Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Avoid a Botnet Infection?

Posted by CmdrTaco on from the yeah-good-luck-with-that dept.

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reasons we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

10 of 396 comments (clear)

  1. Yeah... by Pojut · · Score: 5, Insightful

    ...I'm going to go ahead and guess the general answer most people around here are going to give.

    Linux or OSX.

    AmIright?

    --
    Living With a Nerd
    1. Re:Yeah... by beh · · Score: 5, Insightful

      Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a linux machine... Even though it *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing linux would have been secure enough.

      But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
      Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)

      I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...

    2. Re:Yeah... by jimicus · · Score: 4, Insightful

      We've been hoping for competent users (and trying to educate people into competence) for decades. Hasn't happened yet - probably because the usual result of your computer getting a virus which wasn't automatically blocked is you have a legitimate excuse to do no work until such time as someone can clean up the mess.

    3. Re:Yeah... by Lorien_the_first_one · · Score: 4, Insightful

      Amiga.

      --
      The diversity and expression of human opinion is essential to human survival.
    4. Re:Yeah... by fuzzyfuzzyfungus · · Score: 5, Insightful

      I don't buy the "competent users" argument.

      It is definitely the case that incompetence users can cause system compromises. "Ooh, free smilies!"(though, IT should ideally have blocked most of their most common avenues of idiocy.

      However, in a world where you can get compromised just by going to a perfectly legitimate website that happens to be running a flash ad with an embedded zero-day of some flavor, the idea that "competence" is going to save you is an unpleasant mixture of naiveté and adherence to the just-world hypothesis.

      Competence doesn't hurt, and is always a desirable quality; but it is a near-worthless foundation for a security system. First and foremost, there are many attacks from which competence will not save you. Second, and also pretty important, is that any organization of reasonable size is going to contain people hired for their competence in something other than computer security. The pool of people competent in skill X and computer security is always smaller than the pool of people competent in skill X. Even if the former pool is large enough to fulfil your needs, recruiting from it will cost more than recruiting from the entire skill X pool. Competent users are a nice perk, when they happen; but depending on them is folly.

    5. Re:Yeah... by TheCarp · · Score: 4, Insightful

      An old boss of mine used to call it the "Soft creamy center security model".

      He was also the one who had us implementing packet filtering on each and every individual box. It was some work, but it was worth it.

      Compartmentalization is good, if you are smart about it.

      Another good analogy is "Defense in depth". Should you have a firewall? Yes. You should also patch regularly, sniff packets with an IDS, packet filter on every machine, run tripwire (or equivalent), have antivirus (on platforms that require it :cough: windows :cough:), seperate users segments from server segments, seperate out a DMZ for services, have a password policy, educate users.

      No one of those things is going to protect you fully. All of them together, has a good chance of making you a far less appealing target with a very unsatisfying and sour center, rather than soft and chewy goodness.

      -Steve

      --
      "I opened my eyes, and everything went dark again"
  2. No by Anonymous Coward · · Score: 5, Insightful

    Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.

  3. block some email attachments and facebook by alen · · Score: 4, Insightful

    where i work we've been blocking a long list of email attachments like exe's and others. few years ago we also started blocking facebook.

      i set it up years ago and don't remember myself. we're all windows and have never been zombified. you can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over facebook and twitter

  4. Is it really necessary to ask? by magamiako1 · · Score: 5, Insightful

    It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.

    #1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

    #2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. if you're on XP, your best solution is likely something from say Symantec, Mcafee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.

    #3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

    #4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

    These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?

  5. The new meme "Terry Childs approach" by way2trivial · · Score: 5, Insightful

    the only way to secure the system- is don't let anyone into the system

    --
    every day http://en.wikipedia.org/wiki/Special:Random