How To Avoid a Botnet Infection?
Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest blocking port 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
...I'm going to go ahead and guess the general answer most people around here are going to give.
Linux or OSX.
AmIright?
Living With a Nerd
Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.
You'll probably find that most of your problems will go away if you get rid of your users :)
Do you have any better hostages?
I'm a coder not IT so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers but it is quite possible I've missed active bots with such simple protections.
So my question is: Are firewalls and anti-virus really not that effective, and if so, how do bots get around them?
Run a program that only allows whitelisted applications, and block all removable media. It's the only way you can be absolutely certain there is nothing running on your network that shouldn't be there. http://en.wikipedia.org/wiki/Whitelist#Application_whitelists
Teach all the workers about security. Disable autorun on all machines. Don't let them run as admins. Use NoScript and Adblock and Foxit (or similar). Update Windows and AV regularly...
Where I work we've been blocking a long list of email attachments like .exes and others. A few years ago we also started blocking Facebook.
I set it up years ago and don't remember myself. We're all Windows and have never been zombified. You can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over Facebook and Twitter.
Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess, if anything, the computers are out of date for their OS patches.
You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.
That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash. They hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash player. Every time Adobe updates, download the newer .msi and run a script on all your administered PCs that runs the Flash remover and then msiexecs the newest Flash MSI. It's a pain in the ass, but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.
Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.
It really depends on the size of the company and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be better received than others.
#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.
#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto-spreading.
#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.
#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.
These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
A few suggestions from my experience as a technician:
I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must-dos":
1. Block social networking sites. Need convincing? Here. http://google.com/safebrowsing/diagnostic?site=facebook.com/ or http://google.com/safebrowsing/diagnostic?site=myspace.com/ or http://google.com/safebrowsing/diagnostic?site=twitter.com/
2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (TrustedSource type technology).
3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential.
4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs.
5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks.
This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux-based solution with entirely open source tools large enough to cover thousands of concurrent users.
The only way to secure the system is to not let anyone into the system.
every day http://en.wikipedia.org/wiki/Special:Random
If you have a Cisco ASA 5510 or higher you can purchase the botnet filter for roughly $320 a year. Then enable the filter on your internal interface to block any outbound traffic going to the known botnet IP ranges. I would also recommend blocking unnecessary outbound ports and limiting necessary ports to specific machines (e.g. port 25 outbound from the mail server only). I would also look at setting up a proxy server such as Squid. I would do MIME filtering on untrusted web traffic and perhaps use DansGuardian for prebuilt whitelisting/blacklisting. At my workplace I am fortunate enough to be allowed to do a default deny on the entire internet, only white-listing work-related sites (of course, I work at a bank). Antivirus should be considered a secondary defense in this day and age. You really need to look at getting an IPS device for your network and then perhaps an aggregated log server if you haven't already. These last two recommendations will cost some money. So short term I would focus on outbound firewall filtering and a proxy server.
This is more of a question than anything, as I find this to be a fascinating topic, but have little experience in managing corporate networks.
At what point does it make sense to have your users run everything they do on a virtual machine which, if anything gets compromised, can just be rolled back without too much fuss?
Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?
Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.
I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much; they seem fairly practical yet transparent to the users. (Wish I had mod points for you guys, but not today!)
But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?
Sorry for sounding naive, but this is not my area of expertise...
Your users will be really pissed off but the infection rate will be way down.
Windows isn't going away, Linux and OSX aren't the cure-alls either.
I've seen lots of things tried, locking down the desktop even to the point that ActiveX controls couldn't be installed by an end-user. Still, with any XP or Windows 2000 system we had, if you hooked it to the net without some AV or patching applied, within 30 minutes you'd have some virus or malware on it. That was on the company Intranet.
I think what needs to happen is that network management tools need to start modeling traffic behavior and start watching for abnormal patterns and requests. Likewise, the Internet is wide open, but there are only certain destinations that you really need to go to when at work. IPS goes so far, but really you need to start identifying traffic patterns and abnormalities in those patterns. Not just for this kind of exploit but for changes in system behavior as well.
Yes, port 80 blocks aren't effective, but where is the traffic going? If it's going to Romania or some other place, why is it going there? If your users go to Google, Slashdot and other well known sites, why all of a sudden are they going to ISPs that are known to host botnet controllers?
I think admins and the industry have put too much emphasis on just fixing the OS, and as Windows holes get filled, there will still be millions of XP systems out there to exploit. A lot of this will start to move to the OSX/Linux community as well; it's just a matter of time because those markets will become victims of their own success. Hackers like a challenge and, trust me, they'll figure out a way to infect OSX, and then the malware companies will start rolling out more products to "protect" those systems as well.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
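One way to implement the two checks these posts describe (the Cisco ASA post's "port 25 outbound from the mail server only" rule, and the traffic-pattern post's question of why a host suddenly starts talking to destinations it never used before), as an added example that is not from any poster in the thread; the log format, the addresses and the mail-relay host are constructed for illustration:

```python
from collections import defaultdict

# Constructed sample firewall log, one connection per line: "timestamp src dst dport".
# These are documentation addresses, not real traffic.
BASELINE_LOG = """\
2010-05-01T09:00:01 10.0.0.21 203.0.113.10 443
2010-05-01T09:00:05 10.0.0.22 203.0.113.10 443
2010-05-01T09:01:00 10.0.0.5 198.51.100.25 25
"""
TODAY_LOG = """\
2010-05-02T09:00:02 10.0.0.21 203.0.113.10 443
2010-05-02T09:00:09 10.0.0.22 192.0.2.77 80
2010-05-02T09:00:39 10.0.0.22 192.0.2.77 80
2010-05-02T09:01:09 10.0.0.22 192.0.2.77 80
2010-05-02T09:01:40 10.0.0.22 192.0.2.77 80
2010-05-02T09:02:00 10.0.0.23 198.51.100.9 25
2010-05-02T09:03:00 10.0.0.5 198.51.100.25 25
"""

MAIL_RELAY = "10.0.0.5"  # hypothetical: the only host allowed to send on TCP/25

def parse(log):
    """Return (src, dst, dport) tuples from the constructed log format."""
    events = []
    for line in log.splitlines():
        if line.strip():
            _ts, src, dst, dport = line.split()
            events.append((src, dst, int(dport)))
    return events

def smtp_violations(events):
    """Hosts other than the mail relay making outbound TCP/25 connections
    (a workstation doing this is a classic spam-bot symptom)."""
    return sorted({src for src, _dst, dport in events if dport == 25 and src != MAIL_RELAY})

def baseline_destinations(events):
    """Per-source set of destinations seen during the learning period ('normal')."""
    seen = defaultdict(set)
    for src, dst, _dport in events:
        seen[src].add(dst)
    return seen

def new_repeated_destinations(baseline, events, min_hits=3):
    """(src, dst) pairs absent from the baseline and contacted at least min_hits
    times; repetition separates a one-off visit from steady call-home traffic."""
    hits = defaultdict(int)
    for src, dst, _dport in events:
        if dst not in baseline.get(src, set()):
            hits[(src, dst)] += 1
    return sorted(pair for pair, n in hits.items() if n >= min_hits)

if __name__ == "__main__":
    base = baseline_destinations(parse(BASELINE_LOG))
    today = parse(TODAY_LOG)
    print("SMTP from non-relay hosts:", smtp_violations(today))
    print("New, repeated destinations:", new_repeated_destinations(base, today))
```

In a real deployment the baseline would be built from weeks of proxy or firewall logs rather than one day, and the flagged pairs would be a review queue, not an automatic block list.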
I say we take off and nuke the entire [system] from orbit. It's the only way to be sure.
If you reply, do so only to what I explicitly wrote. If I didn't write it, don't assume or infer it.