Botnet Security

How To Avoid a Botnet Infection? 396

Posted by CmdrTaco
from the yeah-good-luck-with-that dept.
Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
  • Yeah... (Score:5, Insightful)

    by Pojut (1027544) on Monday March 22, 2010 @08:53AM (#31565866) Homepage

    ...I'm going to go ahead and guess the general answer most people around here are going to give.

    Linux or OSX.

    AmIright?

    • No (Score:5, Insightful)

      by Anonymous Coward on Monday March 22, 2010 @08:55AM (#31565902)

      Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.

      • Re: (Score:2, Funny)

        by sopssa (1498795)

        Stop letting users use your computers

        Yes! While we're on it, let's fire all the people in the company! They just bring expenses and fuck things up!

      • by way2trivial (601132) on Monday March 22, 2010 @09:27AM (#31566530) Homepage Journal

        the only way to secure the system is: don't let anyone into the system

      • Re:No (Score:5, Informative)

        by 0100010001010011 (652467) on Monday March 22, 2010 @09:54AM (#31567118)

        So make it a persistent state. Every computer lab on campus had a 'deep freeze' piece of software installed.

        You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

        I'm sure such software works for Linux (if not just get a Live CD/LiveUSB).

        Disable executable access for anything running on a shared drive and there shouldn't be any way for them to permanently do any damage.

        No matter how they screw a computer up, a reboot will fix it.

        • Re:No (Score:5, Interesting)

          by kainewynd2 (821530) on Monday March 22, 2010 @11:20AM (#31569182)

          You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

          I love Deep Freeze, Centurion Guard, Drive Shield, etc... but it's not foolproof.

          At one of my former employers, we had something like 700 Windows PCs out in various labs and all equipped with Drive Shield. If one of them got infected, reboot and all was well... right?

          Well, kind of. Since we were not allowed to automatically reboot these machines (24/7 labs), some of these stayed up for weeks, which opened them up to all sorts of fun stuff. In short, I spent about 200-300 man hours manually rebooting machines, convincing the administration to change the policies on automatic reboots, and working with the guy in charge of our PC lab image to implement security features to protect against this sort of thing in the future (automatic A/V update on boot, for example).

          Comparably, it took me about 40 hours to build a Terminal Server and another 60 to build and install Thin Clients to replace a bunch of those machines...

    • Re: (Score:3, Insightful)

      by Magorak (85788) *

      Unfortunately you are probably right.

    • Re: (Score:2, Funny)

      by euyis (1521257)
      Competent users maybe?
      • Re:Yeah... (Score:5, Insightful)

        by jimicus (737525) on Monday March 22, 2010 @09:21AM (#31566388)

        We've been hoping for competent users (and trying to educate people into competence) for decades. Hasn't happened yet - probably because the usual result of your computer getting a virus which wasn't automatically blocked is you have a legitimate excuse to do no work until such time as someone can clean up the mess.

      • Re:Yeah... (Score:5, Insightful)

        by fuzzyfuzzyfungus (1223518) on Monday March 22, 2010 @09:47AM (#31566988) Journal
        I don't buy the "competent users" argument.

        It is definitely the case that incompetent users can cause system compromises ("Ooh, free smilies!"), though IT should ideally have blocked most of their most common avenues of idiocy.

        However, in a world where you can get compromised just by going to a perfectly legitimate website that happens to be running a flash ad with an embedded zero-day of some flavor, the idea that "competence" is going to save you is an unpleasant mixture of naiveté and adherence to the just-world hypothesis [scu.edu].

        Competence doesn't hurt, and is always a desirable quality; but it is a near-worthless foundation for a security system. First and foremost, there are many attacks from which competence will not save you. Second, and also pretty important, is that any organization of reasonable size is going to contain people hired for their competence in something other than computer security. The pool of people competent in skill X and computer security is always smaller than the pool of people competent in skill X. Even if the former pool is large enough to fulfil your needs, recruiting from it will cost more than recruiting from the entire skill X pool. Competent users are a nice perk, when they happen; but depending on them is folly.
      • Re:Yeah... (Score:4, Funny)

        by v1 (525388) on Monday March 22, 2010 @10:13AM (#31567606) Homepage Journal

        Competent users maybe?

        As far as "programming errors" go, I'd label "expect competent users" as "#1".

    • Re: (Score:2, Interesting)

      by miffo.swe (547642)

      If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.

      If you want to mitigate the problem you can add all sorts of defences but you will be owned eventually if you stay on Windows. The question is, is it worth all the money? One thing is sure, it's damn expensive to fix Windows up to half-bad.

      • Re: (Score:3, Insightful)

        by lordandmaker (960504)

        If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.

        Thing is, though, *everyone* running Windows treats it as holey, exploitable and generally unsafe. So they apply every security mechanism they can, they bother to audit things, and generally treat it as a dangerous thing that needs attention.

        Too many Linux/OSX users sit there th

    • Re:Yeah... (Score:5, Interesting)

      by gandhi_2 (1108023) on Monday March 22, 2010 @09:10AM (#31566150) Homepage

      No. [networkworld.com] That's not sufficient. [lwn.net]

      Disallowing USB drives helped the military cut down on infections, though.

      How about: users run restricted. Using GPOs: mandatory Windows updates daily with reboot. Automate patching of commonly-used helpers like Flash, Shockwave, Adobe Reader, Firefox, Java. And MS Security Essentials.

      Some rigorous port filters on EVERY machine and iptables rules on routers and l3 switches...a whitelist approach.

      • Re:Yeah... (Score:5, Informative)

        by ZeroPly (881915) on Monday March 22, 2010 @09:47AM (#31566996)

        The military has reversed its policy on USB drives - because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security - unless you're lazy and don't care much about your users' actual work.

        IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.

        There is no quick answer to this. You can't ask "how do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.

        • Re: (Score:3, Funny)

          by gandhi_2 (1108023)

          my neck of the No-Go's still bans USB drives...I have to email all my botnet viruses to the training NCO.... like a freaking ape!

        • Re:Yeah... (Score:4, Interesting)

          by Svartalf (2997) on Monday March 22, 2010 @10:35AM (#31568112) Homepage

          Yes and no.

          In the case of the DoD, I'd be looking closer to the NSA way of doing things than not. Too much risk of a mission critical piece of data leaking or of some critical infrastructure piece in C-cubed being crippled by other things. Seriously.

          If you have issues with your users in the context of this- perhaps it's time to re-evaluate your software, hardware, etc. Ease of use will cause problems with security each and every time. No, it doesn't need to be complicated- but ease of use will invariably inject exploit paths where you didn't want them. So, you should only make it as easy as it makes sense to do so in the context of security. For the DoD, I would have thought the problems they were having with USB thumbs would be a red-flag item for the system choices they're making, but apparently not.

        • Re: (Score:3, Interesting)

          by Creepy (93888)

          From what I heard, the military reversed its policy on SECURED USB [wikipedia.org] drives, but most USB drives are unsecured, which is kinda like having sex without a condom or sharing a needle - the more you do it, the higher chance you'll come down with a disease. While a secured drive isn't going to guarantee you won't get an infection, it does improve the odds.

          Incidentally, all of the botnet outbreaks at my work that I know of were from people bringing in unsecured rootkit infected USB Fobs, which led to a company-wid

    • Re:Yeah... (Score:5, Insightful)

      by beh (4759) * on Monday March 22, 2010 @09:11AM (#31566170)

      Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a linux machine... Even though it *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing linux would have been secure enough.

      But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
      Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)

      I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...

      • by Xugumad (39311)

        Linux/OS X aren't miracle cures, but frankly you'd have to restrict so much of what users can do in Windows to stop them wrecking stuff, you might as well just give them Linux and save the license fee for Windows.

        OpenBSD of course is the real answer, but I don't think we're going to see people moving to OpenBSD any time soon...

    • Re:Yeah... (Score:5, Interesting)

      by ByOhTek (1181381) on Monday March 22, 2010 @09:13AM (#31566218) Journal

      Yes, that's the general answer. Probably not the correct one.

      *NOTHING* short of educating a user, or massively restricting their privileges on a computer can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of sysinternals software (regmon/diskmon) to figure out where to allow nonprived users to write so that poorly written windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.

      Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).

      I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.

      That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened, whoever did the cracking just got a firewall bypass.

      • by zappepcs (820751)

        There is reason to believe that network topology contributes to the damage done by viruses and malware. If malware gets into the network for marketing and you make it just as difficult for it to get from marketing to the customer service network as it was to get into the marketing network, you have added extra levels of security. There are too many networks that are designed so that once it gets to one machine it has carte blanche to go to any of them. Yes, the Titanic still sank, but compartmentalization w

        • Re:Yeah... (Score:5, Insightful)

          by TheCarp (96830) on Monday March 22, 2010 @11:11AM (#31568974) Homepage

          An old boss of mine used to call it the "Soft creamy center security model".

          He was also the one who had us implementing packet filtering on each and every individual box. It was some work, but it was worth it.

          Compartmentalization is good, if you are smart about it.

          Another good analogy is "Defense in depth". Should you have a firewall? Yes. You should also patch regularly, sniff packets with an IDS, packet filter on every machine, run tripwire (or equivalent), have antivirus (on platforms that require it :cough: windows :cough:), separate user segments from server segments, separate out a DMZ for services, have a password policy, educate users.

          No one of those things is going to protect you fully. All of them together have a good chance of making you a far less appealing target with a very unsatisfying and sour center, rather than soft and chewy goodness.

          -Steve

    • Re:Yeah... (Score:5, Insightful)

      by Lorien_the_first_one (1178397) on Monday March 22, 2010 @09:26AM (#31566506)
      Amiga.
    • Re:Yeah... (Score:4, Funny)

      by L4t3r4lu5 (1216702) on Monday March 22, 2010 @09:28AM (#31566552)

      AmIright?

      Urnotrong.

    • Re: (Score:3, Insightful)

      by Runaway1956 (1322357)

      Mod parent to at least +50 insightful. Despite all the bragging that Microsoft and MS fanbois do, the botnets are still constructed with Windows. When that changes, then we can discuss that little issue again.

      Meanwhile, migrate to a more secure operating system.

      • Re: (Score:3, Insightful)

        by Ploum (632141)

        Exactly.

        "The day Linux will have Windows marketshare, it will also have botnets".

        Maybe. But, until that day, use Linux. Currently, you have *a lot* less chance of being infected on a Linux computer. When it changes (if it changes someday), we will reconsider the situation.

        Using a broken system for the sole reason that the proposed replacement might be broken too in the future is, at best, stupid.

    • by Z00L00K (682162)

      No - OpenVMS is the ultimate and expensive answer.

    • Block outbound SMTP (Score:5, Informative)

      by pushf popf (741049) on Monday March 22, 2010 @09:52AM (#31567086)
      • Block all outbound (to the internet) connections to any ports except 443 and 80 from any machines that don't have a legitimate business need. (This won't help you much, but will save the rest of us when you do get hit.)
      • Block all incoming email that isn't plain text.
      • Require authentication on your outbound mail server.
      • Install a filtering web proxy and block everything except plain HTML and images. (This actually isn't foolproof, since there are some image rendering vulnerabilities.)

      Your users will be really pissed off but the infection rate will be way down.
    • Everyone knows that BeOS is the best.
  • Users (Score:3, Interesting)

    by oojah (113006) on Monday March 22, 2010 @08:57AM (#31565948) Homepage

    You'll probably find that most of your problems will go away if you get rid of your users :)

  • by Drethon (1445051) on Monday March 22, 2010 @08:57AM (#31565954)
    I'm a coder not IT so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers but it is quite possible I've missed active bots with such simple protections.

    So my question is: Are a firewall and anti-virus really not that effective, and if so, how do bots get around a firewall and anti-virus?
    • by Chrisq (894406) on Monday March 22, 2010 @09:06AM (#31566082)
      Well, a firewall is usually configured to let some things in; if you give your users internet access then you are at risk of them downloading a virus from the internet; similarly, emails may tempt people to open executable attachments.

      Virus writers are constantly trying to find ways to circumvent antivirus programs. Regularly applying updates helps, but you could still be one of the first people hit by a new virus. Once infected some viruses interfere with AV programs so that they can't be removed even by later versions.
      • by Drethon (1445051)
        Sounds like a lot of what I've heard then. My AVS is up to date and includes spyware checking and I avoid free porn, screen savers and other such downloads and avoid accepting any weird pop-ups.

        My distributed operating systems course did mention how the biggest security issues are social engineering and I guess this is the case here as well.
    • Re: (Score:3, Informative)

      by MasterOfMagic (151058)

      Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it or

    • by jimicus (737525) on Monday March 22, 2010 @09:27AM (#31566516)

      So my question is: Are a firewall and anti-virus really not that effective, and if so, how do bots get around a firewall and anti-virus?

      No they're not. Trojans are becoming much more adept at avoiding antivirus (mainly because most antivirus is essentially a glorified "grep for this sequence of bytes", which doesn't work very well with polymorphic infectors) and much better at remaining hidden once installed.

      A few years ago it was fairly obvious because an infected computer had all the speed and grace of a slug break-dancing in black treacle and most AV vendors' websites magically stopped working (though actually your browser was being screwed around with) - today that doesn't happen so much.

      Short of the major AV vendors drastically upping their game in very short order (difficult - heuristics scanning is the obvious thing to look at but it's tantamount to the halting problem), I can't really see this situation improving much.

    • by stiggle (649614)

      First of all they need a firewall which doesn't block everything.

      A decent firewall blocks everything, then allows specific stuff through.
      So you block everything - then allow ports 80 & 443 out through a caching proxy, you allow SMTP & IMAP - but only to your own mailservers, etc.

      Incoming connections are either redirected to the company servers or completely blocked.
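The default-deny egress policy that pushf popf and stiggle describe above (block everything, then allow web only through the proxy and mail only to your own servers), written out as an added example that is not part of the thread. The addresses, ports, rule names and the flow log are all constructed for this example; the point is that once the whitelist exists, every flow it would drop is a host talking somewhere it has no business talking, which is exactly the symptom to hunt for.

```python
"""Default-deny egress policy evaluator over constructed flow records.

Added example, not code from the Slashdot thread. It models the policy the
comments describe: block everything outbound, then allow web traffic only via
the caching proxy, mail only to the company's own mail servers, and treat
anything else as a violation worth investigating. Every host, address and
port below is a constructed sample value.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed network layout for this example.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
PROXY = ipaddress.ip_address("10.0.0.10")       # caching web proxy
RESOLVER = ipaddress.ip_address("10.0.0.53")    # internal DNS resolver
MAIL_SERVERS = frozenset({ipaddress.ip_address("10.0.0.25")})  # company SMTP/IMAP


@dataclass(frozen=True)
class Rule:
    name: str
    src_hosts: Optional[FrozenSet]   # None = any internal source
    dst_hosts: Optional[FrozenSet]   # None = any destination
    dst_ports: FrozenSet


# Ordered allow list; a flow matching none of these is denied.
ALLOW_RULES = [
    Rule("workstation-to-proxy", None, frozenset({PROXY}), frozenset({3128})),
    Rule("proxy-to-web", frozenset({PROXY}), None, frozenset({80, 443})),
    Rule("mail-to-own-servers", None, MAIL_SERVERS, frozenset({25, 587, 143, 993})),
    Rule("dns-to-resolver", None, frozenset({RESOLVER}), frozenset({53})),
]


def evaluate(src: str, dst: str, dport: int) -> str:
    """Return the name of the first allow rule matching the flow, else 'DENY'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in INTERNAL_NET:
        return "DENY"  # only internal sources get an egress decision at all
    for rule in ALLOW_RULES:
        if rule.src_hosts is not None and s not in rule.src_hosts:
            continue
        if rule.dst_hosts is not None and d not in rule.dst_hosts:
            continue
        if dport in rule.dst_ports:
            return rule.name
    return "DENY"


def parse_flows(text: str) -> List[Tuple[str, str, int]]:
    """Parse 'timestamp src=... dst=... dport=...' lines into (src, dst, dport)."""
    flows = []
    for line in text.strip().splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split()[1:])
        flows.append((fields["src"], fields["dst"], int(fields["dport"])))
    return flows


def denied_flows(text: str) -> List[Tuple[str, str, int]]:
    """Flows the whitelist would drop; each is a host talking where it shouldn't."""
    return [f for f in parse_flows(text) if evaluate(*f) == "DENY"]


def suspicious_hosts(text: str) -> List[Tuple[str, int]]:
    """Internal hosts ranked by number of denied flows, repeat offenders first."""
    counts = {}
    for src, _dst, _port in denied_flows(text):
        counts[src] = counts.get(src, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample flow log: two normal users, the proxy, one host that keeps
# reaching for an outside IRC port, and one host sending mail directly.
SAMPLE_LOG = """\
2010-03-22T09:52:01 src=10.0.1.15 dst=10.0.0.10 dport=3128
2010-03-22T09:52:03 src=10.0.0.10 dst=198.51.100.80 dport=443
2010-03-22T09:52:05 src=10.0.1.22 dst=10.0.0.25 dport=993
2010-03-22T09:52:07 src=10.0.1.15 dst=203.0.113.7 dport=6667
2010-03-22T09:52:09 src=10.0.1.22 dst=198.51.100.9 dport=25
2010-03-22T09:53:07 src=10.0.1.15 dst=203.0.113.7 dport=6667
"""

if __name__ == "__main__":
    for src, dst, port in denied_flows(SAMPLE_LOG):
        print(f"DENY {src} -> {dst}:{port}")
    print(suspicious_hosts(SAMPLE_LOG))
```

Two things worth noticing in the output: a workstation going to port 443 directly is denied even though 443 is "allowed", because only the proxy may speak to the internet; and the host that is denied repeatedly to the same outside address and port is the one to pull off the network first, since a periodic connection to one fixed host is how a zombie reaches its controller.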

    • Easy: Excel Hell [thewebsiteisdown.com]
  • whitelist (Score:3, Interesting)

    by deusmetallum (1607059) on Monday March 22, 2010 @09:00AM (#31566010)
    Run a program that only allows whitelisted applications, and block all removable media. It's the only way you can be absolutely certain there is nothing running on your network that shouldn't be there. http://en.wikipedia.org/wiki/Whitelist#Application_whitelists [wikipedia.org]
  • educate (Score:3, Insightful)

    by orange47 (1519059) on Monday March 22, 2010 @09:02AM (#31566024)
    teach all the workers about security. disable autorun on all machines. don't let them run as admins. use noscript and adblock and foxit (or similar). update windows and AV regularly...
    • Re: (Score:3, Informative)

      by Scutter (18425)

      teach all the workers about security. disable autorun on all machines. don't let them run as admins. use noscript and adblock and foxit (or similar). update windows and AV regularly...

      Education is a red herring. It doesn't work. Non-technical people know how to turn their computer on and do their day's work, and that's about it. If you change a single menu item they are completely lost, even a day after formal training. Constant remedial training costs more and is more time consuming than recovering from an outbreak.

      Many (poorly written) enterprise applications won't run properly without admin rights to the PC, so restricting admin access is often not possible. Keeping Windows up-to

  • by alen (225700) on Monday March 22, 2010 @09:03AM (#31566048)

    Where I work we've been blocking a long list of email attachments like exes and others. A few years ago we also started blocking Facebook.

    I set it up years ago and don't remember myself. We're all Windows and have never been zombified. You can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over Facebook and Twitter.

    • by magamiako1 (1026318) on Monday March 22, 2010 @09:18AM (#31566332)
      A properly implemented firewall solution would guard against all of these things, as a properly implemented solution will also filter layer 7.
    • Re: (Score:3, Insightful)

      by coofercat (719737)

      Just a decent email filtering solution would probably do what you want, and not look like you were making unilateral decisions. One place I used to work used MessageLabs, which used to report to me just how frequently people were about to receive something dangerous (which for a 20 people company was surprisingly frequently - and more surprising would be the sales people asking to have something taken out of quarantine because 'it might be useful' when it looked pretty obvious it was spam/scam/malware).

      If y

  • XP (Score:5, Interesting)

    by Anonymous Coward on Monday March 22, 2010 @09:04AM (#31566062)

    Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess if anything the computers are out of date for their OS patches.

  • In an ideal world... (Score:5, Interesting)

    by fuzzyfuzzyfungus (1223518) on Monday March 22, 2010 @09:06AM (#31566084) Journal
    You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.

    That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash; they hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash Player. Every time Adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the Flash remover and then msiexecs the newest Flash MSI. It's a pain in the ass, but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.

    Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.
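The attachment stripping that alen and fuzzyfuzzyfungus recommend, as an added example that is not the thread's code or any mail product's. It assumes inbound mail arrives as raw RFC 822 bytes at some filtering hop and uses only the standard library's email package; the sample message, file names and payload bytes are constructed. It goes one step beyond an extension blocklist: the decision also looks at the declared content type and the first bytes of the payload, so a renamed executable is caught too.

```python
"""Attachment filter for inbound mail, run over a constructed message.

Added example, not from the Slashdot thread and not a vendor product. It
implements the policy two comments describe (strip executables and .zips from
e-mail) with three checks per attachment: last file extension (so
'invoice.pdf.exe' is caught), declared content type, and payload magic bytes
(so an .exe renamed to .doc is caught). Everything in the sample message is
constructed.
"""
import email
import email.policy
import os
from email.message import EmailMessage
from typing import List, Tuple

BLOCKED_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".zip"}
BLOCKED_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/zip"}


def classify(part) -> Tuple[bool, str]:
    """Return (blocked, reason) for one attachment part."""
    # Trailing dots/spaces are a common trick to hide the real extension.
    name = (part.get_filename() or "").lower().rstrip(" .")
    ext = os.path.splitext(name)[1]
    if ext in BLOCKED_EXTS:
        return True, f"extension {ext}"
    ctype = part.get_content_type()
    if ctype in BLOCKED_TYPES:
        return True, f"content type {ctype}"
    payload = part.get_payload(decode=True) or b""
    if payload[:2] == b"MZ":            # DOS/PE executable header, whatever the name says
        return True, "executable header"
    if payload[:4] == b"PK\x03\x04":    # zip container, whatever the name says
        return True, "zip header"
    return False, ""


def filter_message(raw: bytes) -> Tuple[EmailMessage, List[Tuple[str, str]]]:
    """Rebuild the message without blocked attachments; note the removals in the body."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    kept, removed = [], []
    for part in msg.iter_attachments():
        blocked, why = classify(part)
        if blocked:
            removed.append((part.get_filename(), why))
        else:
            kept.append(part)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if removed:
        names = ", ".join(n for n, _ in removed)
        text += f"\n[Attachments removed by policy: {names}]\n"
    clean = EmailMessage()
    for header in ("From", "To", "Subject", "Date"):
        if msg[header]:
            clean[header] = str(msg[header])
    clean.set_content(text)
    for part in kept:
        clean.add_attachment(part.get_payload(decode=True),
                             maintype=part.get_content_maintype(),
                             subtype=part.get_content_subtype(),
                             filename=part.get_filename())
    return clean, removed


def build_sample() -> bytes:
    """Constructed inbound message: one legitimate PDF and three things to strip."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see attached.")
    m.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                     subtype="pdf", filename="invoice.pdf")
    m.add_attachment(b"MZ constructed stub, not a real program", maintype="application",
                     subtype="octet-stream", filename="invoice.pdf.exe")   # double extension
    m.add_attachment(b"MZ constructed stub, not a real program", maintype="application",
                     subtype="octet-stream", filename="report.doc")        # renamed executable
    m.add_attachment(b"PK\x03\x04 constructed sample", maintype="application",
                     subtype="zip", filename="archive.zip")
    return m.as_bytes()


if __name__ == "__main__":
    clean_msg, dropped = filter_message(build_sample())
    for name, reason in dropped:
        print(f"removed {name}: {reason}")
    print([p.get_filename() for p in clean_msg.iter_attachments()])
```

The body note is deliberate: users who see "attachment removed by policy" file a ticket instead of asking the sender to re-send it as a renamed file, which is the workaround that makes extension-only filters useless. Nested archives and encrypted zips are not inspected here; a production filter either blocks them outright, as the thread suggests, or unpacks them before applying the same checks.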
    • Oh, one more thing. Assuming you are running Windows and AD (which is pretty much the plausible assumption when "company" "networks" and "zombified" show up in the same sentence), there is something of a nuclear option...

      Software Restriction Policies.

      The details are quite complex, Microsoft will have to tell you more [microsoft.com]; but you can substantially ruin joe script kiddie's day (as well as pissing off users, and making life miserable for your IT minions, which is why so many people don't use them). In a nutshe
      • by jscott (11965) on Monday March 22, 2010 @10:04AM (#31567390) Homepage

        In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP White Listing. These two changes alone greatly reduced not only issues with crap-ware infections, but greatly reduced technician support time requirements.

        The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.

        I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.
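The application whitelist that deusmetallum, fuzzyfuzzyfungus and jscott describe, reduced to its decision logic as an added example; this is not the thread's code and not Microsoft's SRP implementation, just a model of the rule semantics (hash rules beat path rules, the most specific path rule wins, everything unmatched is denied). All paths, file bytes and hashes are constructed.

```python
"""Simplified application-whitelist evaluator in the style of Software Restriction Policies.

Added example, not the thread's own code and not Microsoft's implementation.
It models the mechanism the comments describe: an executable runs only if a
rule allows it, hash rules take precedence over path rules, and among path
rules the most specific match wins. That last point is where real deployments
get holes: user-writable folders inside an allowed tree (C:\\Windows\\Temp is
the classic one) need their own deny rule. All paths, file bytes and hashes
below are constructed.
"""
import hashlib
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple


def _parts(path: str) -> Tuple[str, ...]:
    """Case-folded path components, so C:\\WINDOWS and c:\\windows compare equal."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)


class Whitelist:
    def __init__(self, path_rules: Dict[str, str], hash_rules: Dict[str, str]):
        # path_rules: directory -> "allow" | "deny"; hash_rules: sha256 hex -> rule name
        self.path_rules = [(_parts(p), verdict, p) for p, verdict in path_rules.items()]
        self.hash_rules = hash_rules

    def decide(self, exe_path: str, content: bytes) -> Tuple[str, str]:
        """Return (verdict, reason) for executing the file at exe_path with these bytes."""
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.hash_rules:            # hash rules beat path rules
            return "allow", f"hash rule: {self.hash_rules[digest]}"
        parts = _parts(exe_path)
        best: Optional[Tuple[Tuple[str, ...], str, str]] = None
        for prefix, verdict, original in self.path_rules:
            if parts[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
                best = (prefix, verdict, original)  # longest (most specific) prefix wins
        if best is None:
            return "deny", "no matching rule (default deny)"
        return best[1], f"path rule: {best[2]}"


def audit(policy: Whitelist, attempts: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Evaluate a batch of (path, bytes) execution attempts -> (path, verdict, reason)."""
    return [(path, *policy.decide(path, data)) for path, data in attempts]


# Constructed file contents: neither is a real program.
MZ_STUB = b"MZ constructed stub, not a real executable"
APPROVED_TOOL = b"constructed bytes of an approved build"

POLICY = Whitelist(
    path_rules={
        r"C:\Windows": "allow",
        r"C:\Program Files": "allow",
        r"C:\Windows\Temp": "deny",   # user-writable: close the hole inside the allowed tree
    },
    hash_rules={hashlib.sha256(APPROVED_TOOL).hexdigest(): "approved-tool"},
)

# Constructed execution attempts a whitelist would see on a workstation.
ATTEMPTS = [
    (r"C:\Program Files\Office\winword.exe", MZ_STUB),
    (r"C:\WINDOWS\system32\notepad.exe", MZ_STUB),
    (r"C:\Users\bob\AppData\Local\Temp\free_smilies.exe", MZ_STUB),
    (r"c:\windows\temp\dropper.exe", MZ_STUB),
    (r"C:\Users\bob\tools\approved.exe", APPROVED_TOOL),
]

if __name__ == "__main__":
    for path, verdict, reason in audit(POLICY, ATTEMPTS):
        print(f"{verdict:5} {path}  ({reason})")
```

The fourth attempt is the one that bites real deployments: the file sits under an allowed directory, so a naive prefix check passes it, and only the more specific deny rule for the user-writable subfolder stops it. Before switching a whitelist to enforce mode, inventory every directory under the allowed trees that ordinary users can write to, and give each one a rule like that.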

  • by magamiako1 (1026318) on Monday March 22, 2010 @09:10AM (#31566146)
    It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.

    #1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

    #2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.

    #3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

    #4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

    These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
    • Re: (Score:3, Interesting)

      by obarthelemy (160321)

      I second that, with some additions.

      1- You can't trust users to be honest, nor working, nor knowledgeable. That means educating them is probably a waste. You need to remove admin rights, block all non-controlled data sources. That means USB, CD, FD, Bluetooth, Wifi, card readers....

      2- In some cases, you may be able/have to use disk images or remote desktops. You can configure those so the users cannot write anything to the disk image, thus ensuring that the OS and Apps are always clean at boot.

      • Re: (Score:3, Interesting)

        I am not aware of the current state of Microsoft security, but it is possible to set up Unix-type systems with non-writable executable partitions, and non-executable mounts for all writable partitions.

        Even that is not 100% proof against malware, but it raises the bar beyond any attack I have seen so far.
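The split the comment above describes (executables only on read-only partitions, every writable partition mounted noexec) is easy to state and easy to drift from after a few remounts, so here is an added audit script for it, not code from the thread. It parses a constructed fstab and flags every real filesystem that is both writable and executable, plus executable mounts lacking nosuid as a cheap extra check; the sample fstab and its device names are constructed.

```python
"""Audit an fstab for the 'writable or executable, never both' split.

Added example, not from the Slashdot thread. It parses a constructed fstab
and flags every real filesystem that is both writable and executable, which
is the condition the comment above says to eliminate (executables live on
read-only mounts; anything writable is mounted noexec). A second check flags
executable mounts without nosuid.
"""
from typing import List, Set, Tuple

# Pseudo filesystems and swap carry no user files; skip them.
SKIP_FSTYPES = {"proc", "sysfs", "devpts", "swap", "cgroup", "cgroup2", "securityfs"}


def parse_fstab(text: str) -> List[Tuple[str, str, str, Set[str]]]:
    """Return (device, mountpoint, fstype, options) for each real entry."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, opts = fields[:4]
        entries.append((device, mountpoint, fstype, set(opts.split(","))))
    return entries


def audit_mounts(text: str) -> List[Tuple[str, str]]:
    """Return (mountpoint, problem) for every mount that breaks the split."""
    findings = []
    for _device, mountpoint, fstype, opts in parse_fstab(text):
        if fstype in SKIP_FSTYPES:
            continue
        writable = "ro" not in opts        # 'defaults' and 'rw' both mean writable
        executable = "noexec" not in opts  # 'defaults' implies exec
        if writable and executable:
            findings.append((mountpoint, "writable and executable: add noexec or mount ro"))
        if executable and "nosuid" not in opts:
            findings.append((mountpoint, "executable without nosuid"))
    return findings


def is_hardened(text: str) -> bool:
    """True when no mount is both writable and executable and no exec mount allows suid."""
    return not audit_mounts(text)


# Constructed sample fstab: / and /usr read-only, /home noexec, /var and /tmp not hardened.
SAMPLE_FSTAB = """\
# constructed sample, not a real system
/dev/sda1  /      ext4   ro,nosuid,nodev                0 1
/dev/sda2  /usr   ext4   ro,nosuid,nodev                0 2
/dev/sda3  /home  ext4   defaults,noexec,nosuid,nodev   0 2
/dev/sda4  /var   ext4   defaults                       0 2
tmpfs      /tmp   tmpfs  defaults,nosuid,nodev          0 0
/dev/sda5  none   swap   sw                             0 0
proc       /proc  proc   defaults                       0 0
"""

if __name__ == "__main__":
    for mountpoint, problem in audit_mounts(SAMPLE_FSTAB):
        print(f"{mountpoint}: {problem}")
    print("hardened" if is_hardened(SAMPLE_FSTAB) else "not hardened")
```

Two caveats a practitioner will run into: fstab is the intent, not the live state, so the same checks should also be run against the mounted filesystems (the options column of /proc/mounts has the same format), and package updates need the executable partitions remounted read-write for their duration, which is the window this audit cannot see.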

  • Suggestions (Score:5, Informative)

    by Z34107 (925136) on Monday March 22, 2010 @09:13AM (#31566210)

    A few suggestions from my experience as a technician:

    • Keep vulnerable programs off of your base image. We saw infections go down dramatically after removing Java and replacing Adobe Acrobat Reader with something else.
    • Uninstall Internet Explorer if you can. Unless you're running Windows 7, the easiest way to "uninstall" it is change the permissions on iexplore.exe to Deny for the Everyone account.
    • Lock down computers as much as you can with Group Policy, especially if you have a Windows Server infrastructure.
    • If you can, deploy Windows Steady State if you're using XP or purchase Faronics DeepFreeze. They're both ways of preventing permanent changes to your base image (installation of programs, modification of files) by users. If a Frozen machine gets infected, reboot it.
    • Don't license McAfee. It's worthless.
  • It might be the CEO. It might be you. But the fault is always with a person, and they should be held responsible for their actions, including recovering costs.
  • That's precisely the problem: enterprise environments often assume that using anti-virus and firewall solutions means they no longer have to be concerned with information security.

    It is all too easy to bypass anti-virus detection, and anti-virus products often only protect against known threats. There will always be unknown threats it doesn't protect against.

    What you really need is proper sandboxing, but that is a hassle that most people just don't want to deal with.

  • I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

    Do you mean web *server*?

    The vast, vast, vast majority of companies are going to need port 80 (and 443) opened. I don't know the last time you stepped into a corporate environment, Taco, but that's how you do your timecard, put your vacation time on the calendar, sometimes how you answer email even.

    • by IBBoard (1128019)

      Made sense to me - although I'm not sure how it'd be done. If a computer runs a web browser then 99%+ of the time it won't need to run a web server, so blocking inbound requests on port 80 would stop it being used as a server. I assume that's important and that it is indicative of zombies, but I could be trusting Taco too much there!

      • by TheMidget (512188)
        Most zombies run as clients (periodically connecting to a "command-and-control" server), or else they wouldn't work behind a NAT (which is quite common in most home networks, which have a DSL or cable router rather than a modem).
    • Fortunately with a combination of cntlm, corkscrew and ssh, I can tunnel anything through port 80.
    • by TheMidget (512188)

      The vast, vast, vast majority of companies are going to need port 80 (and 443) opened.

      Never heard of a Squid proxy? Port 3128 is all your workers need.

  • If we are talking about XP machines, consider taking away admin permissions from ordinary users. Maybe set up a local admin that the users know the password for, but let them do their daily work as restricted users.

  • Simple (Score:5, Interesting)

    by rindeee (530084) on Monday March 22, 2010 @09:25AM (#31566488)
    I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must do's":

    1. Block social networking sites. Need convincing? Here: http://google.com/safebrowsing/diagnostic?site=facebook.com/ or http://google.com/safebrowsing/diagnostic?site=myspace.com/ or http://google.com/safebrowsing/diagnostic?site=twitter.com/
    2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (Trusted Source type technology).
    3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential.
    4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs.
    5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks.

    This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux based solution with entirely open source tools large enough to cover thousands of concurrent users.
  • Filtering (Score:3, Interesting)

    by lord_rotorooter (1482955) on Monday March 22, 2010 @09:29AM (#31566568)
    If you have a Cisco ASA 5510 or higher you can purchase the botnet filter for roughly $320 a year. Then enable the filter on your internal interface to block any outbound traffic going to the known botnet IP ranges. I would also recommend blocking unnecessary outbound ports and limiting necessary ports to specific machines (ex. port 25 outbound from the mail server only). I would also look at setting up a proxy server such as Squid. I would do MIME filtering on untrusted web traffic and perhaps use DansGuardian for prebuilt whitelisting/blacklisting. At my workplace I am fortunate enough to be allowed to do a default deny on the entire internet, only white-listing work related sites (of course I work at a bank). Antivirus should be considered a secondary defense in this day and age. You really need to look at getting an IPS device for your network and then perhaps an aggregated log server if you haven't already. These last two recommendations will cost some money. So short term I would focus on outbound firewall filtering and a proxy server.
  • by zuki (845560) on Monday March 22, 2010 @09:40AM (#31566816) Journal
    This is more of a question than anything, as I find this to be a fascinating topic, but have little experience in managing corporate networks.

    At what point does it make sense to have your users having to run all that they do on a virtual machine, which if anything gets compromised can just be rolled back without too much fuss?

    Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?

    Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.

    I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much, seems fairly practical yet transparent to the users. (wish I had mod points for you guys, but not today!)

    But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?

    Sorry for sounding naive, but this is not my area of expertise...
  • How To Avoid the Infection of Botnet?

    By using the common of sense?

  • 1) Only allow web browsing through an http/https/ftp proxy server(s). The proxy server(s) should include an anti-botnet blacklist and logically have a network firewall between them and the internet.

    2) No open direct connections from the internal network to the internet in general by workstations.

    3) Don't allow non-corporate workstations on the corporate LAN. The corp should have a guest LAN that includes internet access for guests and employees' personal devices.

    4) Corporate workstations must have up-to-dat
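Several posts here (this list, and lord_rotorooter's outbound filtering above) come down to the same policy: workstations never reach the Internet directly, only the proxy, the mail relay and the resolver do. Before you flip the firewall's default to DROP on a network that is already infected, it pays to log all forwarded egress for a while and see who would be cut off. The following is an added example, not code from any poster in the thread: it runs that audit offline over iptables-style LOG lines. The policy, the addresses and the log lines are constructed for the example, and the `EGRESS` prefix is assumed to come from a catch-all `-j LOG --log-prefix "EGRESS "` rule on the FORWARD chain.

```python
"""Audit catch-all egress logs against a proxy-only policy (constructed example)."""
import ipaddress
import re
from collections import Counter

# Policy with made-up addresses: the proxy alone reaches the web, the mail relay
# alone speaks SMTP outbound, the internal resolver alone does DNS. Anything else
# that leaves 10.0.0.0/8 directly is a violation, whatever its destination port.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
EGRESS_RULES = [
    # (label, permitted source, protocol, permitted destination ports)
    ("proxy -> web",       ipaddress.ip_network("10.0.5.3/32"),  "TCP", {80, 443}),
    ("mail relay -> SMTP", ipaddress.ip_network("10.0.5.20/32"), "TCP", {25}),
    ("resolver -> DNS",    ipaddress.ip_network("10.0.5.1/32"),  "UDP", {53}),
]

KV_RE = re.compile(r"\b(\w+)=(\S*)")


def parse_netfilter_log(line):
    """Extract src/dst/proto/dport from an iptables/nftables LOG line (key=value fields)."""
    kv = dict(KV_RE.findall(line))
    try:
        return {
            "src": ipaddress.ip_address(kv["SRC"]),
            "dst": ipaddress.ip_address(kv["DST"]),
            "proto": kv.get("PROTO", "").upper(),
            "dport": int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None,
        }
    except (KeyError, ValueError):
        return None  # not a LOG line, or a garbled one


def is_permitted_egress(flow):
    """True if the flow stays internal or matches one of the explicit egress rules."""
    if flow["dst"] in INTERNAL:
        return True  # e.g. workstation -> proxy:3128 is not egress at all
    return any(flow["src"] in net and flow["proto"] == proto and flow["dport"] in ports
               for _, net, proto, ports in EGRESS_RULES)


def audit(log_text):
    """Return (violating flows, Counter of violations per source address)."""
    violations = [f for f in map(parse_netfilter_log, log_text.splitlines())
                  if f and not is_permitted_egress(f)]
    return violations, Counter(str(f["src"]) for f in violations)


# Constructed sample: a workstation talking IRC to the outside, another sending
# mail directly, plus the legitimate proxy, relay and resolver traffic.
SAMPLE_LOG = """\
Mar 22 09:13:01 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49213 DPT=6667 SYN
Mar 22 09:13:02 fw kernel: EGRESS IN=eth1 OUT=eth1 SRC=10.0.1.40 DST=10.0.5.3 LEN=60 PROTO=TCP SPT=50111 DPT=3128 SYN
Mar 22 09:13:02 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.3 DST=203.0.113.44 LEN=60 PROTO=TCP SPT=40021 DPT=80 SYN
Mar 22 09:13:04 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=203.0.113.44 LEN=60 PROTO=TCP SPT=49214 DPT=80 SYN
Mar 22 09:13:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.20 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=33012 DPT=25 SYN
Mar 22 09:13:05 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.5.1 DST=192.0.2.53 LEN=71 PROTO=UDP SPT=53 DPT=53
Mar 22 09:13:09 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.31 DST=192.0.2.99 LEN=60 PROTO=TCP SPT=1034 DPT=25 SYN
Mar 22 09:13:31 fw kernel: EGRESS IN=eth1 OUT=eth0 SRC=10.0.1.23 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=49215 DPT=6667 SYN
Mar 22 09:13:40 fw kernel: EGRESS IN=eth1 OUT=eth1 SRC=10.0.1.40 DST=10.0.5.1 LEN=64 PROTO=UDP SPT=53877 DPT=53
"""

if __name__ == "__main__":
    flows, per_host = audit(SAMPLE_LOG)
    for f in flows:
        print(f"DIRECT {f['src']} -> {f['dst']} {f['proto']}/{f['dport']}")
    print("violations per host:", dict(per_host.most_common()))
```

The sources that pile up in the counter are your candidates: a workstation going straight to port 6667 is the classic IRC-controlled zombie, and a workstation speaking SMTP to the outside is either a spam bot or a misconfigured client, both of which the port-25-from-the-relay-only rule stops. Once the list contains no surprises, the same rule set becomes the ACCEPT rules in front of the DROP default.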

  • by Bearhouse (1034238) on Monday March 22, 2010 @09:52AM (#31567084)

    In addition to the sound advice already given above, I'd suggest also regularly just re-installing everything.
    This sounds scary, but actually has a lot of benefits:
    1. It forces you to get good at configuration management and massive deployment
    2. You can schedule and apply security & application updates in one hit, hence avoiding cross- or retro-infection, and also ensuring that patches really are applied
    3. It forces users to take responsibility for data backup & restore (or at least makes sure you get your centralised system working reliably and transparently)
    4. All the crap that people install 'by accident' but then never use vanishes, and the security holes with them
    5. A lot of miscellaneous error reports will also vanish, as stuff that people had broken is reset (slow PCs, random hangs, network glitches...)

    It sounds like a lot of work, but since I've never found any security product that detects, and then reliably removes, 100% of all known nasties, it's actually the only way to be sure your systems are 100% clean (albeit probably only briefly). You'll also, ultimately, spend less time. NEVER waste time trying to disinfect a machine - reinstall...

  • Long answer: You cannot. (Okay, bad pun.)

    Any system that has humans (especially ones that don't follow proper security protocols) will always have a chance of a virus appearing. It may be a CEO/VP that insists on being able to run something, or some other app that gains admin privileges by an exploit.

    At best, you might be able to use a whitelist app system or something like DeepFreeze to cut down on damage. However, any rogue program (e.g. bounty hunter viruses) that breaks out of sandboxing can still zombif

  • by Virtucon (127420) on Monday March 22, 2010 @09:56AM (#31567184)

    Windows isn't going away, Linux and OSX aren't the cure-alls either.

    I've seen lots of things tried, locking down the desktop even to the point that ActiveX controls couldn't be installed by an end-user. Still, with any XP or Windows 2000 system we had, if you hooked it to the net without some AV or patching applied, within 30 minutes you'd have some virus or malware on it. That was on the company Intranet.

    I think what needs to happen is that network management tools need to start modeling traffic behavior and start watching for abnormal patterns and requests, likewise the Internet is wide open but there's only certain destinations that you really need to go when at work. IPS goes so far but really you need to start identifying traffic patterns and abnormalities in those patterns. Not just for this kind of exploit but for changes in system behavior as well.

    Yes, Port 80 blocks aren't effective, but where is the traffic going? If it's going to Romania or some other place, why is it going there? If your users go to Google, Slashdot and other well known sites, why all of a sudden are they going to ISPs that are known to host botnet controllers?

    I think admins and the industry have put too much emphasis on just fixing the O/S and as Windows holes get filled, there will still be millions of XP systems out there to exploit. A lot of this will start to move to the OSX/Linux community as well, it's just a matter of time because those markets will become victims of their own success. Hackers like a challenge and trust me they'll figure a way out to infect OSX and then the malware companies will start rolling out more products to "protect" those systems as well.
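TheMidget's point earlier in the thread, that zombies are clients which periodically connect to a command-and-control server, and Virtucon's question of where the traffic is going can be turned into a check against the proxy logs you already have. The following is an added example, not code posted by anyone in this thread: it parses Squid native-format access.log lines and flags client/destination pairs whose request intervals are too regular to be a person clicking. The hostnames, addresses and log lines are constructed for the example, and the thresholds (six hits, coefficient of variation of the gaps at or below 0.15) are assumptions to tune against your own baseline.

```python
"""Find beaconing workstations in Squid access.log lines (constructed example)."""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Squid "native" log format, one request per line:
#   time elapsed client code/status bytes method url ident hierarchy/peer content-type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<ctype>\S+)\s*$"
)

# Constructed sample (hosts and addresses are made up, documentation ranges only):
# 10.0.1.23 checks in with c2.example.test every ~5 min with a little jitter,
# 10.0.1.40's webmail page polls every 60 s, the rest is ordinary irregular browsing.
SAMPLE_LOG = """\
1269252000.412    187 10.0.1.23 TCP_MISS/200 612 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269252005.100     92 10.0.1.40 TCP_MISS/200 2301 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252031.200   4021 10.0.1.40 TCP_TUNNEL/200 8844 CONNECT timecard.corp.example:443 - DIRECT/10.0.5.9 -
1269252044.900    310 10.0.1.23 TCP_MISS/200 14822 GET http://news.example.org/ - DIRECT/203.0.113.8 text/html
1269252065.100     88 10.0.1.40 TCP_MISS/200 2290 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252125.100     90 10.0.1.40 TCP_MISS/200 2288 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252185.100     91 10.0.1.40 TCP_MISS/200 2295 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252245.100     89 10.0.1.40 TCP_MISS/200 2301 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252300.917    201 10.0.1.23 TCP_MISS/200 598 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269252305.100     93 10.0.1.40 TCP_MISS/200 2299 GET http://webmail.corp.example/poll - DIRECT/10.0.5.12 text/xml
1269252480.300    255 10.0.1.23 TCP_MISS/200 9031 GET http://news.example.org/story/10/03/22/ - DIRECT/203.0.113.8 text/html
1269252600.118    190 10.0.1.23 TCP_MISS/200 604 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269252901.004    188 10.0.1.23 TCP_MISS/200 611 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269253199.733    192 10.0.1.23 TCP_MISS/200 607 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269253500.265    186 10.0.1.23 TCP_MISS/200 615 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269253800.071    189 10.0.1.23 TCP_MISS/200 609 GET http://c2.example.test/gate.php?id=7a1 - DIRECT/198.51.100.7 text/html
1269253903.600   3870 10.0.1.40 TCP_TUNNEL/200 7210 CONNECT timecard.corp.example:443 - DIRECT/10.0.5.9 -
"""


def parse_line(line):
    """Return the fields we need from one native-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = m["url"]
    # CONNECT requests are logged as "host:port" with no scheme, which urlsplit mishandles.
    host = urlsplit(url).hostname if "://" in url else url.rsplit(":", 1)[0]
    return {"ts": float(m["ts"]), "client": m["client"], "host": host, "status": m["code"]}


def find_beacons(records, min_hits=6, max_cv=0.15, ignore_hosts=()):
    """Flag (client, host) pairs whose inter-request gaps are suspiciously regular.

    cv = stdev(gaps) / mean(gaps). Humans and their browsers are bursty (cv well above 1);
    a bot sleeps a fixed interval, so cv sits near 0 plus whatever jitter its author added.
    Returns sorted tuples (client, host, hits, mean_gap_seconds, clients_seen_on_host).
    """
    stamps = defaultdict(list)
    clients_per_host = defaultdict(set)
    for r in records:
        stamps[(r["client"], r["host"])].append(r["ts"])
        clients_per_host[r["host"]].add(r["client"])
    findings = []
    for (client, host), ts in stamps.items():
        if host in ignore_hosts or len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            findings.append((client, host, len(ts), round(mean, 1), len(clients_per_host[host])))
    return sorted(findings)


def analyse(log_text, ignore_hosts=()):
    """Parse a whole access.log text and return the beacon findings."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return find_beacons(records, ignore_hosts=ignore_hosts)


if __name__ == "__main__":
    for client, host, hits, gap, prevalence in analyse(SAMPLE_LOG, ignore_hosts={"webmail.corp.example"}):
        print(f"{client} -> {host}: {hits} hits every ~{gap}s (host seen from {prevalence} client(s))")
```

The last column (how many clients talk to that host) is there for triage rather than filtering: in the submitter's situation whole networks were infected, so the C2 would look popular. Legitimate pollers such as a webmail refresh, update checkers and RSS readers beacon just as regularly; once identified, put them in `ignore_hosts` rather than loosening the thresholds. A bot that ignores the proxy settings and connects out directly never shows up in this log at all, which is the case for the proxy-only egress policy others in the thread describe.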

  • by ISurfTooMuch (1010305) on Monday March 22, 2010 @10:08AM (#31567482)

    Here's what I'd do.

    First, if you're running XP, know that its standalone user account types are horrible. Administrators can do anything, while limited users often can't do enough, and some programs don't function correctly with this account type. I hate to say it, but this is one of those cases where Vista was an improvement. Its standard user accounts are just about right, so if you have the option to upgrade to Windows 7 (or even Vista), consider it. There are certainly downsides, especially where older hardware is concerned, but better non-administrative accounts are a reason to think about it.

    If you don't want to do that, then filtering is your next step. First, shore up the browser by making sure its anti-phishing filters are turned on. Another level of filtering/user advising can be performed by McAfee SiteAdvisor (http://www.siteadvisor.com). Its main benefit is that it will place advisory icons next to search engine results, indicating the site's risk. Show these to your users, and teach them what they mean. If you're running Firefox, install AdBlock Plus. That will filter out malware coming in through infected ad servers.

    Next, you can use OpenDNS as a DNS filtering solution. This will let you block sites that folks shouldn't be visiting at work...MySpace, Facebook...did I mention MySpace and Facebook.

    Next, consider whether or not you need your users to have Flash, since it is yet another avenue for infection. Unfortunately, some sites rely on it for basic functionality, so there may be some reason to leave it in, but if you do, MySpace and Facebook (especially MySpace) should be blocked.

    Finally, look at your e-mail, since I'd be willing to bet that malware is coming in by that route. What anti-spam measures is your mail server running? If you aren't sure how well they're working, take a look at the mail your users are receiving daily. And, just in case you aren't doing this, make damn sure users know that their work addresses shouldn't be receiving personal mail, no exceptions. Let the pictures of kittens, puppies, and dancing babies go somewhere else. Put the fear of God in them if nothing else works. Their work addresses are for work, no exceptions.

    You're going to have to fight this battle on an ongoing basis, but you can win if you stay aware of what users are doing and restrict the dangerous stuff.

  • by benjymouse (756774) on Monday March 22, 2010 @12:17PM (#31570328)
    1. Use a reputable antivirus/antimalware suite. (You probably already do)
    2. Never allow users to run as admins on the boxes. If some user types must be able to do so (like developers), isolate those in a separate OU for which you can design specific policies.
    3. Use a WSUS server which will let you control which patches are available. Instead of evaluating/testing if/when to allow a patch through, consider segmenting the clients/servers and doing a gradual rollout of all patches (like 15% the first day (Tuesday), 35% the next day and the rest on the 3rd day). This will lower the risk of a bad patch messing everything up but will ensure a fast rollout.
    4. Use Network Access Protection (only available for Vista/7 clients IIRC). This is a service which will use an agent program to ensure that the client meets certain policies, like patch level. The clients which do not meet requirements should be quarantined and only allowed to download from the WSUS server. This way you can ensure that old machines do not suddenly appear on the network in an unpatched state.
    5. Use Windows 7 or Vista clients. These have much better protection against e.g. memory corruption bugs and support integrity levels for e.g. Internet Explorer 7+ and Chrome.
    6. Use Chrome or IE8 as browsers. Both are designed with proper sandboxing in mind. IE8 is more AD-policy friendly and can be locked down pretty tightly. Chrome is less of a target but is somewhat harder to manage in an enterprise.
    7. Consider an OU for "vanilla users" with a policy which includes Applocker rules. With Applocker you can whitelist applications signed with certain signatures to execute and prevent all others. I.e. you can allow digitally signed MS, Adobe, Apple, Google apps to execute and bar all others. In-house apps can be self-signed (no need to buy an expensive cert).
    8. Filter dangerous content at the firewall, e.g. block "executable content". Consider subscribing to a reputation service which can block pr0n and warez sites etc.
    9. Lastly, for the ultimate in client resilience, consider deploying Microsoft SteadyState. With SteadyState you can set up policies to virtualize harddisks so that any change to the system partition will be reverted on every reboot. It can still be set to allow automatic patching.
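For item 3, the staged rollout needs a cohort assignment that is stable from one patch Tuesday to the next; if the 15% canary ring is drawn fresh each month, a machine that broke on a bad patch last month may be in the last ring this month and you learn nothing from the canaries. The following is an added example, not benjymouse's code: it assigns hosts to rings by hashing the hostname, so membership is deterministic and needs no database. The ring names and percentages are the ones in the post; the 400-host fleet is made up.

```python
"""Deterministic patch rings for a staged WSUS-style rollout (constructed example)."""
import hashlib

# Ring sizes in percent, per the 15% / 35% / rest split suggested in the post.
RINGS = [("day1", 15), ("day2", 35), ("day3", 50)]


def ring_for(hostname, rings=RINGS):
    """Map a host to a ring by hashing its (case-folded) name.

    The hash is uniform, so ring sizes converge on the configured percentages, and it is
    stable, so a host stays in its ring across patch cycles and across tool reruns.
    """
    if sum(pct for _, pct in rings) != 100:
        raise ValueError("ring percentages must sum to 100")
    bucket = int(hashlib.sha256(hostname.lower().encode()).hexdigest(), 16) % 100
    edge = 0
    for name, pct in rings:
        edge += pct
        if bucket < edge:
            return name
    return rings[-1][0]  # not reached while the percentages sum to 100


def plan(hostnames, rings=RINGS):
    """Group hosts by ring: {ring_name: sorted list of hostnames}."""
    groups = {name: [] for name, _ in rings}
    for host in hostnames:
        groups[ring_for(host, rings)].append(host)
    return {name: sorted(members) for name, members in groups.items()}


# Constructed fleet of 400 workstations.
FLEET = [f"ws-{i:04d}.corp.example" for i in range(1, 401)]

if __name__ == "__main__":
    for name, members in plan(FLEET).items():
        print(f"{name}: {len(members)} hosts, e.g. {members[:3]}")
```

The groups map directly onto WSUS computer groups with staggered deadlines, and because membership is derived from the name, a rebuilt or renamed machine lands in a predictable ring with no state to keep. Hashing alone does not spread the rings across sites or business units, so sanity-check the groups against that before the first cycle; a canary ring that happens to contain every machine in one branch office is no canary.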
