Slashdot Mirror


How To Avoid a Botnet Infection?

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest blocking port 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

7 of 396 comments

  1. Re:What gets around Firewalls and AVS? by MasterOfMagic · · Score: 3, Informative

    Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it, or because your virus definition files are out of date because your 30-day trial has expired, or you're not connected to the Internet, or the software fails to automatically update, or your anti-virus software has been compromised or switched off), your anti-virus software has a very slim chance of picking up something malicious.

    That is why an anti-virus package wouldn't stop threats newer than its definition files.

  2. Suggestions by Z34107 · · Score: 4, Informative

    A few suggestions from my experience as a technician:

    • Keep vulnerable programs off of your base image. We saw infections go down dramatically after removing Java and replacing Adobe Acrobat Reader with something else.
    • Uninstall Internet Explorer if you can. Unless you're running Windows 7, the easiest way to "uninstall" it is to change the permissions on iexplore.exe to Deny for the Everyone account.
    • Lock down computers as much as you can with Group Policy, especially if you have a Windows Server infrastructure.
    • If you can, deploy Windows Steady State if you're using XP or purchase Faronics DeepFreeze. They're both ways of preventing permanent changes to your base image (installation of programs, modification of files) by users. If a Frozen machine gets infected, reboot it.
    • Don't license McAfee. It's worthless.
    --
    DATABASE WOW WOW

  3. Re:Yeah... by ZeroPly · · Score: 5, Informative

    The military has reversed its policy on USB drives, because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security, unless you're lazy and don't care much about whether your users actually work.

    IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.

    There is no quick answer to this. You can't ask "how do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.

    --
    Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.

  4. Block outbound SMTP by pushf+popf · · Score: 4, Informative

    • Block all outbound (to the internet) connections to any ports except 443 and 80 from any machines that don't have a legitimate business need. (This won't help you much but will save the rest of us when you do get hit.)
    • Block all incoming email that isn't plain text.
    • Require authentication on your outbound mail server.
    • Install a filtering web proxy and block everything except plain HTML and images. (This actually isn't foolproof, since there are actually some image rendering vulnerabilities.)

    Your users will be really pissed off but the infection rate will be way down.
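The egress policy pushf+popf describes, written as a Windows Firewall configuration. This is an added example, not the poster's own setup: it assumes Windows 8/Server 2012 or later for the NetSecurity cmdlets (a 2009-era shop would have typed the equivalent into netsh), that it is applied by GPO only to the workstation OU and not to servers with a legitimate need, and the internal DNS and mail relay addresses are constructed placeholders.

```powershell
# Added example (not from the thread): default-deny outbound, then re-allow
# only web, internal DNS and mail to the authenticated relay.
# Placeholder addresses; substitute your own resolvers and outbound relay.
$InternalDns  = @('10.0.0.53')   # constructed placeholder
$InternalMail = '10.0.0.25'      # constructed placeholder: the outbound SMTP relay
$Profiles     = 'Domain', 'Private', 'Public'

# 1. Flip the default for outbound traffic from Allow to Block on every profile.
Set-NetFirewallProfile -Profile $Profiles -DefaultOutboundAction Block

# 2. Re-allow the few things users actually need.
#    Web: TCP 80/443 to anywhere (the post's "except 443 and 80").
New-NetFirewallRule -DisplayName 'Egress: HTTP/HTTPS' -Direction Outbound `
    -Protocol TCP -RemotePort 80, 443 -Action Allow -Profile Any
#    DNS: only to the internal resolvers, so a bot cannot use a rogue resolver
#    or tunnel over port 53 to an arbitrary host.
New-NetFirewallRule -DisplayName 'Egress: internal DNS' -Direction Outbound `
    -Protocol UDP -RemotePort 53 -RemoteAddress $InternalDns -Action Allow
#    Mail: SMTP only to the relay that requires authentication; a spambot on a
#    workstation can no longer talk to port 25 on the Internet directly.
New-NetFirewallRule -DisplayName 'Egress: SMTP to relay only' -Direction Outbound `
    -Protocol TCP -RemotePort 25, 587 -RemoteAddress $InternalMail -Action Allow

# 3. Log what the default block drops; an infected host shows up as a stream
#    of DROP lines to odd ports in pfirewall.log long before AV notices.
Set-NetFirewallProfile -Profile $Profiles -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Check the result.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultOutboundAction, LogBlocked
```

Anything not covered by an explicit rule (IRC, raw connections to botnet C2 ports, direct SMTP) is dropped and logged, which is what makes this useful for detection as well as containment.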
  5. Re:No by 0100010001010011 · · Score: 4, Informative

    So make it a persistent state. Every computer lab on campus had a 'deep freeze' piece of software installed.

    You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

    I'm sure such software works for Linux (if not just get a Live CD/LiveUSB).

    Disable executable access for anything running on a shared drive and there shouldn't be any way for them to permanently do any damage.

    No matter how they screw a computer up, a reboot will fix it.

  6. Re:In an ideal world... by jscott · · Score: 5, Informative

    In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP whitelisting. These two changes alone greatly reduced not only issues with crap-ware infections, but greatly reduced technician support time requirements.

    The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.

    I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.

    --
    signal, noise, to me it's all the same.

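A minimal version of the SRP default-deny whitelist jscott recommends, as an added example rather than his district's policy. It writes the local policy registry keys that a Software Restriction Policies GPO populates, assumes an XP/Windows 7-era machine and an elevated PowerShell, and should be tried on a lab box first; the path carve-outs chosen are illustrative.

```powershell
# Added example (not jscott's policy): default-deny SRP with path whitelisting.
# These are the local-policy keys; a domain GPO writes the same values.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0x0       # SRP security level: may not run
$Unrestricted = 0x40000   # SRP security level: runs with the user's rights

New-Item -Path $Base -Force | Out-Null
# Default rule: anything not matched by an explicit path rule is Disallowed.
Set-ItemProperty -Path $Base -Name DefaultLevel        -Value $Disallowed -Type DWord
# 1 = check executables but skip DLLs (cheaper); 2 = check all software files.
Set-ItemProperty -Path $Base -Name TransparentEnabled  -Value 1 -Type DWord
# 0 = enforce for everyone, local admins included (the post's "even I run limited").
Set-ItemProperty -Path $Base -Name PolicyScope         -Value 0 -Type DWord
Set-ItemProperty -Path $Base -Name AuthenticodeEnabled -Value 0 -Type DWord
# Designated file types SRP treats as code: the default list plus script types.
Set-ItemProperty -Path $Base -Name ExecutableTypes -Type MultiString -Value @(
    'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF',
    'INS','ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG',
    'SCR','SHS','URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH','PS1')

function Add-SrpPathRule {
    param([string]$Path, [int]$Level)
    # Each path rule is a GUID-named key under <level>\Paths; ItemData is
    # REG_EXPAND_SZ so %SystemRoot% and friends expand at check time.
    $Key = Join-Path $Base ('{0}\Paths\{1}' -f $Level, [guid]::NewGuid().ToString('B'))
    New-Item -Path $Key -Force | Out-Null
    Set-ItemProperty -Path $Key -Name ItemData   -Value $Path -Type ExpandString
    Set-ItemProperty -Path $Key -Name SaferFlags -Value 0     -Type DWord
}

# Allow the trees a limited user cannot write to ...
Add-SrpPathRule '%SystemRoot%'   $Unrestricted
Add-SrpPathRule '%ProgramFiles%' $Unrestricted
# ... but the most specific matching rule wins, so deny the user-writable
# corners inside %SystemRoot% that drop-and-run malware favours.
Add-SrpPathRule '%SystemRoot%\Temp'  $Disallowed
Add-SrpPathRule '%SystemRoot%\Tasks' $Disallowed
# User profiles, removable media and network shares fall under DefaultLevel (deny).

# Confirm the policy took. A limited user launching an .exe from %TEMP% should
# now see "This program is blocked by group policy" and an event from source
# "Software Restriction Policies" in the Application log.
Get-ItemProperty -Path $Base | Select-Object DefaultLevel, TransparentEnabled, PolicyScope
```

Path-based whitelisting is only as strong as the write permissions on the allowed paths, so audit any allowed tree for user-writable subfolders before enforcing, and expect to add rules for line-of-business software that installs under the user profile.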
  7. Re:Yeah... by TheRaven64 · · Score: 3, Informative

    Ah, VMS, the only OS to be banned from Defcon for being too secure. They had to invent a 'must run on x86' rule to keep it out.

    --
    I am TheRaven on Soylent News