and restrict the dangerous stuff.
Nuff said.
While antivirus and a well set up firewall can help, I've found as a sysadmin that there are additional layers that need to be applied. We also use content filters to block out any unwanted malicious sites, porn and other sites we need to block. While I use Websense at work as an in-line filter, I set up OpenDNS at home and on home users' computers to cut most malicious websites off at the knees. We also employ an off-site email scanning service to scan our emails before they hit our internal email server. Once email hits the server, then it gets scanned again. All computers are locked down and we utilize LANDesk for malware and patch updates / security vulnerability scanning. Of course, Altiris works well too, as does MS System Center. Having a layered approach tends to mitigate most problems. Some do get through, but the computer immediately gets re-imaged. All user files are stored on a central server. The computers themselves are as 'dumb' as I can make them and thus easy to fix. Of course, you can't avoid everything. However, many solutions exist and are very low cost to implement if needed. A decent home stack would be:
Anti-Virus (Sophos, Kaspersky, yada, yada)
Malware Detection (Adaware, Spybot, etc.)
Content-Filter (aka OpenDNS or K9 Web Protection)
Backup (aka Mozy or Carbonite)
Online Email (aka Gmail, Yahoo, etc.)
Baseline Image (...)
Ad-block, Flashblock and Firefox... Sorry Slashdot...
There are many choices available. Many of them work very well. While this won't mitigate all attacks, it will minimize them quite a bit. As long as folks don't intentionally break them... :)
Hope this helps.
As a user who has a more advanced degree, more hands on experience, more interest, and broader programming experience than 90% of the IT personnel where I work I find the constant blaming of the user to be offensive. I have been down right lied to by IT personnel because they were either too lazy or too stupid to do their job correctly. I have had dedicated equipment stolen by IT personnel because they didn't understand what it was doing and thought they could make better use of it else where. Take some pride in your work, learn how to do your job correctly, and grow some balls (i.e. take responsibility for your failures).
Start sending your resume out, 'cause your ASS should be fired!
Tips for not getting bot-ified.
- Stay patched on OS, Apps, Browsers, Plugins, religiously.
- Don't allow complete in/out network access without aggressive filters and proxies
- Don't allow IE to be used on external web sites
- Don't allow Outlook to be used at all
- Users don't get admin equiv accounts
- At the first sign of trouble on a PC, wipe it. That is the only answer. Users hate this so they will take steps to avoid spyware and other nasty stuff.
- Don't allow complete access to the internet. Only allow white listed websites
- Don't allow DNS to desktops
- Don't allow the default route anywhere but your proxy server
- Perform as much malware scanning on the proxy, email, and file servers as possible.
- Push scanner updates to clients. Verify the updates are installed and if not, place those systems on a limited part of your network where they can only get system, AV and malware removal updates.
- Migrate as many systems to non-Windows as possible.
- Don't allow users to install software on their machines
- Follow the hundreds of "how to protect PCs from malware, viruses, and other bad parts of the internet" guides that google will show you
- Make it clear that work PCs are for WORK.
- Remove most video codecs
- Set Internet options to HIGH for anything outside the local network. Don't allow users to change them.
- Set Internet options to Medium for anything inside the local network. Never deploy OCX-based web apps.
- Make FireFox the default browser, install NoScript and AdBlock. Only whitelist internal websites. Don't let users change these settings.
- For any exceptions, have a formal process where both the Head of Security AND the CEO must sign a piece of paper accepting the risks. It should be difficult, but there are times when a system cannot be securely configured due to vendor requirements (which suck).
- Protect admin rights. Nobody gets them.
That should be enough. You'll be hated. The CEO will hate you too. Be certain to tell him the estimated costs of what you are currently dealing with now.
There is no need for a technical solution. Assuming this is for a business, fire anyone who decides to infect a company-owned PC with malware. (Make sure your AUP/HR policies *clearly* state this.)
Ideally this would let you uninstall any anti-virus on end-user PCs, which will increase performance... you still need to do some checking at the perimeter of course.
I just spent the weekend at work, due to an apparently "new" rootkit that hit our network. Friday 9AM, Ticket was submitted to MaBigVendee (with sample of affected file). At 3 PM: Admins had ticket escalated due to lack of response. (120 workstations affected) At 6 PM: MaBigVendee responded that we did have "unwanted software" and asked for us to make some logs (Using Process Monitor; the vendor application internal scan log). -> but hey: Try our latest beta virus definitions file.... it should work.... By 9 PM: The initial link for ftp sent by the vendor did not work; while the ftp client on our side said the second link worked & accepted & completed the upload ... Ticket is escalated to the highest level it can go to. I am attached to the incident.
At 11 PM: We have shut down much of our core network. The contact and phone number I got with ticket escalation to the highest level of handling do not work. I have to sit in the main queue to contact anyone, who states something like: we have no files and can do no work on the issue.
I do not have a copy of the files; all engineers who were on the case
Saturday:
~9:30 AM: 20MB log file is broken into a multi-part zip file & emailed. (Don't forget to change the extension to .txt so it can stay as an attachment.)
11:30 AM: MaBigVendee states they are missing part of the zip. I get the copy I was cc'd on & forward it again.:: Someone is getting security to let them into offices to collect instances of affected laptops.
12:30 PM: MaBigVendee states that the logs sent were useless: Asks if we got the alert during them: (I did not know then, but it turns out MaBigVendee asked for us to create the alert popup condition while the log was being created. This was done per request.)
At this point, we are asked to test another virus definitions file: Why: no reason I can tell. I hear various refrains on response was delayed due to a lack of information being sent to the vendor. Apparently all information was sent to the vendor & vendor is so large that one hand is unaware of the other. (EG: Concierge service is unaware of anything touched by phone monkeys; researchers can neither access corporate nor concierge resources.)
12:45 MaBigVendee remote assistance site is blocked at the web-proxy due to environmental restrictions applied by admins:
2:15 PM Another admin & I go way out of policy to get MaBigVendee access to an instance of an infected workstation. MaBigVendee researchers play on this workstation for the next several hours.
At some point the vendor asks for a VM of the infected machine, but seems to want the machine their researchers are attached to... don't start until the researchers finish.
9PM: We get bored and VM another instance of an infected machine:
11:45 PM: Call MaBigVendee concierge service number: No response... leave message no response: go home.
Sunday:
9AM: Vendor will get to office to pick up VM image at noonish.
12:00: Cannot replicate symptoms in Virtual environment. Point this out to vendor. ("Hey, you know how some programs check to see if they are in a virtual environment & shutdown? I think this may be one.")
MaBigVendee response: "We don't think you virtualized an infected machine." Can you understand how insulting this is? I mean seriously? Go show vendor's guy Virtualization Log Summary on infected machine & that that machine has the issue we are trying to get resolved.
More Boring frustrating stuff here.
By 7 PM: Vendor finally tests a method of removing "unwanted software", but neither of the vendor tools (2) that we own & could be used to push out a virus definitions file & force a full scan will work. We will have to wait for an approved definition, or sneaker-net the beta to 250+ workstations.
So: Having a company that will actually respond and put researchers on the problem is a good part of having a competent company, but big is no panacea & may work against you.
Personally, I think Microsoft has much better rootkit d
Defense in layers would have gone quite a ways to assist in this problem. I don't recommend Chrome/Firefox/etc. because it's not IE, I recommend it because you can run script blockers etc. that will cut down on the risk of infection. Most corporate machines I've seen disable firewalls and UAC because it might interfere with workstation management, which is great until your sales team takes it out and puts it on some random network x at a hotel. Defend each machine individually with firewall, antivirus, and script blocking. Push patches out same day. Disable unused services on your workstation images.
Monitor your Exchange server, run antivirus and block obvious attachments that could contain viruses. Be careful about restricting pdf, doc, or other files which, while potentially harmful, will necessitate your users going around your protections to get the job done.
Employ access lists in your internal routers to segregate/restrict traffic between workstations and tight firewall security on your perimeters. Once that is done, set up a honeypot or 3 that mimic your production components as an early warning system.
Lastly, monitor your network traffic for trends. Use DPI and stateful firewalls to keep ahead of the ball.
Don't image new freaking machines while the bot-net is going crazy on your network. At least not without putting them behind a NAT. You won't get the first round of patches fast enough, and you'll kick off another round of infections. Might seem like common sense, but some jackasses at an old company just kept on imaging new computers during a huge outbreak. And couldn't figure out why they were getting infected.
....is to prevent all Windows computers from accessing the internet.
There is no perfect answer.... but...
1) Users cannot have administrative privileges. :)
2) You need up to date antivirus and host IDS (I hate SEP, but it works).
3) Critical user data needs to be backed up somewhere safe.
4) User segments should have outgoing traffic restricted, and all traffic should go through proxies unless exceptions must be made. Those proxies must do something to help as well - blacklists, antivirus, depends on your budget.
5) Edge firewall should not allow direct connections from user workstations to the outside unless very specific and required for the task at hand.
6) You need to be able to cleanly and quickly re-deploy infected workstations in a clean environment, with minimal delay - because at some point, you will get hit hard, and this will help ease the pain. This is where imaging and backups come in.
7) Understand that regardless of what you do - things will happen - so see #6 again
1. Apply the Principle Of Least Privilege (http://en.wikipedia.org/wiki/Principle_of_least_privilege). Make sure all users have basic user accounts, not admin rights. Most malware runs in the context of the logged on user, if the user account doesn't have access to modify system files or install services, neither will the malware.
2. Make sure you have working patch management. Install all security updates asap.
3. Have up-to-date antivirus/antimalware software. Yes, number 3. This is less important than the other 2, but still paramount.
Security is not a state nor a technology, it's a process, and you'll never reach 100% protection. The above, however, should be (properly implemented) enough for most organizations. Awareness training, NAC/NAP, IDS/IPS, proxies and application layer firewalls etc are all helpful, but those 3 are IMO the essential ones.
Don't let your Windows boxen have Internet access. If your users just use web and email, give them an HTTP proxy server, an internal email server, and no real Internet gateway.
So tired of the whining from Windows users. Botnets are almost 10 years old now. It's 8 years since Bill Gates promised to eradicate them. Why the fuck are you still running Windows? There is absolutely nothing it does which is unique. A mix of Mac and other Unix gives you malware-free computing. Not by accident, but by design.
I have no sympathy for you.
Good luck firing your CEO for being a computer-illiterate idiot.
If that worked, half of all executives would be out of a job.
I run IT for a small company of around 60 computers and to the best of my knowledge I haven't seen a breach in 2 years since I've taken over. It's NOT that difficult. Here's how you do it:
1. Disable or discourage people from browsing the Internet with IE. Use SeaMonkey, FireFox or some other safer browser.
2. Use at least a simple NAT firewall to the Internet. No computer including the servers should be exposed to the Internet. If need be forward the necessary ports into your servers but no computer should be fully exposed to the Internet.
3. Use a good viral scanner and keep your workstations' Windows updated with patches. You don't need to be right up to date but if you're still using Service Pack 1 for Windows XP that's a BAD sign.
4. Use a spam / viral scanner to protect your mail system.
5. Make sure users do not have ADMINISTRATOR access on any system including their own workstations. Yes, it can be a pain because then you have to install any customized applications but at least they won't install a virus on their own system.
6. Make it clear in the company policy that you're not supposed to visit porn or questionable sites. It's rare that official sites have viruses, and installation of software is an admin-only privilege.
Most modern viruses aren't as clever as the ones I recall from my DOS days. They typically exploit major bugs in IE, expect Administrator access, require a user dumb enough to install it or use ancient bugs in systems Administrators have neglected to patch in years. While nothing is foolproof, after seeing how well things have run for me in years, I suspect you're not up to speed on one or more of these points.
Dump Windows. Switch to Linux.
Make a boot CD / write-locked bootable USB drive that a user can throw into the system. Can't infect sh!@ with read-only properties and no hard drive (can just disable from BIOS). The advantage of the write-lockable USB would be the ease of adding programs or other files at the flick of a switch and then re-securing.
This is the most reliable way to avoid malware problems with Windows.
It certainly won't solve everything. But non-administrators can only bork their own profile; not the whole system.
Not letting users run as admin is the one security step you can take that will have the largest impact on improving computer security in any organization.
Don't let senior management load USB keys, CDs, DVDs or anything else. There are numerous anecdotes around the 'net which indicate that the 'suits' are one of the biggest sources of infection of company systems. I'd agree with Linux also.
I say we take off and nuke the entire [system] from orbit. It's the only way to be sure.
You could have the most shiny brand spankin' new content filtering servers and enterprise class antiviruses, the most strict inbound firewall rules and you could patch your hosts like a fury BUT, if you let a machine go out your perimeter, even for a day, you cannot be sure of what you're welcoming inside your borders.
I think the human factor is still the biggest infection vector. As an IT pro, you usually have to chose between more security or more flexibility. You could have the best technology in the world and still get a network wide infection. The tie breaker is the users' needs. If the users want more "freedom", they will have to take on more personal responsibilities in ensuring the company's security. If the users want more security without the overhead of a security learning curve, more limited options would have to be applied by the network administrator.
Hand your business off to Google Apps, Zoho, Freshbooks, Saleforce.com, and the like. Boot all computers with read-only media and very few applications. Netboot so that you only update the boot image in one place. Bingo. No botnets. OK, maybe not none, but you just power everything off for five minutes and restart with a clean network.
Yeah, I know it's not realistic for many companies. It's an option for some, though.
Put identity in the browser.
Goes to "jimicus". Well done!
Now waiting for an animated GIF . . .
Create a live CD image to boot off of. This probably means Linux, but I'm sure you could probably hack something with XP Embedded if you tried hard enough.
You could do a network boot, but someone could still infect that.
In your CD image, disable all nonsense such as Autorun. When someone needs something installed, install it on a freshly reconstituted image machine and burn a custom CD-R for them. Keep your image machines offline, and under physical security.
For that matter, push all your updates via new CDs, with a simple version numbering scheme.
Save work on network drives. Scan the drives for macro and other forms of viruses.
I hope to God that nobody takes this advice :)
a. Get off Windows if you can. You simply don't see these attacks on other OS platforms. Even with all the below precautions we still catch people getting infected with malware....
(Reality... We are stuck with Windows...)
1. Install advanced firewall and web proxy filtering, block all social networks, non-work email, any Pr0n, or non-work related sites, etc.
2. Block foreign international IP ranges such as China, Korea, India, Russia, the Balkans, etc. that you really don't need.
3. Remove admin privileges from your users on Windows; only IT staff such as developers and deskside techs need it.
4. Install anti-virus protection but don't think that covers you completely.
5. Audit where your users are surfing, start blocking things you didn't think of.
6. Be cautious of laptop users who could get infected while on WiFi when not using VPN, etc.
7. Install a good intelligent Packet Analysis system like NetWitness and review its logs regularly. This is how that Kneber botnet with 74K+ infected systems was discovered.
(Seriously, get the heck off Windows if you can!)
I am not going to argue the "Windows is vulnerable because it's popular" argument. Windows is vulnerable because its security is terrible. Yeah, every system has vulnerabilities but no one has quite so many as Windows! If it wasn't for Windows, we would not have the problems we have with malware and SPAM. i.e. all SPAM comes from infected Windows boxes and about 90% of all email is SPAM!
Got to do online banking for your small business? Do yourself a favor and go burn a Linux Live CD right now! Then use it for online banking. You won't get infected with that... Many millions are getting siphoned from small businesses with online banking because their Windows computer got hacked by a trojan botnet!
If you have to use Windows, then setup a Citrix farm and lock it down super tight.
How does one protect oneself with a helmet and a bullet-resistant vest?
No matter what brand one uses, a criminal can still aim at an unprotected area between helmet and vest. Or use an RPG.
In the same way, it is not possible to protect oneself only with passive technological means. Speaking figuratively, a shield alone is not enough. There should be a sword too.
In this case it should be active law enforcement by government agencies. Botnet operators should be placed in prisons, where they could learn a profession, read fiction books like, say, "Crime and Punishment", but not programming books, and not have access to computers for at least several years.
or in your case, some additional work. Sounds like you guys have already put in a lot of effort.
So, look at the two boxes that are compromised and determine what technical and social aspects failed in your overall policies and runbooks.
Was it a new exploit that you couldn't have blocked? Was someone infected at home, and brought the infection to work? Was it a case of mobile device infecting desktop systems? Etc.
The only 100% system that cannot be infected is one that is completely powered off and cut off from human and non-human contact. So, there will always be some risk with networked devices being actively used.
Realizing that switching OS(s) might not be feasible, other folks' suggestions for state locking desktop computers is a good idea.
Another possibility is to virtualize your desktops with something like VMware's VDI (Virtual Desktop Infrastructure) or Citrix's virtual desktop offerings. You can restrict the activity of the port on the physical machine the user is using. This also has the added benefit of virtual machine snapshots automatically occurring at regular intervals and/or mass upgrade/backup of company data that normally resides on the physical desktop machine.
However, even those solutions can fail. So, it's a calculated risk.
In the end, the fact that you only had 2 machines compromised and it did not spread like wildfire is a good sign that you have good controls in place. Just reassess your controls and make the necessary adjustments to close the loophole or lapse in judgement that occurred.
It's a lot like an ongoing war. No matter how well equipped your army and no matter how numerous your defenses, you will suffer casualties, eventually.
I completely and utterly disagree that you put a dumb stupid user on a PC and it means it gets insta-rooted. I put my clueless girlfriend on her own user account on my hardened Debian Linux box and there's no fscking way that my "per user account" iptables will suddenly allow some rootkit to have her account emit or receive on ports she's not allowed to use. There's also no friggin' way anything shall be run automatically on the next reboot. At worst the malware shall have local privilege and will only be run once she logs into her account.
That's how secure a correctly configured Linux is.
So please, all paid M$ astroturfers, stop the kneejerk reactions: "it's because of the users, they're so dumb". You know what the root cause (pun?) of all these botnets is: Windows has a pathetic security track record. Don't make up for that one by saying it's because of the stupid users.
Paid M$ astroturfers, yes. Botnets only because of stupid users: no way. My SO *is* a "stupid user" and there's no way her stupidness will give the latest script kiddie exploit root access on the box we share. Get real paid M$ astroturfers.
Having an antivirus and a firewall is basic network security. Many worms know how to bypass those protections, turn them off and do their dirty work... To have good security you need:
1-Antivirus
2-Firewall
3-Network traffic log facility (really really important!!!)
4-IDS/IPS
5-Good computer technician with good security knowledge(it's often the weakest link)
6-Network and workstations restrictions (allow only what needed for work, no less, no more)
If any of that fails, well, you are in great danger. Computer worms are nasty; they often steal information about your customers, your user credentials, your network infrastructure... They also tend to infect other computers on the network and USB drives (those things should be banned on your workstations, unless absolutely needed).
As you've found out the anti-virus is useless. Even if you have the current day's latest definitions they won't stop some new variant.
It can take up to 1 week before the anti-virus vendor even gets a definition that can clean the systems.
Anti-virus is just a waste of money and computer performance.
Try ensuring all OS updates, Adobe, and Browser updates are applied very quickly. That'll stop almost all of it right there.
Changing to Linux/OS X/etc won't really help in the long term. There are already cross-platform viruses.
Stop. Running. With. Administrator. Privileges. By. Default.
Have a look at Software Restriction Policies. They can prevent unauthorized executables from being launched through a web browser, or from a USB drive, etc. Software Restriction Policies are not infallible, but they're far more effective than other preventive measures like antivirus software.
At my company, we have avoided becoming a botnet.
100+ systems running XP Pro SP3 and installing updates as they are released.
SOPHOS.
Required use of Firefox for web browsing, with exceptions only for specific sites coded for IE (stupid banks!).
XP's firewall is on for each system.
The occasional system gets spiked, but that is it -- there is no stopping the efforts of the truly insipid. System-wide infections have never happened.
It is about that simple.
Botnets. Worldwide Botnets.
What kind of boxes are on botnets?
Gateway, HP, Dell & Sony, true!
Compaq, Packard Bell, maybe even Asus, too!
Are boxes, found on botnets.
And they all run Windows, Foo!
Where you work, have you been able to disallow the user of a machine having the local administrator password, or an administrator level account?
How were you able to overcome the political battle that this would cause? Did your management support the idea?
Do not allow users to plug mass storage devices into their PCs. This means thumb drives, cameras, MP3 players, whatever.
Also don't allow in any executables over the internet, at least until they've been scanned.
I used to work for a company whose anonymity I'll protect by giving only its initials—HP. It was a few years back, but a couple of viruses (I think it was Code Red and Nimda) took down the entire freaking corporate network for a total of at least two weeks. They'd get it fixed, then it would go down again; it was a big game of whack-a-mole. The principal cause was eventually determined to be laptops. IT had no policy to prevent users from taking their laptops home or traveling and connecting to insecure networks, doing stupid things, and then simply bringing them to work and plugging them into the corporate network. That couldn't possibly be the case in your organization, could it?
When I take my laptop traveling, I image it before I leave home, then when I return I take any files I need off via a thumb drive, and plunk the old image over the disk. That's for my personal laptop.
and have yet to have a rogue progress or get infected by malware/a virus ... and how do you KNOW this? on a real time basis?
If you run a windows box that can get to the internet and don't have AV and a firewall you are foolishly naive.
One thing that is quite effective is Microsoft's built-in software restriction policies, however implementing this on a default block, white-list known good process requires a fair amount of knowledge of what EXACTLY runs on your network as a business application. More info here http://technet.microsoft.com/en-us/library/bb457006.aspx.
Predictably, a lot of Slashdotters have just gone with the knee-jerk "install Linux" response. Over here in the real world, here are some solutions I've done/seen in enterprise environments.
network level
1 - block all outgoing network traffic from the internal network. You can have a proxy server for web access.
2 - The proxy server can also be a content filter (i.e. Bluecoat)
3 - Block all outgoing connections from the DMZ
physical controls
1 - don't allow USB drives. If they're needed, use something like pointsec to only allow company owned USB sticks on, which can then be encrypted and password protected. The result is that only company USB systems can use the company USB drives, and there's a much lower risk of outside data getting on (or off).
2 - don't allow CD/DVD drives. See above.
OS controls
1 - use Software restriction policies. (To be called Applocker in Windows 7). This is essentially whitelisting/blacklisting at the app level. If you say that only a specific group of apps can be run, then no other program will be able to execute.
2 - turn on Data Execution Prevention. (Google if you don't know how - it's simple and can be done through a GPO).
Email
1 - do antivirus scanning on email.
2 - block outside webmail sites people may be using (also check the corporate policies on this while you're at it. What are people doing using Gmail on company time anyway?)
Other
1 - block social networking sites (myspace, facebook, etc.)
A demo or training session would
A live demonstration of infections on a scheduled time in the work week, maybe.
IT staff asks users to check mail - mail looks innocent with "Smileys!", "urgent", "your account is about to expire" messages.
People "click here" and then they get a blue screen saying "f--k you, just infected"
The fear of the BSOD will do the major part of the education :-)
Then make sure that you show them how much time it takes to clean up your "education" malware and then let the guys go back to work.
Make this demo/training a quarterly or half-yearly feature. Showing them the problem visually makes a lasting impact.
I'd hate to work for someone like you. I have more important things to do than run around fighting fires. Like tending to business interests instead of dealing with the technological shortcomings of one specific vendor.
Spoken like a pointy haired manager that is clueless about science in general, and just expects his IT 'tools' to do perfect jobs instantly and with zero expense.
I use OpenDNS to block this stuff, as an added layer. I saw all the other recommendations, but noticed DNS style lists were not listed.
http://www.opendns.com/
Then you should stop being a coder. Anyway, if you are running Windows you can't be a contributor. Windows and coding
So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?
Go read what a firewall does. The real name is packet filter.
As far as AVS goes, it's reactive and can never catch up. The very principles on which the AVS is designed means it will always be 2 or more steps behind. Go read about the propagation of Windows malware, especially the rate of spread. Then go look at how 'fast' the AVS companies roll out a new update. Then go look how many weeks or months it takes M$ to patch -- usually they don't patch, but instead tie the patch to an upgrade, bundling in new bugs or licensing or other changes.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Linux is harder to hack. Not impossible to do so especially with closed source add ons.
Only deploy thin clients or thin client software to users. With some thin clients, you can even forward USB drive mounts to the VM. Partition your VMs into isolated groups, some with internet connections, others completely locked down. Just assume that any VM open to the net or that any user has used for web browsing, etc., is compromised. Take them offline for a full scan and reimage per login, or at least daily.
The Google analysis was based on 2 orders of magnitude more pages than the Bing one. The number of pages that pushed malware from Google were under 100. A comparison of page counts thus means that if the Bing analysis were bigger, it might well serve malware at the same rate.
Of course, with google, you're already operating at 6e-5 or so (10/150996) for your odds of coming up with malware. 42/112649 for Yahoo. 9/22948 for EBay. 0/1 (!) for wikipedia. 0/128654 for Youtube.
Really? NO malware on youtube? Interesting.
-Block IRC & P2P.
-Block Port 80 requests to anything that isn't a server.
-No local Admin rights.
-Keep your devices patched.
Yes, such software exists (e.g. unionmount, squashfs & ramfs), but what if you managed to install malware on your network share? You'd have to mount all executable shares read-only, and the rest noexec. But then only admins can add any sort of software to the system (good or mal) and they can get infected too and normally have more privileges. Overall security might increase, though.
But more importantly, that would break one of the holy laws of Unix: Unix does not prevent people from doing stupid things as that would also prevent them from doing clever things. But if users are never going to tweak their system, mutate their software or hack around, it's possible. Otherwise there's no way to stay clean for long.
Doing this on Windows sounds funny though. Office documents, images and all documents containing any sort of ActiveY would have to be readonly and normal users forbidden from browsing the interwebs, reading email, using removable media and creating new folders. Good luck with that.
P.S. My school really does forbid installation of drivers for USB-flashsticks we were told to buy on computers students have access to. So one can forbid something like that... enforcing that is another matter, though, on system which gives one root-access when booting in single user mode.
See subject line, and then see the SECUNIA.COM &/or SECURITYFOCUS.COM websites. They'll tell you how many of these exploits get set upon users via the usage of JavaScript (something along the lines of 95% or better). Use JavaScript ONLY on websites you absolutely need it on, and trust. Otherwise, turn it off (browsers like Opera let you do that, by site, natively built into it. Firefox lets you do so via addons like NoScript. IE will let you, but it will nag the living hell out of you if you turn off scripting (one of the things I'd like to see change in IE is this alone)).
> They are taken off the grid as we speak.
Well, there's your trouble. Taking those computers off the grid and powering them by your own electrical source (diesel generator, solar, wind, etc.) isn't going to help.
Tell your IT department to take them off the Internet.
Is she available for a date?
1. No client talks to any other client directly: managed routers.
2. Servers run A/V.
3. IDS, e.g. snort (free)
4. Firewall departments as well as outside world
5. Patch users' machines regularly for the major exploit targets: IE, Firefox, Adobe Acrobat, Flash
6. A $299 netbook, in a safe, that is the only machine used to admin salesforce and other online services.
There are two ways that your organization can be infected before you can react to it:
1. A local network worm, i.e. a TCP/UDP connection from one client to another.
2. An email worm, i.e. Outlook.
Either of these can and will bypass *any* security solution implemented on the client.
Most attacks are neither: they are attacks intended to compromise a single machine. 80% of these are things like Adobe PDF exploits.
Stopping a local network worm is simple: Clients do not talk to each other. All it takes is a managed router. Clients talk to servers. Specifically their own servers.
Stopping an Outlook worm is more complex, unless you want to piss people off. It's pretty easy to strip everything but plain text out of email. But there are other methods. First, email spamming the whole company gets quarantined, and the user told (automatically) that mail doesn't work like that. Second, any email to a distribution list is refused if it has an attachment. Use an in-house equivalent of sendthisfile.com, or SharePoint (!), or something like that. That may take some getting used to, so an alternative may be that such email is distributed slowly, e.g. after 30 seconds. Or the user has to confirm it with a second email. There are good reasons not to have users passing around documents in email but instead to have some kind of centralized document management system. There are also good reasons to allow them to. So you are going to have to use your judgment on this. Any solution that *you* write is going to be immune to automated worms (unless someone with inside knowledge targets you deliberately).
Why NAC/NAP/SEM is a waste of money:
1. The chance of anyone being infected in an organization is fairly small.
2. The chance of the whole organization being infected if just one is infected: very high.
3. When running things like NAC/NAP/SEM, users' machines get pretty slow.
4. NAC/NAP/SEM simply don't offer complete protection against attacks.
5. Running NAC/NAP/SEM etc. reduces users' productivity when there are no attacks.
6. NAC/NAP/SEM cost a lot of money.
You should read this: End Users Buck Security Advice For Economic Reasons
Herley uses an example of an exploit that affects 1 percent of users per year and takes 10 hours of clean-up time per user. So implementing any security advice, he argues, should incur only 0.98 seconds per user per day to actually reduce the time involved. But it eats up much more time than that, which demonstrates that security advice provides a poor cost-benefit trade-off to users, he argues.
All that other bullshit adds huge costs to your company, and doesn't stop bots. I worked at a company that used SEM or something like it. We got a worm. Still had to bring routers down. Still lost days of network while it was cleaned up. Here's the *big* question: if it works, why is it not guaranteed? If you pay for something like this, and you get a worm, Symantec should come to your building and clean up all your computers for free. Why don't they offer that? Because they would go bankrupt in a month.
Increasingly, small businesses use things like Salesforce and online services. Online attacks are going to be aimed at stealing users' passwords. So the most important thing is getting it into the boss's head that his day-to-day account should not be the one that has full control, i.e. add/delete users, etc. But most successful businessmen are rational, and when you explain that there are viruses that do nothing other than steal Salesforce passwords as you type them, then he/she will get it. Try to persuade him/her to have one machine that is for admin only. It can be a $299 netbook. Tell him to keep it in his safe at home.
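The mail-flow controls described in the comment above (quarantine mail that sprays the whole company and auto-reply to the sender; refuse attachments addressed to a distribution list, or optionally hold them for a delay instead), written out as an added example in Python's standard `email` library. This is not the commenter's code nor any mail server's built-in feature; the list addresses, the recipient threshold and the sample messages are constructed for the example, and a real deployment would run the `decide` function from a milter or content-filter hook.

```python
"""Mail policy for worm containment: mass-mail quarantine and list attachment rules."""
from __future__ import annotations

from email import message_from_string
from email.message import EmailMessage, Message
from email.policy import default as default_policy
from email.utils import getaddresses

# Assumed configuration for the example.
DIST_LISTS = {"all@example.com", "sales@example.com"}   # constructed list addresses
MASS_MAIL_THRESHOLD = 20                                 # recipients before quarantine
LIST_ATTACHMENT_MODE = "refuse"                          # "refuse" or "delay"
DELAY_SECONDS = 30                                       # hold time when mode == "delay"


def recipients(msg: Message) -> list[str]:
    """All To/Cc addresses, lower-cased, as the worm would expand them."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is marked Content-Disposition: attachment."""
    return any(part.get_content_disposition() == "attachment" for part in msg.walk())


def decide(msg: Message) -> tuple[str, str]:
    """Return (action, note) where action is deliver | quarantine | refuse | delay."""
    rcpts = recipients(msg)
    if len(rcpts) > MASS_MAIL_THRESHOLD:
        # First rule: company-wide sprays are quarantined and the sender is told why.
        return "quarantine", f"{len(rcpts)} recipients; mail doesn't work like that"
    if has_attachment(msg) and any(r in DIST_LISTS for r in rcpts):
        # Second rule: attachments to a list are refused, or held if the site prefers.
        if LIST_ATTACHMENT_MODE == "delay":
            return "delay", f"attachment to a distribution list; held {DELAY_SECONDS}s"
        return "refuse", "attachment to a distribution list; use the document share"
    return "deliver", "ok"


def decide_raw(raw: str) -> tuple[str, str]:
    """Apply the policy to a message in wire format (as a filter hook would see it)."""
    return decide(message_from_string(raw, policy=default_policy))


def auto_reply(msg: Message, action: str, note: str) -> str:
    """Text of the automatic notice sent back to the sender (assumed wording)."""
    return (f"To: {msg['From']}\nSubject: Re: {msg['Subject']}\n\n"
            f"Your message was not delivered ({action}): {note}.\n")


def make_message(to: list[str], attach: bool) -> EmailMessage:
    """Build a constructed test message, optionally with a binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = ", ".join(to)
    msg["Subject"] = "constructed test message"
    msg.set_content("hello")
    if attach:
        msg.add_attachment(b"\x00constructed-bytes", maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    return msg


if __name__ == "__main__":
    samples = {
        "one recipient, no attachment": make_message(["bob@example.com"], False),
        "attachment to a list": make_message(["all@example.com"], True),
        "25 recipients": make_message([f"u{i}@example.com" for i in range(25)], False),
    }
    for label, m in samples.items():
        action, note = decide(m)
        print(f"{label:30} -> {action} ({note})")
        if action != "deliver":
            print(auto_reply(m, action, note))
```

Note that the recipient count and the attachment check are the only properties the policy inspects, which is why the comment says a home-grown rule like this is immune to automated worms: the worm cannot know the site's threshold or list names, and neither rule depends on a signature for the payload.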
If you can't trust or train your users, then use thin client machines. When the OS is in ROM it's hard for a virus to do anything; then all you have to do is secure the servers adequately and you're golden.
Hmm, I don't agree that a virus infection should lead to a head-roll. But to each their own opinion.
Anyway, would you like to leave a few notes in the next story, "Malware Delivered By Yahoo, Fox, Google Ads"? I don't care about the TFA. What's interesting is the individual anecdotes written by Slashdot writers.
I run a Linux desktop and I DARE you to try and crack it! I'll even give you my IP address:
127.0.0.1
(And yes, those are your files, because I have ALREADY cracked your box!! Luser!)
Enforce a scan of all hard drives and USB sticks that walk in at the front desk.
You are at first glance doing the right thing. You are monitoring SMTP traffic and blocking it. (right?) No SMTP traffic to strange servers on strange ports. But, I also ask which antivirus you are running, which antispyware and which firewall. I recommend Microsoft Security Essentials for users that won't pay, but corporations should be using something other than Norton -- a corporate edition with update servers at the antivirus vendor.
I recommend Trend Micro, although I've never used its corporate edition; the consumer edition is excellent, although it causes some conflicts on one Dell laptop I saw, and with iDisk (WebDAV drives). McAfee seems to have a good "detection rate", and can remove most with a scan.
For antispyware, McAfee or Trend Micro will try to help, but I recommend SUPERAntiSpyware. Pay the licensing fees. Also, if you can figure out how to configure strict firewall rules to only allow the web browser and e-mail client, that will go a long way.
--Sam