How To Avoid a Botnet Infection?

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
  • by MasterOfMagic ( 151058 ) on Monday March 22, 2010 @09:09AM (#31566134) Journal

    Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it, or because your virus definition files are out of date because your 30-day trial has expired or you're not connected to the Internet or the software fails to automatically update or your anti-virus software has been compromised or switched off), your anti-virus software has a very slim chance of picking up something malicious.

    That is why an anti-virus package wouldn't stop threats newer than its definition files.

  • Suggestions (Score:5, Informative)

    by Z34107 ( 925136 ) on Monday March 22, 2010 @09:13AM (#31566210)

    A few suggestions from my experience as a technician:

    • Keep vulnerable programs off of your base image. We saw infections go down dramatically after removing Java and replacing Adobe Acrobat Reader with something else.
    • Uninstall Internet Explorer if you can. Unless you're running Windows 7, the easiest way to "uninstall" it is to change the permissions on iexplore.exe to Deny for the Everyone account.
    • Lock down computers as much as you can with Group Policy, especially if you have a Windows Server infrastructure.
    • If you can, deploy Windows Steady State if you're using XP or purchase Faronics DeepFreeze. They're both ways of preventing permanent changes to your base image (installation of programs, modification of files) by users. If a Frozen machine gets infected, reboot it.
    • Don't license McAfee. It's worthless.
  • Re:educate (Score:3, Informative)

    by Scutter ( 18425 ) on Monday March 22, 2010 @09:14AM (#31566228) Journal

    teach all the workers about security. disable autorun on all machines. don't let them run as admins. use noscript and adblock and foxit (or similar). update windows and AV regularly...

    Education is a red herring. It doesn't work. Non-technical people know how to turn their computer on and do their day's work, and that's about it. If you change a single menu item they are completely lost, even a day after formal training. Constant remedial training costs more and is more time consuming than recovering from an outbreak.

    Many (poorly written) enterprise applications won't run properly without admin rights to the PC, so restricting admin access is often not possible. Keeping Windows up-to-date is a must, but AV is almost useless these days as the primary attack vector is via spyware, not viruses. There is no good on-access anti-spyware software out there. Even the "best" is only about 80% effective, which is as good as useless.

  • Re:Yeah... (Score:5, Informative)

    by ZeroPly ( 881915 ) on Monday March 22, 2010 @09:47AM (#31566996)

    The military has reversed its policy on USB drives - because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security - unless you're lazy and don't care much about your users actually working.

    IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.

    There is no quick answer to this. You can't ask "how do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.

  • Block outbound SMTP (Score:5, Informative)

    by pushf popf ( 741049 ) on Monday March 22, 2010 @09:52AM (#31567086)
    • Block all outbound (to the internet) connections to any ports except 443 and 80 from any machines that don't have a legitimate business need. (This won't help you much but will save the rest of us when you do get hit.)
    • Block all incoming email that isn't plain text.
    • Require authentication on your outbound mail server.
    • Install a filtering web proxy and block everything except plain HTML and images. (This actually isn't foolproof, since there are some image rendering vulnerabilities.)
    • Your users will be really pissed off but the infection rate will be way down.
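    The egress policy from the first and third points above, written out as a Windows Firewall configuration. This is an added example and not code from the thread or from any poster; it uses the NetSecurity cmdlets (Windows 8 / Server 2012 and later, run from an elevated prompt), and every address in it is an assumed placeholder for your own ranges and mail relay.

```powershell
# Added example, not from the thread: workstation egress policy in the spirit of the
# comment above (default-deny outbound, web only to the Internet, SMTP only to the relay).
# Requires the NetSecurity module (Windows 8 / Server 2012+) and an elevated prompt.
# All addresses below are assumed placeholders.
$InternalNets = @('10.0.0.0/8', '192.168.0.0/16')   # assumed: your RFC 1918 ranges
$MailRelay    = '203.0.113.25'                      # assumed: the authenticated submission host

# 1. Default-deny outbound on every profile and log what gets dropped. A zombie usually
#    shows up in this file as a burst of blocked port-25 or odd high-port connections.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultOutboundAction Block `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Internal traffic (AD, file shares, WSUS, printers) stays unrestricted. Note that
#    Windows evaluates explicit Block rules before Allow rules, so carve out with Allow
#    rules against the default block rather than adding Block rules on top.
New-NetFirewallRule -DisplayName 'Egress: internal networks' `
    -Direction Outbound -Action Allow -RemoteAddress $InternalNets

# 3. To the Internet, only HTTP/HTTPS. If the filtering proxy from the same comment is in
#    place, replace 'Any' with the proxy's address and port to narrow this further.
New-NetFirewallRule -DisplayName 'Egress: web (80/443)' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress Any -RemotePort 80, 443

# 4. SMTP leaves the workstation only towards the relay that requires authentication.
#    The relay may sit outside the internal ranges (hosted mail), hence its own rule;
#    direct port-25 connections to anything else fall through to the default block.
New-NetFirewallRule -DisplayName 'Egress: SMTP to relay only' `
    -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $MailRelay -RemotePort 25, 587

# 5. Review the resulting rule set before exporting the same commands to a GPO
#    (add -PolicyStore 'yourdomain\GPO name' to New-NetFirewallRule).
Get-NetFirewallRule -DisplayName 'Egress:*' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize
```

    Roll this out to one OU first and read pfirewall.log for a few days before widening it: the drops it records are the list of legitimate services you forgot (software updaters, VPN, VoIP), and each one gets its own narrowly scoped Allow rule rather than a return to open egress.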
  • Re:No (Score:5, Informative)

    by 0100010001010011 ( 652467 ) on Monday March 22, 2010 @09:54AM (#31567118)

    So make it a persistent state. Every computer lab on campus had a 'deep freeze' piece of software installed.

    You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

    I'm sure such software works for Linux (if not just get a Live CD/LiveUSB).

    Disable executable access for anything running on a shared drive and there shouldn't be any way for them to permanently do any damage.

    No matter how they screw a computer up, a reboot will fix it.

  • by jscott ( 11965 ) on Monday March 22, 2010 @10:04AM (#31567390) Homepage

    In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP White Listing. These two changes alone greatly reduced not only issues with crap-ware infections, but greatly reduced technician support time requirements.

    The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.

    I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.

  • by ISurfTooMuch ( 1010305 ) on Monday March 22, 2010 @10:08AM (#31567482)

    Here's what I'd do.

    First, if you're running XP, know that its standalone user account types are horrible. Administrators can do anything, while limited users often can't do enough, and some programs don't function correctly with this account type. I hate to say it, but this is one of those cases where Vista was an improvement. Its standard user accounts are just about right, so if you have the option to upgrade to Windows 7 (or even Vista), consider it. There are certainly downsides, especially where older hardware is concerned, but better non-administrative accounts are a reason to think about it.

    If you don't want to do that, then filtering is your next step. First, shore up the browser by making sure its anti-phishing filters are turned on. Another level of filtering/user advising can be performed by McAfee SiteAdvisor (http://www.siteadvisor.com). Its main benefit is that it will place advisory icons next to search engine results, indicating the site's risk. Show these to your users, and teach them what they mean. If you're running Firefox, install AdBlock Plus. That will filter out malware coming in through infected ad servers.

    Next, you can use OpenDNS as a DNS filtering solution. This will let you block sites that folks shouldn't be visiting at work...MySpace, Facebook...did I mention MySpace and Facebook.

    Next, consider whether or not you need your users to have Flash, since it is yet another avenue for infection. Unfortunately, some sites rely on it for basic functionality, so there may be some reason to leave it in, but if you do, MySpace and Facebook (especially MySpace) should be blocked.

    Finally, look at your e-mail, since I'd be willing to bet that malware is coming in by that route. What anti-spam measures is your mail server running? If you aren't sure how well they're working, take a look at the mail your users are receiving daily. And, just in case you aren't doing this, make damn sure users know that their work addresses shouldn't be receiving personal mail, no exceptions. Let the pictures of kittens, puppies, and dancing babies go somewhere else. Put the fear of God in them if nothing else works. Their work addresses are for work, no exceptions.

    You're going to have to fight this battle on an ongoing basis, but you can win if you stay aware of what users are doing and restrict the dangerous stuff.

  • Re:Yeah... (Score:4, Informative)

    by TheRaven64 ( 641858 ) on Monday March 22, 2010 @10:44AM (#31568318) Journal
    Ah, VMS, the only OS to be banned from Defcon for being too secure. They had to invent a 'must run on x86' rule to keep it out.
  • by Nkwe ( 604125 ) on Monday March 22, 2010 @11:34AM (#31569454)

    and SRP stands for?

    Software Restriction Policies. It allows you to white list applications at the binary executable level. It is a feature of the Group Policy Object (GPO) infrastructure that is part of Microsoft's Active Directory (AD).

  • by benjymouse ( 756774 ) on Monday March 22, 2010 @12:17PM (#31570328)
    1. Use a reputable antivirus/antimalware suite. (You probably already do)
    2. Never allow users to run as admins on the boxes. If some user types must be able to do so (like developers), isolate those in a separate OU for which you can design specific policies.
    3. Use a WSUS server which will let you control which patches are available. Instead of evaluating/testing if/when to allow a patch through, consider segmenting the clients/servers and do a gradual rollout of all patches (like 15% the first day (Tuesday), 35% the next day and the rest on the 3rd day). This will lower the risk of a bad patch messing everything up but will ensure a fast rollout.
    4. Use Network Access Protection (only available for Vista/7 clients IIRC). This is a service which will use an agent program to ensure that the client meets certain policies, like patch level. The clients which do not meet requirements should be quarantined and only allowed to download from the WSUS server. This way you can ensure that old machines do not suddenly appear on the network in an unpatched state.
    5. Use Windows 7 or Vista clients. These have much better protection against e.g. memory corruption bugs and support integrity levels for e.g. Internet Explorer 7+ and Chrome.
    6. Use Chrome or IE8 as browsers. Both are designed with proper sandboxing in mind. IE8 is more AD-policy friendly and can be locked down pretty tightly. Chrome is less of a target but is somewhat harder to manage in an enterprise.
    7. Consider an OU for "vanilla users" with a policy which includes Applocker rules. With Applocker you can whitelist applications signed with certain signatures to execute and prevent all others. I.e. you can allow digitally signed MS, Adobe, Apple, Google apps to execute and bar all others. In-house apps can be self-signed (no need to buy an expensive cert).
    8. Filter dangerous content at the firewall, e.g. block "executable content". Consider subscribing to a reputation service which can block pr0n and warez sites etc.
    9. Lastly, for the ultimate in client resilience, consider deploying Microsoft SteadyState. With SteadyState you can set up policies to virtualize harddisks so that any change to the system partition will be reverted on every reboot. It can still be set to allow automatic patching.
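    Item 7 above, the SRP explanation further up the thread, and the point about denying execution from shared drives all describe the same control: an executable whitelist. The block below is an added example, not code from the thread or any poster, showing how that whitelist is built from a clean reference machine and dry-run with the AppLocker cmdlets (Windows 7 Enterprise/Ultimate or Server 2008 R2 and later). The in-house application directory is an assumed path.

```powershell
# Added example, not from the thread: build and dry-run an AppLocker executable whitelist
# as item 7 describes. Needs the AppLocker module and an elevated prompt on a clean
# reference image. $InHouseDir is an assumed path for unsigned line-of-business tools.
Import-Module AppLocker

$InHouseDir = 'C:\LOB\Apps'                      # assumed: unsigned in-house applications
$PolicyXml  = "$env:TEMP\applocker-whitelist.xml"

# 1. Inventory executables on the reference image. Signed files yield publisher rules
#    (which survive vendor updates); unsigned ones fall back to hash rules.
$files = @(
    Get-AppLockerFileInformation -Directory $env:SystemRoot   -Recurse -FileType Exe
    Get-AppLockerFileInformation -Directory $env:ProgramFiles -Recurse -FileType Exe
    Get-AppLockerFileInformation -Directory $InHouseDir       -Recurse -FileType Exe
)

# 2. Generate the rule set for Everyone. -Optimize collapses per-file publisher rules
#    into one rule per publisher/product so the policy stays reviewable.
New-AppLockerPolicy -FileInformation $files -RuleType Publisher, Hash `
    -User Everyone -RuleNamePrefix Baseline -Optimize -Xml |
    Out-File -FilePath $PolicyXml -Encoding UTF8

# 3. Dry-run against binaries in user-writable locations. Once the Exe collection is
#    enforced, anything matching no rule (downloads, temp, mapped network drives) is
#    denied by default, which is exactly the shared-drive effect asked for above.
Get-ChildItem -Path "$env:USERPROFILE\Downloads", $env:TEMP -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
    Convert-Path |
    Test-AppLockerPolicy -XmlPolicy $PolicyXml -User Everyone -Filter Denied, DeniedByDefault |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. AppLocker only enforces while the Application Identity service is running.
#    (On recent Windows 10 builds the service is protected; use
#    `sc.exe config appidsvc start= auto` instead of Set-Service.)
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 5. Apply locally, merging with any existing rules. Run with EnforcementMode="AuditOnly"
#    on the Exe RuleCollection first and watch the AppLocker/EXE and DLL event log for
#    what would have been blocked, then switch to "Enabled" and import the same XML into
#    the OU's GPO with Set-AppLockerPolicy -Ldap.
Set-AppLockerPolicy -XmlPolicy $PolicyXml -Merge
```

    Two things to keep in the policy that this script does not add: an allow rule for the local Administrators group so support staff are never locked out, and the default rules for the Windows and Program Files directories if you would rather not maintain hash rules for every system binary. The audit-mode pass is where the "poorly written enterprise applications" mentioned earlier in the thread surface as denied events; each one is a candidate for a hash or self-signed publisher rule rather than a reason to widen the policy.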
  • by omnichad ( 1198475 ) on Monday March 22, 2010 @12:23PM (#31570454) Homepage

    Microsoft "fixed it" with Windows 7 and Vista. But in doing so, they broke a lot of older software. A LOT of software was written to require higher privileges than necessary, because almost all users were running as an Administrator by default, and they never put any thought into it. The new security model forces the restrictions on administrator accounts and user accounts alike, and coders finally started coding properly. Most new stuff does run on a proper security model - but there is a lot of old code out there that has no chance of being updated. The only solution in Vista/7 is to run those applications as an administrator.
