Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To Avoid a Botnet Infection?

Posted by CmdrTaco on from the yeah-good-luck-with-that dept.

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reasons we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

7 of 396 comments (clear)

  1. XP by Anonymous Coward · · Score: 5, Interesting

    Let me guess, all the computers are using xp. I work at a computer repair depot and i see alot of this on XP computers and rarely on vista/Windows 7 with uac turned on *sure its a pain but once everything is installed the user should never even see uac pop up. But i would guess if anything the computers are out of date for their OS patchs

  2. In an ideal world... by fuzzyfuzzyfungus · · Score: 5, Interesting

    You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.

    That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help(useful tip, with some poking around, you can find a utility from adobe, an .exe that, when run, removes all versions of flash, they hide it; but it lurks in the bowels of their site somewhere. You can also find .msi flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility, and the .msi for the latest flash player. Every time adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the flash remover, and then msiexecs the newest flash MSI. It's a pain in the ass; but it will save you from some flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.

    Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.

  3. Re:Yeah... by gandhi_2 · · Score: 4, Interesting

    No. That's not sufficient.

    Disallowing USB drives helped the military cut down on infections, though.

    How about: users run restricted. Using GPO's: mandatory win updates daily with reboot. Automate patching of commonly-used helpers like flash, shockwave, adobereader, firefox, java. And MS security essentials.

    Some rigorous port filters on EVERY machine and iptables rules on routers and l3 switches...a whitelist approach.

    --
    THL phish sticks
  4. Re:Yeah... by ByOhTek · · Score: 5, Interesting

    Yes, that's the general answer. Probably not the correct one.

    *NOTHING* short of educating a user, or massively restricting their privileges on a computer can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of sysinternals software (regmon/diskmon) to figure out where to allow nonprived users to write so that poorly written windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.

    Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).

    I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.

    That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened, whoever did the cracking just got a firewall bypass.

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
  5. Simple by rindeee · · Score: 4, Interesting

    I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must do's": 1. Block social networking sites. Need convincing? Here. http://google.com/safebrowsing/diagnostic?site=facebook.com/ or http://google.com/safebrowsing/diagnostic?site=myspace.com/ or http://google.com/safebrowsing/diagnostic?site=twitter.com/ 2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (Trusted Source type technology) 3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential. 4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs. 5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks. This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux based solution with entirely open source tools large enough to cover thousands of concurent users.

  6. Re:What gets around Firewalls and AVS? by jimicus · · Score: 4, Interesting

    So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?

    No they're not. Trojans are becoming much more adept at avoiding antivirus (mainly because most antivirus is essentially a glorified "grep for this sequence of bytes", which doesn't work very well with polymorphic infectors) and much better at remaining hidden once installed.

    A few years ago it was fairly obvious because an infected computer had all the speed and grace of a slug break-dancing in black treacle and most AV vendors' websites magically stopped working (though actually your browser was being screwed around with) - today that doesn't happen so much.

    Short of the major AV vendors drastically upping their game in very short order (difficult - heuristics scanning is the obvious thing to look at but it's tantamount to the halting problem), I can't really see this situation improving much.

  7. Re:No by kainewynd2 · · Score: 5, Interesting

    You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

    I love Deep Freeze, Centurion Guard, Drive Shield, etc... but it's not fool proof.

    At one of my former employers, we had something like 700 Windows PCs out in various labs and all equipped with Drive Shield. If one of them got infected, reboot and all was well... right?

    Well, kind of. Since we were not allowed to automatically reboot these machines (24/7 labs), some of these stayed up for weeks, which opened them up to all sorts of fun stuff. In short, I spent about 200-300 man hours manually rebooting machines, convincing the administration to change the policies on automatic reboots, and working with the guy in charge of our PC lab image to implement security features to protect against this sort of thing in the future (automatic A/V update on boot, for example).

    Comparably, it took me about 40 hours to build a Terminal Server and another 60 to build and install Thin Clients to replace a bunch of those machines...

    --
    I just don't get... eh, ugh... never mind. This post wasn't worth the research I put into it.