Slashdot Mirror


How To Avoid a Botnet Infection?

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They have been taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-virus programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest blocking port 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

13 of 396 comments

  1. Yeah... by Pojut · · Score: 5, Insightful

    ...I'm going to go ahead and guess the general answer most people around here are going to give.

    Linux or OSX.

    AmIright?

    1. Re:Yeah... by beh · · Score: 5, Insightful

      Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a Linux machine... It *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing Linux would have been secure enough.

      But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
      Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)

      I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...

    2. Re:Yeah... by ByOhTek · · Score: 5, Interesting

      Yes, that's the general answer. Probably not the correct one.

      *NOTHING* short of educating a user, or massively restricting their privileges on a computer, can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of Sysinternals software (regmon/diskmon) to figure out where to allow non-privileged users to write so that poorly written Windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.

      Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).

      I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.

      That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened, whoever did the cracking just got a firewall bypass.

      --
      Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).
    3. Re:Yeah... by fuzzyfuzzyfungus · · Score: 5, Insightful

      I don't buy the "competent users" argument.

      It is definitely the case that incompetent users can cause system compromises. "Ooh, free smilies!" (though IT should ideally have blocked most of their most common avenues of idiocy.)

      However, in a world where you can get compromised just by going to a perfectly legitimate website that happens to be running a flash ad with an embedded zero-day of some flavor, the idea that "competence" is going to save you is an unpleasant mixture of naiveté and adherence to the just-world hypothesis.

      Competence doesn't hurt, and is always a desirable quality; but it is a near-worthless foundation for a security system. First and foremost, there are many attacks from which competence will not save you. Second, and also pretty important, is that any organization of reasonable size is going to contain people hired for their competence in something other than computer security. The pool of people competent in skill X and computer security is always smaller than the pool of people competent in skill X. Even if the former pool is large enough to fulfil your needs, recruiting from it will cost more than recruiting from the entire skill X pool. Competent users are a nice perk, when they happen; but depending on them is folly.

    4. Re:Yeah... by ZeroPly · · Score: 5, Informative

      The military has reversed its policy on USB drives - because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security - unless you're lazy and don't care much about your users' actual work.

      IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.

      There is no quick answer to this. You can't ask "how do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.

      --
      Support microSD: in a post 9/11 world, it is unwise to carry your data on media that you cannot comfortably swallow.
    5. Re:Yeah... by Binestar · · Score: 5, Funny

      That's easy, #0: Expect competent programmers.

      --
      Do you Gentoo!?
  2. No by Anonymous Coward · · Score: 5, Insightful

    Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.

    1. Re:No by kainewynd2 · · Score: 5, Interesting

      You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

      I love Deep Freeze, Centurion Guard, Drive Shield, etc... but it's not fool proof.

      At one of my former employers, we had something like 700 Windows PCs out in various labs and all equipped with Drive Shield. If one of them got infected, reboot and all was well... right?

      Well, kind of. Since we were not allowed to automatically reboot these machines (24/7 labs), some of these stayed up for weeks, which opened them up to all sorts of fun stuff. In short, I spent about 200-300 man hours manually rebooting machines, convincing the administration to change the policies on automatic reboots, and working with the guy in charge of our PC lab image to implement security features to protect against this sort of thing in the future (automatic A/V update on boot, for example).

      Comparably, it took me about 40 hours to build a Terminal Server and another 60 to build and install Thin Clients to replace a bunch of those machines...

      --
      I just don't get... eh, ugh... never mind. This post wasn't worth the research I put into it.
  3. XP by Anonymous Coward · · Score: 5, Interesting

    Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess if anything the computers are out of date for their OS patches.

  4. In an ideal world... by fuzzyfuzzyfungus · · Score: 5, Interesting

    You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.

    That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time, and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash; they hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash player. Every time Adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the Flash remover and then msiexecs the newest Flash MSI. It's a pain in the ass; but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.

    Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.
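    The remove-then-reinstall script the comment above describes, written out as an added example (this is not code from the comment or from Adobe). It adds one thing the comment does not spell out: it reads the version out of the MSI on the share and compares it with what is installed, so the remover only runs when there is actually something newer. The share path, the file names, the -uninstall switch on the remover and the Macromed\Flash location are assumptions, not facts from the page.

```powershell
# Added example; not code from the original comment or from Adobe.
# Does what the comment describes: run Adobe's all-versions remover, then
# msiexec the newest Flash MSI from a share that only admins can write to.
# Assumptions (not confirmed by the page): the share path and file names
# below, that uninstall_flash_player.exe takes -uninstall as its silent
# switch, and that the ActiveX control lives in %windir%\System32\Macromed\Flash
# (plus SysWOW64 on 64-bit). Run as SYSTEM or a local admin, e.g. from a
# scheduled task or a startup script.
param(
    [string]$Share       = '\\fileserver\software\flash',  # assumed share
    [string]$Uninstaller = 'uninstall_flash_player.exe',   # assumed name
    [string]$LogDir      = "$env:ProgramData\FlashUpdate"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir 'flash-update.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $env:COMPUTERNAME $Message" | Add-Content -Path $log
}

function Get-InstalledFlashVersion {
    # Highest FileVersion of any Flash*.ocx present, or $null when none.
    $dirs = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash"
    $ocx = Get-ChildItem -Path $dirs -Filter 'Flash*.ocx' -ErrorAction SilentlyContinue
    if (-not $ocx) { return $null }
    $ocx | ForEach-Object { [version]($_.VersionInfo.FileVersion -replace ',', '.') } |
        Sort-Object -Descending | Select-Object -First 1
}

function Get-MsiProductVersion([string]$Path) {
    # Read ProductVersion from the MSI's Property table through the Windows
    # Installer COM API, so the file name does not have to encode the version.
    $wi   = New-Object -ComObject WindowsInstaller.Installer
    $db   = $wi.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null, $wi, @($Path, 0))
    $sql  = "SELECT Value FROM Property WHERE Property = 'ProductVersion'"
    $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    $rec  = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
    [version]$rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
}

$msi = Get-ChildItem -Path $Share -Filter '*.msi' |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $msi) { Write-Log "no MSI found on $Share"; exit 1 }
$target  = Get-MsiProductVersion $msi.FullName
$current = Get-InstalledFlashVersion
if ($current -and $current -ge $target) { Write-Log "already at $current"; exit 0 }

# Adobe's remover wants every browser closed. Defer instead of killing the
# user's session; a second scheduled run at logon/boot will catch this host.
$busy = Get-Process -Name iexplore, firefox, chrome, opera -ErrorAction SilentlyContinue
if ($busy) {
    Write-Log "deferred, browsers running: $(($busy | Select-Object -ExpandProperty Name -Unique) -join ',')"
    exit 2
}

Write-Log "updating $current -> $target using $($msi.Name)"
$rm = Start-Process -FilePath (Join-Path $Share $Uninstaller) -ArgumentList '-uninstall' -Wait -PassThru
Write-Log "remover exit code $($rm.ExitCode)"

# Silent install, no forced reboot, verbose log per host for troubleshooting.
$msiArgs = '/i', "`"$($msi.FullName)`"", '/qn', '/norestart', '/l*v', "`"$(Join-Path $LogDir 'msiexec.log')`""
$inst = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
Write-Log "msiexec exit code $($inst.ExitCode)"        # 0 = ok, 3010 = ok, reboot pending
if (@(0, 3010) -notcontains $inst.ExitCode) { exit $inst.ExitCode }

# Verify against the file on disk rather than trusting the exit code alone.
$after = Get-InstalledFlashVersion
if (-not $after -or $after -lt $target) { Write-Log "VERIFY FAILED: have $after, wanted $target"; exit 3 }
Write-Log "ok, now at $after"
```

    Two caveats a practitioner will hit: the share must really be read-only for the machine accounts, otherwise the share itself becomes the distribution point for whatever gets into it; and the Flash MSI from Adobe is only licensed for internal redistribution under their distribution agreement, so keep the download page's terms in mind before mirroring it.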

    1. Re:In an ideal world... by jscott · · Score: 5, Informative

      In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP whitelist. These two changes alone greatly reduced not only issues with crap-ware infections, but greatly reduced technician support time requirements.

      The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.

      I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.

      --
      signal, noise, to me it's all the same.
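    An added example, not part of jscott's post, for the "investigate what SRP can do" step: before flipping a Software Restriction Policy to default-deny with path rules for the program and Windows directories, audit a representative workstation for the two things that make such a whitelist fail in practice. Programs running from user profiles will be blocked and need a rule or a relocation, and any user-writable folder under an allowed root is a bypass (drop an .exe there and the path rule lets it run). The list of allowed roots and the "known suspect" folders are assumptions to be matched against the rules you actually deploy.

```powershell
# Added example, not part of jscott's post. An SRP whitelist (default level
# Disallowed, path rules allowing the program and Windows directories) fails
# in two ways: it breaks every legitimate program that lives in a user
# profile, and it is bypassed by any user-writable folder under an allowed
# root. This audit surfaces both on a representative workstation before the
# policy is enforced. The root list below is an assumption; make it match
# the path rules you actually intend to deploy. Run it as a standard user,
# because as an admin everything is writable and the report is meaningless.
$AllowedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:windir) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Folders under %windir% that are commonly writable by ordinary users and
# therefore undermine a blanket "allow %windir%" rule; checked explicitly.
$KnownSuspects = "$env:windir\Temp", "$env:windir\Tasks", "$env:windir\Debug\WMI"

$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
           ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) { Write-Warning 'Running elevated: writability results will not reflect a normal user.' }

function Test-UnderAllowedRoot([string]$Path) {
    foreach ($root in $AllowedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Test-UserWritable([string]$Directory) {
    # Attempt a real create/delete: reading ACLs misses inherited and
    # group-derived rights, an actual write attempt does not.
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $probe = Join-Path $Directory ('srp-probe-' + [guid]::NewGuid().ToString('N') + '.tmp')
    try {
        [IO.File]::WriteAllText($probe, 'x')
        [IO.File]::Delete($probe)
        return $true
    } catch { return $false }
}

function Get-SrpAuditReport {
    # One row per distinct running image, plus one per writable suspect folder.
    $seen = @{}
    foreach ($proc in Get-Process) {
        try { $path = $proc.Path } catch { $path = $null }
        if ($path) {
            if ($seen.ContainsKey($path.ToLower())) { continue }
            $seen[$path.ToLower()] = $true
        }
        $status = if (-not $path)                               { 'Unknown (cannot read image path)' }
                  elseif (-not (Test-UnderAllowedRoot $path))   { 'OutsideRoots (needs a rule or relocation)' }
                  elseif (Test-UserWritable (Split-Path $path)) { 'WritableUnderRoot (bypass: add a Disallowed rule)' }
                  else                                           { 'OK' }
        New-Object PSObject -Property @{ Item = $proc.ProcessName; Path = $path; Status = $status }
    }
    foreach ($dir in $KnownSuspects) {
        if (Test-UserWritable $dir) {
            New-Object PSObject -Property @{ Item = '(folder)'; Path = $dir; Status = 'WritableUnderRoot (bypass: add a Disallowed rule)' }
        }
    }
}

Get-SrpAuditReport | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object Status, Path | Format-Table Status, Item, Path -AutoSize
```

    Each "WritableUnderRoot" hit wants a more specific Disallowed path rule layered under the allowing one (SRP applies the most specific matching rule), and each "OutsideRoots" hit is a conversation with whoever owns that application. Running the audit across a sample of machines during the day, when the real software is loaded, gives a far better rule set than guessing from a clean image.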
  5. Is it really necessary to ask? by magamiako1 · · Score: 5, Insightful

    It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be better received than others.

    #1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

    #2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto-spreading.

    #3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

    #4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

    These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
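    What item #2 looks like in practice, as an added example that is not from magamiako1's post: a host-firewall baseline for the built-in Vista/7 firewall, pushed with netsh from a startup script (XP's built-in firewall has no outbound rules, which is why the post points XP shops at a third-party product). The point worth seeing in code is the explicit block rules: in the Windows Filtering Platform a block rule wins over any allow rule, so a later "allow File and Printer Sharing" from another GPO cannot reopen workstation-to-workstation SMB, and a box that does get infected cannot push itself at its neighbours. The subnets are assumptions.

```powershell
# Added example, not from magamiako1's post: a host-firewall baseline for the
# built-in Vista/7 firewall, applied with netsh so it can be pushed by a
# startup script (XP's firewall has no outbound rules, hence the post's
# third-party suggestion for XP). The subnets are assumptions:
# 10.0.100.0/24 = management hosts, 10.0.20.0/22 = workstation VLANs.
$Mgmt         = '10.0.100.0/24'
$Workstations = '10.0.20.0/22'
$Prefix       = 'Baseline - '

function Set-FwRule([string]$Name, [hashtable]$Spec) {
    # Delete then add, so re-running the script converges instead of stacking
    # duplicate rules. netsh returns 1 when nothing matched the delete; ignore.
    & netsh advfirewall firewall delete rule "name=$Prefix$Name" | Out-Null
    $tokens = @("name=$Prefix$Name") +
              @($Spec.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" })
    $out = & netsh advfirewall firewall add rule @tokens
    if ($LASTEXITCODE -ne 0) { throw "netsh add rule failed for '$Name': $out" }
}

# Defaults: on for every profile, drop unsolicited inbound, log what is dropped
# so a worm hammering 445 shows up in pfirewall.log before the AV notices.
& netsh advfirewall set allprofiles state on | Out-Null
& netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
& netsh advfirewall set allprofiles logging droppedconnections enable | Out-Null
& netsh advfirewall set allprofiles logging maxfilesize 16384 | Out-Null

# Inbound: only management hosts may reach remote admin and file-sharing ports.
Set-FwRule 'RDP from management'  @{ dir='in'; action='allow'; protocol='TCP'; localport='3389';    remoteip=$Mgmt }
Set-FwRule 'SMB from management'  @{ dir='in'; action='allow'; protocol='TCP'; localport='139,445'; remoteip=$Mgmt }
Set-FwRule 'Ping from management' @{ dir='in'; action='allow'; protocol='icmpv4:8,any';             remoteip=$Mgmt }

# Explicit blocks for workstation-to-workstation SMB in both directions. In
# WFP a block rule beats any allow rule, so a later "allow File and Printer
# Sharing" from someone else's GPO cannot reopen this path, and a compromised
# host cannot push itself at its neighbours even though outbound is open.
Set-FwRule 'No SMB from workstations' @{ dir='in';  action='block'; protocol='TCP'; localport='139,445';  remoteip=$Workstations }
Set-FwRule 'No SMB to workstations'   @{ dir='out'; action='block'; protocol='TCP'; remoteport='139,445'; remoteip=$Workstations }

function Test-Baseline {
    # Confirm every profile ended up BlockInbound,AllowOutbound (English netsh output).
    $policy = @(& netsh advfirewall show allprofiles | Where-Object { $_ -match '^Firewall Policy' })
    $policy.Count -eq 3 -and -not ($policy | Where-Object { $_ -notmatch 'BlockInbound,AllowOutbound' })
}
if (-not (Test-Baseline)) { throw 'Firewall policy did not apply on all profiles' }
```

    If a domain GPO also defines firewall settings, the local rules and the GPO rules are merged and the GPO's "apply local firewall rules" setting decides whether these survive; check with `netsh advfirewall show allprofiles` on a joined machine after a gpupdate rather than assuming. The dropped-connection log this enables is the cheapest early-warning signal you get for a worm on the segment.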

  6. The new meme "Terry Childs approach" by way2trivial · · Score: 5, Insightful

    The only way to secure the system is to not let anyone into the system.

    --
    every day http://en.wikipedia.org/wiki/Special:Random