How To Avoid a Botnet Infection?
Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are being taken off the grid as we speak. We thought we had taken precautions against infection, such as firewalls and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest blocking port 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
Re:What gets around Firewalls and AVS? (Score:3, Informative)
Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it, or because your virus definition files are out of date since your 30-day trial has expired, you're not connected to the Internet, the software fails to automatically update, or your anti-virus software has been compromised or switched off), your anti-virus software has a very slim chance of picking up something malicious.
That is why an anti-virus package wouldn't stop threats newer than its definition files.
Suggestions (Score:5, Informative)
A few suggestions from my experience as a technician:
Re:educate (Score:3, Informative)
Teach all the workers about security. Disable autorun on all machines. Don't let them run as admins. Use NoScript and AdBlock and Foxit (or similar). Update Windows and AV regularly...
Education is a red herring. It doesn't work. Non-technical people know how to turn their computer on and do their day's work, and that's about it. If you change a single menu item they are completely lost, even a day after formal training. Constant remedial training costs more and is more time-consuming than recovering from an outbreak.
Many (poorly written) enterprise applications won't run properly without admin rights to the PC, so restricting admin access is often not possible. Keeping Windows up-to-date is a must, but AV is almost useless these days as the primary attack vector is via spyware, not viruses. There is no good on-access anti-spyware software out there. Even the "best" is only about 80% effective, which is as good as useless.
Re:Yeah... (Score:5, Informative)
The military has reversed its policy on USB drives, because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security, unless you're lazy and don't care much about whether your users can actually work.
IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.
There is no quick answer to this. You can't ask "how do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.
Block outbound SMTP (Score:5, Informative)
Your users will be really pissed off but the infection rate will be way down.
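Blocking outbound port 25 at the perimeter has a second benefit the comment does not spell out: once only the sanctioned relay may talk to the Internet on TCP/25, every other internal host that still tries is almost certainly running a spam bot, and the firewall's own log tells you which ones. The script below is an added example, not code from the original discussion. It parses a generic key=value firewall log (a constructed format and constructed addresses, not any particular product's output), ignores the legitimate relay and mail sent to it, and reports every other internal host that reached or attempted to reach an external mail server on port 25, ranked by how many distinct destinations it contacted. Denied attempts count too, since after the block is in place they are the signal.

```python
"""Find internal hosts sending mail directly to the Internet on TCP/25.

Added example. The log format, the internal ranges and the relay address are
all constructed assumptions for illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical internal address space and the one sanctioned outbound relay.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
MAIL_RELAY = ip_address("10.0.0.25")

# Constructed key=value log format: "<ts> ALLOW|DENY proto=tcp src=ip:port dst=ip:port".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>tcp|udp) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: the relay sends mail (fine), 10.0.1.42 talks to the
# relay (fine), 10.0.1.17 sprays four external MX hosts, 10.0.1.99 is blocked.
SAMPLE_LOG = """\
2009-01-01T09:00:01 ALLOW proto=tcp src=10.0.0.25:41000 dst=203.0.113.10:25
2009-01-01T09:00:02 ALLOW proto=tcp src=10.0.1.17:49152 dst=203.0.113.10:25
2009-01-01T09:00:02 ALLOW proto=tcp src=10.0.1.17:49153 dst=198.51.100.7:25
2009-01-01T09:00:03 ALLOW proto=tcp src=10.0.1.17:49154 dst=198.51.100.8:25
2009-01-01T09:00:04 ALLOW proto=tcp src=10.0.1.17:49155 dst=203.0.113.99:25
2009-01-01T09:00:05 ALLOW proto=tcp src=10.0.1.42:49000 dst=203.0.113.50:80
2009-01-01T09:00:06 ALLOW proto=tcp src=10.0.1.42:49001 dst=10.0.0.25:25
2009-01-01T09:00:07 DENY proto=tcp src=10.0.1.99:50000 dst=198.51.100.9:25
"""


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_direct_senders(log_text, relay=MAIL_RELAY):
    """Return {src: {"destinations": [...], "allowed": n, "denied": n}} for
    every internal host other than the relay that opened (or tried to open)
    a TCP/25 connection to an address outside the internal ranges."""
    hits = defaultdict(lambda: {"destinations": set(), "allowed": 0, "denied": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["proto"] != "tcp" or m["dport"] != "25":
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if not is_internal(src) or src == relay:
            continue  # inbound traffic or the sanctioned relay itself
        if is_internal(dst):
            continue  # mail handed to an internal server is the expected path
        entry = hits[src]
        entry["destinations"].add(dst)
        entry["allowed" if m["action"] == "ALLOW" else "denied"] += 1
    return {
        str(src): {
            "destinations": [str(d) for d in sorted(e["destinations"])],
            "allowed": e["allowed"],
            "denied": e["denied"],
        }
        for src, e in hits.items()
    }


def rank_suspects(report):
    """Hosts ordered by the number of distinct external mail servers contacted;
    a bot fans out to many MX hosts, a misconfigured client usually hits one."""
    return sorted(report, key=lambda h: len(report[h]["destinations"]), reverse=True)


if __name__ == "__main__":
    report = find_direct_senders(SAMPLE_LOG)
    for host in rank_suspects(report):
        e = report[host]
        print(f"{host}: {len(e['destinations'])} external MX hosts, "
              f"{e['allowed']} allowed, {e['denied']} denied")
```

Feed it the real firewall log after adjusting `LOG_RE`, `INTERNAL_NETS` and `MAIL_RELAY` to the environment; a workstation at the top of the ranking with many distinct destinations is the one to pull off the network first.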
Re:No (Score:5, Informative)
So make it a persistent state. Every computer lab on campus had a 'deep freeze' piece of software installed.
You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.
I'm sure such software works for Linux (if not just get a Live CD/LiveUSB).
Disable executable access for anything running on a shared drive and there shouldn't be any way for them to permanently do any damage.
No matter how they screw a computer up, a reboot will fix it.
Re:In an ideal world... (Score:5, Informative)
In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP white listing. These two changes alone not only greatly reduced issues with crap-ware infections, but also greatly reduced technician support time requirements.
The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.
I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.
Restrict what users can do (Score:3, Informative)
Here's what I'd do.
First, if you're running XP, know that its standalone user account types are horrible. Administrators can do anything, while limited users often can't do enough, and some programs don't function correctly with this account type. I hate to say it, but this is one of those cases where Vista was an improvement. Its standard user accounts are just about right, so if you have the option to upgrade to Windows 7 (or even Vista), consider it. There are certainly downsides, especially where older hardware is concerned, but better non-administrative accounts are a reason to think about it.
If you don't want to do that, then filtering is your next step. First, shore up the browser by making sure its anti-phishing filters are turned on. Another level of filtering/user advising can be performed by McAfee SiteAdvisor (http://www.siteadvisor.com). Its main benefit is that it will place advisory icons next to search engine results, indicating the site's risk. Show these to your users, and teach them what they mean. If you're running Firefox, install AdBlock Plus. That will filter out malware coming in through infected ad servers.
Next, you can use OpenDNS as a DNS filtering solution. This will let you block sites that folks shouldn't be visiting at work...MySpace, Facebook...did I mention MySpace and Facebook.
Next, consider whether or not you need your users to have Flash, since it is yet another avenue for infection. Unfortunately, some sites rely on it for basic functionality, so there may be some reason to leave it in, but if you do, MySpace and Facebook (especially MySpace) should be blocked.
Finally, look at your e-mail, since I'd be willing to bet that malware is coming in by that route. What anti-spam measures is your mail server running? If you aren't sure how well they're working, take a look at the mail your users are receiving daily. And, just in case you aren't doing this, make damn sure users know that their work addresses shouldn't be receiving personal mail, no exceptions. Let the pictures of kittens, puppies, and dancing babies go somewhere else. Put the fear of God in them if nothing else works. Their work addresses are for work, no exceptions.
You're going to have to fight this battle on an ongoing basis, but you can win if you stay aware of what users are doing and restrict the dangerous stuff.
Re:Yeah... (Score:4, Informative)
Re:In an ideal world... (Score:3, Informative)
and SRP stands for?
Software Restriction Policies. It allows you to white list applications at the binary executable level. It is a feature of the Group Policy Object (GPO) infrastructure that is part of Microsoft's Active Directory (AD).
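To make the whitelisting idea from the two SRP comments concrete, here is an added example (not code from the discussion, and not Microsoft's implementation) that models how SRP path rules resolve: the default security level is Disallowed, a rule applies to a folder and everything below it, and when several path rules match, the most specific one wins. That last point is what lets a broad "allow C:\Windows" rule coexist with a narrower "deny C:\Windows\Temp" rule for a user-writable subfolder. The rule set, paths and file names are constructed for illustration; real SRP rules are usually written with %SystemRoot% and %ProgramFiles% and also include hash and certificate rules, which this model leaves out.

```python
"""Model of Software Restriction Policies path-rule evaluation.

Added example, not Microsoft's implementation: default-deny, folder rules
cover their subtree, the longest matching path wins. Paths are constructed.
"""
import ntpath
from dataclasses import dataclass

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"


@dataclass(frozen=True)
class PathRule:
    path: str   # a folder (covers everything beneath it) or an exact file path
    level: str  # UNRESTRICTED or DISALLOWED


# Constructed rule set: allow the OS and installed programs, but deny the
# user-writable Temp folder inside the otherwise trusted Windows tree.
DEFAULT_RULES = [
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
    PathRule(r"C:\Windows\Temp", DISALLOWED),
]


def _norm(path):
    # Windows paths are case-insensitive and accept either separator;
    # ntpath works on any platform, so this runs outside Windows too.
    return ntpath.normpath(path.replace("/", "\\")).lower()


def matches(rule, target):
    r, t = _norm(rule.path), _norm(target)
    if t == r:
        return True                       # exact file rule
    return t.startswith(r + "\\")         # folder rule covers its subtree


def evaluate(target, rules=DEFAULT_RULES, default=DISALLOWED):
    """Return (level, winning_rule_path_or_None) for an executable path.
    Among matching rules the most specific (longest normalized path) wins;
    with no match the default level applies, which is the whitelist behaviour."""
    best = None
    for rule in rules:
        if matches(rule, target):
            if best is None or len(_norm(rule.path)) > len(_norm(best.path)):
                best = rule
    if best is None:
        return default, None
    return best.level, best.path


def audit(paths, rules=DEFAULT_RULES):
    """Map each candidate path to the level it would receive."""
    return {p: evaluate(p, rules)[0] for p in paths}


if __name__ == "__main__":
    # Constructed file names; the last two are where crap-ware typically lands.
    for path, level in audit([
        r"C:\Windows\system32\notepad.exe",
        r"C:\Program Files\App\app.exe",
        r"C:\Windows\Temp\dropper.exe",
        r"C:\Users\bob\AppData\Local\Temp\update.exe",
    ]).items():
        print(f"{level:12} {path}")
```

The case worth noticing is the last two paths: nothing in the rule set names the user's profile, yet the default-deny level blocks it anyway, while the explicit Temp rule is needed only because that folder sits under an allowed tree. Getting the rule set right in practice means walking the allowed trees for folders ordinary users can write to and adding deny rules for each.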
In a Windows network: WSUS + NAP + Vista/7 (Score:3, Informative)
Re:What gets around Firewalls and AVS? (Score:3, Informative)
Microsoft "fixed it" with Windows 7 and Vista. But in doing so, they broke a lot of older software. A LOT of software was written to require higher privileges than necessary, because almost all users were running as an Administrator by default, and they never put any thought into it. The new security model forces the restrictions on administrator accounts and user accounts alike, and coders finally started coding properly. Most new stuff does run on a proper security model - but there is a lot of old code out there that has no chance of being updated. The only solution in Vista/7 is to run those applications as an administrator.