How To Avoid a Botnet Infection?

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reasons we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

Yeah...

[Pojut]

...I'm going to go ahead and guess the general answer most people around here are going to give.

Linux or OSX.

AmIright?

No

[Anonymous Coward]

Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.

Re:Yeah...

[Magorak]

Unfortunately you are probably right.

educate

[orange47]

teach all the workers about security. disable autorun on all machines. dont let them run as admins. use noscript and adblock and foxit (or similar). update windows and AV regularly...

block some email attachments and facebook

[alen]

where i work we've been blocking a long list of email attachments like exe's and others. few years ago we also started blocking facebook.

  i set it up years ago and don't remember myself. we're all windows and have never been zombified. you can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over facebook and twitter

Re:What gets around Firewalls and AVS?

[Chrisq]

Well, a firewall is usually configured to let some things in; if you give your users internet access then you are at risk of them downloading a virus form the internet, similarly emails may tempt people to open executable attachments.

Virus writers are constantly trying to find ways to circumvent antivirus programs. Regularly applying updates helps, but you could still be one of the first people hit by a new virus. Once infected some viruses interfere with AV programs so that they can't be removed even by later versions.

Is it really necessary to ask?

[magamiako1]

It really depends on the size of the companies and the resources they're willing to spend on proper security. You should do a cost analysis of the downtime, not to mention the IT time required to fix the ecosystem. You can do it in waves, and some changes will be more well received than others.

#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.

#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. if you're on XP, your best solution is likely something from say Symantec, Mcafee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.

#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.

#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.

These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?

Re:Yeah...

[beh]

Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a linux machine... Even though it *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing linux would have been secure enough.

But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)

I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...

I hope Taco doesn't work in IT

[Blakey Rat]

I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.

Do you mean web *server*?

The vast, vast, vast majority of companies are going to need port 80 (and 443) opened. I don't know the last time you stepped into a corporate environment, Taco, but that's how you do your timecard, put your vacation time on the calendar, sometimes how you answer email even.

Re:Yeah...

[lordandmaker]

If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It cant be secured, its like going down the rapids in a colander while trying to plug the holes with cabbage.

Thing is, though, *everyone* running Windows treats it as holey, exploitable and generally unsafe. So they apply every security mechanism they can, they bother to audit things, and generally treat it as a dangerous thing that needs attention.

Too many Linux/OSX users sit there thinking "I use Unix. I have no need for security software". Especially the ones who were sold the idea on the grounds that 'there are no viruses for this'.

Re:Yeah...

[jimicus]

We've been hoping for competent users (and trying to educate people into competence) for decades. Hasn't happened yet - probably because the usual result of your computer getting a virus which wasn't automatically blocked is you have a legitimate excuse to do no work until such time as someone can clean up the mess.

Re:Yeah...

[Lorien_the_first_one]

Amiga.

The new meme "Terry Childs approach"

[way2trivial]

the only way to secure the system- is don't let anyone into the system

Re:I hope Taco doesn't work in IT

[Anonymous Coward]

You missed the vast, vast, vast majority of the joke.

Re:Yeah...

[Runaway1956]

Mod parent to at least +50 insightful. Despite all the bragging that Microsoft and MS fanbois do, the botnets are still constructed with Windows. When that changes, then we can discuss that little issue again.

Meanwhile, migrate to a more secure operating system.

Re:Yeah...

[fuzzyfuzzyfungus]

I don't buy the "competent users" argument.

It is definitely the case that incompetence users can cause system compromises. "Ooh, free smilies!"(though, IT should ideally have blocked most of their most common avenues of idiocy.

However, in a world where you can get compromised just by going to a perfectly legitimate website that happens to be running a flash ad with an embedded zero-day of some flavor, the idea that "competence" is going to save you is an unpleasant mixture of naiveté and adherence to the just-world hypothesis [scu.edu].

Competence doesn't hurt, and is always a desirable quality; but it is a near-worthless foundation for a security system. First and foremost, there are many attacks from which competence will not save you. Second, and also pretty important, is that any organization of reasonable size is going to contain people hired for their competence in something other than computer security. The pool of people competent in skill X and computer security is always smaller than the pool of people competent in skill X. Even if the former pool is large enough to fulfil your needs, recruiting from it will cost more than recruiting from the entire skill X pool. Competent users are a nice perk, when they happen; but depending on them is folly.

Re:What gets around Firewalls and AVS?

[Drethon]

Knowing how to write a basic non-networked application with no memory leaks is not the same as knowing how a bot hacks into an OS. I'll look into that if I ever get hired by M$. Meinwhile there are not too many bots trying to hack into my avionics navigation software (Though with Datalink and similar aplications I'm sure this is coming. Still the OS guy's job, not the flight management and navigation developer's).

Re:block some email attachments and facebook

[coofercat]

Just a decent email filtering solution would probably do what you want, and not look like you were making unilateral decisions. One place I used to work used MessageLabs, which used to report to me just how frequently people were about to receive something dangerous (which for a 20 people company was surprisingly frequently - and more surprising would be the sales people asking to have something taken out of quarantine because 'it might be useful' when it looked pretty obvious it was spam/scam/malware).

If you don't like the various vendors doing it for you, then you can do it yourself, but honestly, the quickest win would probably to out-source the work for now and move it in-house later on if you decide you want to.

I'm not a big fan of these corporate website blockers - however, logging where people go at the firewall can be useful - especially if you find a correlation between infections and the 'colourfulness' of the sites people visit. Of course, you need strong management to actually do something about it. I suspect that taking networks off the Internet is getting you some attention, so it's possible you may be able to direct that attention where it's deserved.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:The new meme "Terry Childs approach"

[v1]

the only way to secure the system- is don't let anyone into the system

Where is my "+1 insightful" when I need it??!

Re:Yeah...

[TheCarp]

An old boss of mine used to call it the "Soft creamy center security model".

He was also the one who had us implementing packet filtering on each and every individual box. It was some work, but it was worth it.

Compartmentalization is good, if you are smart about it.

Another good analogy is "Defense in depth". Should you have a firewall? Yes. You should also patch regularly, sniff packets with an IDS, packet filter on every machine, run tripwire (or equivalent), have antivirus (on platforms that require it :cough: windows :cough:), seperate users segments from server segments, seperate out a DMZ for services, have a password policy, educate users.

No one of those things is going to protect you fully. All of them together, has a good chance of making you a far less appealing target with a very unsatisfying and sour center, rather than soft and chewy goodness.

-Steve

Re:Yeah...

[gparent]

Not that that's MS' problem, but yes.

Re:Yeah...

[cbiltcliffe]

But those 90% of incompetents are voters, and vote themselves on.

That's because each and every one of those 90% that are incompetent thinks that there's actually 90% - 1 that are incompetent.

Either that, or they're so boneheaded that they don't realize that _anybody's_ actually incompetent.

That's usually my test for incompetence. If I can't see that 90% of the people trying to do "Activity A" are incompetent, then I have no clue what I'm doing, because I must be one of those 90%.

Re:No

[spazdor]

They'll have to install it as a superuser, or else the rootkit will have to exploit a local privilege escalation on the workstation.

Thoughtful selection of your OS/platform can mitigate this risk. (for instance, what if *all* user activities were done in a virtualbox?)

Re:Block outbound SMTP

[Chris Mattern]

In my world, if someone takes the time to add formatting to an email, it's usually for good reason and makes it more readable

In my world, if someone takes the time to add formatting to an email, it's usually to use a really ugly font and add a distracting, busy background that makes my eyes bleed.