How To Avoid a Botnet Infection?

Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest blocking port 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
  • Users (Score:3, Interesting)

    by oojah ( 113006 ) on Monday March 22, 2010 @08:57AM (#31565948) Homepage

    You'll probably find that most of your problems will go away if you get rid of your users :)

  • by Drethon ( 1445051 ) on Monday March 22, 2010 @08:57AM (#31565954)
    I'm a coder, not IT, so my knowledge of security pretty much stops at installing anti-virus and setting up a firewall. I have not found any problems on my computers, but it is quite possible I've missed active bots with such simple protections.

    So my question is: Are firewall and anti-virus really not that effective, and if so, how do bots get around firewall and anti-virus?
  • Re:Yeah... (Score:2, Interesting)

    by miffo.swe ( 547642 ) <daniel@hedblom.gmail@com> on Monday March 22, 2010 @08:58AM (#31565974) Homepage Journal

    If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.

    If you want to mitigate the problem you can add all sorts of defences, but you will be owned eventually if you stay on Windows. The question is, is it worth all the money? One thing is sure, it's damn expensive to fix Windows up to half-bad.

  • whitelist (Score:3, Interesting)

    by deusmetallum ( 1607059 ) on Monday March 22, 2010 @09:00AM (#31566010)
    Run a program that only allows whitelisted applications, and block all removable media. It's the only way you can be absolutely certain there is nothing running on your network that shouldn't be there. http://en.wikipedia.org/wiki/Whitelist#Application_whitelists [wikipedia.org]
  • XP (Score:5, Interesting)

    by Anonymous Coward on Monday March 22, 2010 @09:04AM (#31566062)

    Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess, if anything, the computers are out of date for their OS patches.

  • In an ideal world... (Score:5, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Monday March 22, 2010 @09:06AM (#31566084) Journal
    You'd be running a lot fewer XP boxes, and much, much meaner firewall rules. In practice, of course, users crying about how they "need" to "get their work done" generally prevents this.

    That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip: with some poking around, you can find a utility from Adobe, an .exe that, when run, removes all versions of Flash; they hide it, but it lurks in the bowels of their site somewhere. You can also find .msi Flash installers. Set up a network share, readable by all your administered machines, writeable only by admins, containing that utility and the .msi for the latest Flash player. Every time Adobe updates, download the newer .msi, and run a script on all your administered PCs that runs the Flash remover and then msiexecs the newest Flash MSI. It's a pain in the ass, but it will save you from some Flash exploits). Updates for all other plugins you are using, plus OS components, should of course be adhered to with the same regularity.

    Assuming that user pushback isn't excessive, stripping executables and .zips from emails will also save you from some common vectors of stupidity.
  • Re:Yeah... (Score:5, Interesting)

    by gandhi_2 ( 1108023 ) on Monday March 22, 2010 @09:10AM (#31566150) Homepage

    No. [networkworld.com] That's not sufficient. [lwn.net]

    Disallowing USB drives helped the military cut down on infections, though.

    How about: users run restricted. Using GPOs: mandatory Windows updates daily with reboot. Automate patching of commonly-used helpers like Flash, Shockwave, Adobe Reader, Firefox, Java. And MS Security Essentials.

    Some rigorous port filters on EVERY machine and iptables rules on routers and l3 switches...a whitelist approach.

  • Re:Yeah... (Score:5, Interesting)

    by ByOhTek ( 1181381 ) on Monday March 22, 2010 @09:13AM (#31566218) Journal

    Yes, that's the general answer. Probably not the correct one.

    *NOTHING* short of educating a user, or massively restricting their privileges on a computer can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of sysinternals software (regmon/diskmon) to figure out where to allow nonprived users to write so that poorly written windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.

    Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).

    I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.

    That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened, whoever did the cracking just got a firewall bypass.

  • by magamiako1 ( 1026318 ) on Monday March 22, 2010 @09:18AM (#31566332)
    A properly implemented firewall solution would guard against all of these things, as a properly implemented solution will also filter layer 7.
  • Re:whitelist (Score:1, Interesting)

    by jaroslaw.fedewicz ( 1539623 ) on Monday March 22, 2010 @09:22AM (#31566426) Journal

    Run a program that only allows whitelisted applications, and block all removable media.

    Now how do you handle that: the Boss sends a PDF memo. PDF is not an executable, alright, the user opens it with the whitelisted Adobe® Reader(TM), and some bad code gets executed via some kind of a buffer overflow Adobe was so generous to include as its bonus package. The problem being, of course, "how dare you restrict the Boss' access to the 'Net? I'm gonna fire you! (The 'Net here means, of course, some clown fetish porn sites and the like, but that's none of your business)"

    Okay, ditch that PDF, send a JPEG. A convenient hole in Microsoft® Outlook(TM), and here go zombies, ready for master's commands, not even having to click anything, just skim through the message.

  • Simple (Score:5, Interesting)

    by rindeee ( 530084 ) on Monday March 22, 2010 @09:25AM (#31566488)
    I am over Cyber Security for a 36k seat enterprise. We've had no infections...period (and yes, we do have monitoring in place to catch behavioral anomalies that indicate zero-day, etc.). Here are the "must do's":

    1. Block social networking sites. Need convincing? Here. http://google.com/safebrowsing/diagnostic?site=facebook.com/ [google.com] or http://google.com/safebrowsing/diagnostic?site=myspace.com/ [google.com] or http://google.com/safebrowsing/diagnostic?site=twitter.com/ [google.com]
    2. Block porn sites. All of them. Use keywords, IP/FQDN blacklists, adaptive/reputation blocking (Trusted Source type technology).
    3. Use a managed AV/AM/HIPS solution such as McAfee ePO/AVE/HIPS/etc. if you can afford it. A good HIPS that does both network and application blocking is essential.
    4. Exhaustively scan e-mail for content, attachments and (most of all) embedded URLs.
    5. Finally, have a good dashboard. We rolled our own using Cacti, Nagios, Drupal and some simple Java, CSS and PHP. You need to be able to visualize things in as close to real time as is possible. Once you've established 'normal', you can spot 'abnormal' visually long before many automated analysis engines will alert you. This allows you to catch the things that may otherwise slip through the cracks.

    This doesn't have to be expensive (well, except for #3, it's expensive). You can scale a Linux based solution with entirely open source tools large enough to cover thousands of concurrent users.
  • by jimicus ( 737525 ) on Monday March 22, 2010 @09:27AM (#31566516)

    So my question is: Are firewall and anti-virus really not that effective, and if so, how do bots get around firewall and anti-virus?

    No, they're not. Trojans are becoming much more adept at avoiding antivirus (mainly because most antivirus is essentially a glorified "grep for this sequence of bytes", which doesn't work very well with polymorphic infectors) and much better at remaining hidden once installed.

    A few years ago it was fairly obvious because an infected computer had all the speed and grace of a slug break-dancing in black treacle and most AV vendors' websites magically stopped working (though actually your browser was being screwed around with) - today that doesn't happen so much.

    Short of the major AV vendors drastically upping their game in very short order (difficult - heuristics scanning is the obvious thing to look at but it's tantamount to the halting problem), I can't really see this situation improving much.

  • Filtering (Score:3, Interesting)

    by lord_rotorooter ( 1482955 ) on Monday March 22, 2010 @09:29AM (#31566568)
    If you have a Cisco ASA 5510 or higher you can purchase the botnet filter for roughly $320 a year. Then enable the filter on your internal interface to block any outbound traffic going to the known botnet IP ranges. I would also recommend blocking unnecessary outbound ports and limiting necessary ports to specific machines (ex. port 25: mail server only outbound). I would also look at setting up a proxy server such as Squid. I would do MIME filtering on untrusted web traffic and perhaps use DansGuardian for prebuilt whitelisting/blacklisting. At my workplace I am fortunate enough to be allowed to do a default deny on the entire internet, only white-listing work related sites (of course I work at a bank). Antivirus should be considered a secondary defense in this day and age. You really need to look at getting an IPS device for your network and then perhaps an aggregated log server if you haven't already. These last two recommendations will cost some money. So short term I would focus on outbound firewall filtering and a proxy server.
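An added example, not from this thread or any of its posters: the whitelist-style outbound filtering that gandhi_2 and lord_rotorooter describe above (default deny, only the mail server may speak SMTP, only the proxy may reach the web), written as policy-as-data in Python. It renders an iptables-restore fragment for a Linux router and can answer "would this flow be forwarded?" for a given source and port, so the policy can be reviewed before it goes anywhere near a firewall. The hosts, addresses and rules are constructed for illustration; eth1 as the LAN side and eth0 facing the internet are assumptions.

```python
"""Egress whitelist as data: render iptables rules and evaluate flows.

Added example, not from the thread. The hosts, addresses and policy below
are constructed; interface names eth1 (LAN) and eth0 (internet) are assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str      # source host or network in CIDR form
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the internet side
    comment: str


# Constructed policy: only the mail relay may send SMTP, only the proxy may
# reach web ports, only the resolver may do DNS. Everything else is dropped,
# so a desktop that tries to reach the internet directly shows up in the log.
POLICY = [
    Rule("10.0.0.25/32", "tcp", 25,  "mail relay -> internet SMTP"),
    Rule("10.0.0.3/32",  "tcp", 80,  "squid proxy -> http"),
    Rule("10.0.0.3/32",  "tcp", 443, "squid proxy -> https"),
    Rule("10.0.0.53/32", "udp", 53,  "internal resolver -> forwarders"),
    Rule("10.0.0.53/32", "tcp", 53,  "internal resolver -> forwarders (tcp)"),
]


def render_iptables(policy, lan_if="eth1", wan_if="eth0"):
    """Return iptables-restore lines for a default-deny FORWARD chain."""
    lines = [
        "*filter",
        ":FORWARD DROP [0:0]",
        ":EGRESS - [0:0]",
        # Replies to flows the EGRESS chain accepted are allowed back in.
        f"-A FORWARD -i {wan_if} -o {lan_if} "
        "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A FORWARD -i {lan_if} -o {wan_if} -j EGRESS",
    ]
    for r in policy:
        lines.append(
            f"-A EGRESS -s {r.src} -p {r.proto} --dport {r.dport} "
            f"-m conntrack --ctstate NEW "
            f'-m comment --comment "{r.comment}" -j ACCEPT'
        )
    # Rate-limited log, then drop: the log line is the detection signal.
    lines.append('-A EGRESS -m limit --limit 10/min '
                 '-j LOG --log-prefix "EGRESS-DENY: "')
    lines.append("-A EGRESS -j DROP")
    lines.append("COMMIT")
    return lines


def egress_allowed(policy, src_ip, proto, dport):
    """Mirror the chain's first-match semantics for a NEW outbound flow."""
    ip = ipaddress.ip_address(src_ip)
    for r in policy:
        if (ip in ipaddress.ip_network(r.src)
                and r.proto == proto and r.dport == dport):
            return True
    return False  # default deny


if __name__ == "__main__":
    print("\n".join(render_iptables(POLICY)))
    for src, proto, port in [("10.0.0.25", "tcp", 25), ("10.0.5.17", "tcp", 25),
                             ("10.0.5.17", "tcp", 80), ("10.0.0.3", "tcp", 443)]:
        verdict = "ACCEPT" if egress_allowed(POLICY, src, proto, port) else "DROP"
        print(f"{src} -> {proto}/{port}: {verdict}")
```

The rendered lines are meant to be fed to iptables-restore on the router; the same policy, applied per host (gandhi_2's "port filters on EVERY machine"), means a desktop's own firewall should only permit the proxy, mail and DNS hosts as destinations. The EGRESS-DENY log prefix is the useful part operationally: a workstation that keeps hitting it on port 25 or 80 is either misconfigured or trying to reach a controller without going through the proxy.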
  • Re:whitelist (Score:2, Interesting)

    by Anonymous Coward on Monday March 22, 2010 @09:32AM (#31566624)
    Except most viruses/botnets also start up their own processes, rather than run in a user process (like Outlook or Adobe), so a whitelist program will stop those processes from running.
  • by obarthelemy ( 160321 ) on Monday March 22, 2010 @09:33AM (#31566664)

    I second that, with some additions.

    1- You can't trust users to be honest, nor working, nor knowledgeable. That means educating them is probably a waste. You need to remove admin rights, block all non-controlled data sources. That means USB, CD, FD, Bluetooth, Wifi, card readers....

    2- In some cases, you may be able/have to use disk images or remote desktops. You can configure those so the users cannot write anything to the disk image, thus ensuring that the OS and Apps are always clean at boot.

  • Re:Suggestions (Score:1, Interesting)

    by Anonymous Coward on Monday March 22, 2010 @09:40AM (#31566812)

    DeepFreeze rocks. I can't imagine running a public lab (I have a few) without it. But for corporate machines, it seems like overkill.

  • by zuki ( 845560 ) on Monday March 22, 2010 @09:40AM (#31566816) Journal
    This is more of a question than anything, as I find this to be a fascinating topic, but have little experience in managing corporate networks.

    At what point does it make sense to have your users having to run all that they do on a virtual machine, which if anything gets compromised can just be rolled back without too much fuss?

    Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?

    Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.

    I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much, seems fairly practical yet transparent to the users. (wish I had mod points for you guys, but not today!)

    But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?

    Sorry for sounding naive, but this is not my area of expertise...
  • by Bearhouse ( 1034238 ) on Monday March 22, 2010 @09:52AM (#31567084)

    In addition to the sound advice already given above, I'd suggest also regularly just re-installing everything.
    This sounds scary, but actually has a lot of benefits:
    1. It forces you to get good at configuration management and massive deployment
    2. You can schedule and apply security & application updates in one hit, hence avoiding cross- or retro-infection, and also ensuring that patches really are applied
    3. It forces users to take responsibility for data backup & restore (or at least makes sure you get your centralised system working reliably and transparently)
    4. All the crap that people install 'by accident' but then never use vanishes, and the security holes with them
    5. A lot of miscellaneous error reports will also vanish, as stuff that people had broken is reset, (slow PCs, random hangs, network glitches...)

    It sounds like a lot of work, but since I've never found any security product that detects, and then reliably removes, 100% of all known nasties, it's actually the only way to be sure your systems are 100% clean (albeit probably only briefly). You'll also, ultimately, spend less time. NEVER waste time trying to disinfect a machine - reinstall...

  • by Virtucon ( 127420 ) on Monday March 22, 2010 @09:56AM (#31567184)

    Windows isn't going away, Linux and OSX aren't the cure-alls either.

    I've seen lots of things tried, locking down the desktop even to the point that Active-X controls couldn't be installed by an end-user. Still, with any XP or Windows 2000 system we had, if you hooked it to the net without some AV or patching applied within 30 minutes you'd have some virus or malware on it. That was on the company Intranet.

    I think what needs to happen is that network management tools need to start modeling traffic behavior and start watching for abnormal patterns and requests, likewise the Internet is wide open but there's only certain destinations that you really need to go when at work. IPS goes so far but really you need to start identifying traffic patterns and abnormalities in those patterns. Not just for this kind of exploit but for changes in system behavior as well.

    Yes, Port 80 blocks aren't effective, but where is the traffic going? If it's going to Romania or some other place, why is it going there? If your users go to Google, Slashdot and other well known sites, why all of a sudden are they going to ISPs that are known to host botnet controllers?

    I think admins and the industry have put too much emphasis on just fixing the O/S and as Windows holes get filled, there will still be millions of XP systems out there to exploit. A lot of this will start to move to the OSX/Linux community as well, it's just a matter of time because those markets will become victims of their own success. Hackers like a challenge and trust me they'll figure a way out to infect OSX and then the malware companies will start rolling out more products to "protect" those systems as well.
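An added example, not from this thread or any of its posters: the "establish normal, then spot abnormal" approach rindeee describes and the destination-oriented questions Virtucon asks above ("where is the traffic going, and why there?"), as one Python pass over outbound connection logs. It builds a per-host baseline of destinations from an earlier window, then flags today's traffic on three grounds: a destination the host never talked to before, connections to one destination on a near-constant timer (bots poll their controller; people browse in bursts), and destinations on a known-bad list. The log format, the hosts, every address (RFC 5737 documentation ranges) and the known-bad network are constructed; a real deployment would feed it firewall or proxy logs and a vendor reputation feed.

```python
"""Baseline-then-anomaly pass over outbound connection logs.

Added example, not from the thread. The log format, the hosts, every address
(RFC 5737 documentation ranges) and the known-bad list are constructed.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed stand-in for a vendor "botnet controller" reputation feed.
KNOWN_BAD_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed "yesterday" (baseline) and "today" connection logs:
# one line per outbound connection: ISO timestamp, then key=value fields.
BASELINE_LOG = """\
2010-03-21T09:01:10 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=51200
2010-03-21T09:03:40 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=8800
2010-03-21T10:12:00 src=10.0.5.17 dst=192.0.2.10 dport=25 bytes=2300
2010-03-21T09:05:00 src=10.0.5.18 dst=198.51.100.5 dport=443 bytes=40100
"""
TODAY_LOG = """\
2010-03-22T09:00:00 src=10.0.5.17 dst=203.0.113.7 dport=8080 bytes=412
2010-03-22T09:01:10 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=60100
2010-03-22T09:03:40 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=9900
2010-03-22T09:05:00 src=10.0.5.17 dst=203.0.113.7 dport=8080 bytes=408
2010-03-22T09:10:00 src=10.0.5.17 dst=203.0.113.7 dport=8080 bytes=415
2010-03-22T09:12:00 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=12000
2010-03-22T09:13:05 src=10.0.5.17 dst=198.51.100.5 dport=443 bytes=7000
2010-03-22T09:15:00 src=10.0.5.17 dst=203.0.113.7 dport=8080 bytes=410
2010-03-22T09:20:00 src=10.0.5.17 dst=203.0.113.7 dport=8080 bytes=409
2010-03-22T09:30:00 src=10.0.5.18 dst=198.51.100.22 dport=80 bytes=15000
"""


def parse_log(text):
    """Turn the log into dicts with ts (datetime), src, dst, dport, bytes."""
    events = []
    for line in text.strip().splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        events.append({"ts": datetime.fromisoformat(ts), "src": rec["src"],
                       "dst": rec["dst"], "dport": int(rec["dport"]),
                       "bytes": int(rec["bytes"])})
    return events


def build_baseline(events):
    """'Normal' = the set of destinations each host talked to before."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["dst"])
    return seen


def new_destinations(baseline, events):
    """(src, dst) pairs never seen in the baseline window."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if e["dst"] not in baseline.get(e["src"], set())})


def beacons(events, min_count=4, max_jitter=0.10):
    """(src, dst, period) where inter-connection gaps are nearly constant.
    Browsing is bursty; a bot polling its controller on a timer is not."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    hits = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = sum(gaps) / len(gaps)
        if period > 0 and all(abs(g - period) / period <= max_jitter for g in gaps):
            hits.append((src, dst, period))
    return hits


def reputation_hits(events):
    """(src, dst) pairs whose destination falls in a known-bad network."""
    return sorted({(e["src"], e["dst"]) for e in events
                   if any(ipaddress.ip_address(e["dst"]) in n for n in KNOWN_BAD_NETS)})


def triage(baseline_text, today_text):
    """Map each suspicious (src, dst) pair to the list of reasons it was flagged."""
    baseline = build_baseline(parse_log(baseline_text))
    today = parse_log(today_text)
    reasons = defaultdict(list)
    for pair in new_destinations(baseline, today):
        reasons[pair].append("destination not in baseline")
    for src, dst, period in beacons(today):
        reasons[(src, dst)].append(f"beaconing every {period:.0f}s")
    for pair in reputation_hits(today):
        reasons[pair].append("destination on known-bad list")
    return dict(reasons)


if __name__ == "__main__":
    for (src, dst), why in triage(BASELINE_LOG, TODAY_LOG).items():
        print(f"{src} -> {dst}: " + "; ".join(why))
```

On the constructed data, 10.0.5.17's 8080 traffic trips all three checks (new, every 300 seconds, bad network) while 10.0.5.18's single visit to a new web host is flagged once and is the kind of thing an analyst glances at and dismisses. The point of stacking reasons rather than alerting on any one of them is exactly the dashboard argument above: a new destination alone is noise, a new destination that also beacons is worth pulling the machine. A real-world version would add small, near-constant payload sizes as a fourth signal and would tolerate the deliberate jitter some bots add by widening max_jitter and requiring more samples.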

  • by randomencounter ( 653994 ) on Monday March 22, 2010 @10:10AM (#31567536)

    I am not aware of the current state of Microsoft security, but it is possible to set up Unix-type systems with non-writable executable partitions, and non-executable mounts for all writable partitions.

    Even that is not 100% proof against malware, but it raises the bar beyond any attack I have seen so far.
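An added example, not from this thread or any of its posters: a check for the rule randomencounter states above (executable filesystems read-only, writable filesystems noexec), written as a Python audit over a mount table in the shape of /proc/mounts. The sample table is constructed; point parse_mounts at the real /proc/mounts for a live check.

```python
"""Audit a mount table: writable filesystems must be noexec (and nosuid, nodev).

Added example, not from the thread. SAMPLE_MOUNTS is a constructed table in
the shape of /proc/mounts; run parse_mounts on the real file for a live check.
"""

SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /home ext4 rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /data ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
"""

# Kernel pseudo-filesystems: nothing a user writes there is loadable code.
PSEUDO_FS = {"proc", "sysfs", "devpts", "cgroup", "cgroup2", "mqueue",
             "debugfs", "securityfs", "pstore", "binfmt_misc"}

# What every writable, user-reachable filesystem should carry.
REQUIRED_ON_RW = {"noexec", "nosuid", "nodev"}


def parse_mounts(text):
    """Parse 'device mountpoint fstype options dump pass' lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dev, mountpoint, fstype, opts = parts[:4]
        mounts.append({"dev": dev, "mountpoint": mountpoint,
                       "fstype": fstype, "opts": set(opts.split(","))})
    return mounts


def audit(mounts):
    """Return [(mountpoint, sorted missing options)] for rw mounts that lack
    any of REQUIRED_ON_RW. Read-only mounts are where the trusted
    executables live and are not flagged."""
    findings = []
    for m in mounts:
        if m["fstype"] in PSEUDO_FS or "rw" not in m["opts"]:
            continue
        missing = REQUIRED_ON_RW - m["opts"]
        if missing:
            findings.append((m["mountpoint"], sorted(missing)))
    return findings


def remount_command(mountpoint, missing):
    """The remount that closes a finding (needs root; put it in fstab too)."""
    return f"mount -o remount,{','.join(missing)} {mountpoint}"


if __name__ == "__main__":
    for mountpoint, missing in audit(parse_mounts(SAMPLE_MOUNTS)):
        print(f"{mountpoint}: missing {','.join(missing)}"
              f"  ->  {remount_command(mountpoint, missing)}")
```

Two caveats a practitioner would want next to this. noexec stops the kernel from executing a binary that lives on that filesystem, but an interpreter invoked as `python dropper.py` or `sh dropper.sh` still reads and runs the file, so the mount options raise the bar without closing it, which is the "not 100% proof" the post above concedes. And a noexec /tmp breaks some package installers and self-extracting archives that unpack and run from there, so test the change on a representative box before pushing it to a fleet.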

  • Re:Yeah... (Score:4, Interesting)

    by Svartalf ( 2997 ) on Monday March 22, 2010 @10:35AM (#31568112) Homepage

    Yes and no.

    In the case of the DoD, I'd be looking closer to the NSA way of doing things than not. Too much risk of a mission critical piece of data leaking or of some critical infrastructure piece in C-cubed being crippled by other things. Seriously.

    If you have issues with your users in the context of this- perhaps it's time to re-evaluate your software, hardware, etc. Ease of use will cause problems with security each and every time. No, it doesn't need to be complicated- but ease of use will invariably inject exploit paths where you didn't want them. So, you should only make it as easy as it makes sense to do so in the context of security. For the DoD, I would have thought the problems they were having with USB thumbs would be a red-flag item for the system choices they're making, but apparently not.

  • Re:Yeah... (Score:4, Interesting)

    by jimicus ( 737525 ) on Monday March 22, 2010 @11:12AM (#31568998)

    Which means the result needs to be an inquiry from Information Security and a measured punishment from HR. "Infosec found that you violated charter 4.b of our computer usage policy, 'clicking the monkey'. You have only one more demerit before termination. Please review our computer usage policies again. Here's a pamphlet."

    This is the common reply on /., and while it might work in highly regulated industries, there are lots of industries which aren't highly regulated and the opinion that "dealing with IT security issues is squarely the IT department's problem" goes right to the top.

    Arguably they're right. All we're doing by saying "discipline or fire people who won't follow the policies we propose" is making it Somebody Else's Problem.

  • Re:No (Score:5, Interesting)

    by kainewynd2 ( 821530 ) on Monday March 22, 2010 @11:20AM (#31569182)

    You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.

    I love Deep Freeze, Centurion Guard, Drive Shield, etc... but it's not fool proof.

    At one of my former employers, we had something like 700 Windows PCs out in various labs and all equipped with Drive Shield. If one of them got infected, reboot and all was well... right?

    Well, kind of. Since we were not allowed to automatically reboot these machines (24/7 labs), some of these stayed up for weeks, which opened them up to all sorts of fun stuff. In short, I spent about 200-300 man hours manually rebooting machines, convincing the administration to change the policies on automatic reboots, and working with the guy in charge of our PC lab image to implement security features to protect against this sort of thing in the future (automatic A/V update on boot, for example).

    Comparably, it took me about 40 hours to build a Terminal Server and another 60 to build and install Thin Clients to replace a bunch of those machines...

  • by ejtttje ( 673126 ) on Monday March 22, 2010 @11:35AM (#31569472) Homepage
    Either you read all your spam, or you talk to 12 year olds a lot. In my world, if someone takes the time to add formatting to an email, it's usually for good reason and makes it more readable (e.g. lists, bold/italics, code snippets with syntax highlighting, block quotes that can still re-wrap based on window width and don't screw up when you reply...)

    If old curmudgeons would get off their plain-text bandwagon we could standardize encrypted email like S/MIME.
  • Re:Yeah... (Score:4, Interesting)

    by c++0xFF ( 1758032 ) on Monday March 22, 2010 @11:44AM (#31569638)

    There's two factors at work, but people only tend to focus on the first:

    1) Security through obscurity
    2) Security through diversity

    One reason Linux doesn't get attacked is because it's "obscure" -- few people use it on the desktop. (Servers are another matter, but we're talking botnets at the moment.) If roles were reversed and Linux were used on the majority of desktops, it's possible that it would be nearly as vulnerable.

    But remember that the roles will never be fully reversed. Even if only a small percentage of desktops are moved to Linux, everybody benefits. Call it desktop "herd immunity." Imagine if Windows, OSX and Linux each had 33% of the market. In this situation, the damage any one attack could cause is dramatically reduced, regardless of which OS is attacked. It doesn't matter which one is more secure: all benefit from the mere presence of the others.

    This is, of course, ignoring the diversity within Linux itself.

  • Re:Yeah... (Score:3, Interesting)

    by Creepy ( 93888 ) on Monday March 22, 2010 @12:58PM (#31571036) Journal

    From what I heard, the military reversed its policy on SECURED USB [wikipedia.org] drives, but most USB drives are unsecured, which is kinda like having sex without a condom or sharing a needle - the more you do it, the higher chance you'll come down with a disease. While a secured drive isn't going to guarantee you won't get an infection, it does improve the odds.

    Incidentally, all of the botnet outbreaks at my work that I know of were from people bringing in unsecured rootkit infected USB Fobs, which led to a company-wide ban that still includes secured FOBs. They've also completely isolated VPN connections so the only way to access the environment is with tools like Remote Desktop Connection or web (e.g. no local file access or printing, which we used to be able to do). They've also disabled most file sharing programs and remote access programs inside the firewall (ftp, sftp, ssh, telnet, torrents, etc).
