

How To Avoid a Botnet Infection?
Taco Cowboy writes "Two of the networks in the company I work for have been zombified by different botnets. They are taken off the grid as we speak. We thought we had taken precautions against infection, such as firewall and anti-viral programs, but for some reason we have failed. Is there any list of precautionary steps available?" I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
Yeah... (Score:5, Insightful)
...I'm going to go ahead and guess the general answer most people around here are going to give.
Linux or OSX.
AmIright?
No (Score:5, Insightful)
Stop letting users use your computers or just accept that shit happens was my suggestion. Windows, OS X, or linux. If users touch it, they'll fuck it up.
Re: (Score:2, Funny)
Stop letting users use your computers
Yes! While we're on it, let's fire all the people in the company! They just bring expenses and fuck things up!
The new meme "Terry Childs approach" (Score:5, Insightful)
the only way to secure the system is don't let anyone into the system
Re: (Score:3, Insightful)
the only way to secure the system is don't let anyone into the system
Where is my "+1 insightful" when I need it??!
Re: (Score:3, Funny)
having dinner with Capt Obvious.
Re:No (Score:5, Informative)
So make it a persistent state. Every computer lab on campus had a 'deep freeze' piece of software installed.
You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.
I'm sure such software works for Linux (if not just get a Live CD/LiveUSB).
Disable executable access for anything running on a shared drive and there shouldn't be any way for them to permanently do any damage.
No matter how they screw a computer up, a reboot will fix it.
Re:No (Score:5, Interesting)
You HAD to save your files to your shared drive. If you rebooted the PC, the entire PC was reimaged back to a 'clean' state.
I love Deep Freeze, Centurion Guard, Drive Shield, etc... but it's not foolproof.
At one of my former employers, we had something like 700 Windows PCs out in various labs and all equipped with Drive Shield. If one of them got infected, reboot and all was well... right?
Well, kind of. Since we were not allowed to automatically reboot these machines (24/7 labs), some of these stayed up for weeks, which opened them up to all sorts of fun stuff. In short, I spent about 200-300 man hours manually rebooting machines, convincing the administration to change the policies on automatic reboots, and working with the guy in charge of our PC lab image to implement security features to protect against this sort of thing in the future (automatic A/V update on boot, for example).
Comparably, it took me about 40 hours to build a Terminal Server and another 60 to build and install Thin Clients to replace a bunch of those machines...
Re: (Score:3, Insightful)
They'll have to install it as a superuser, or else the rootkit will have to exploit a local privilege escalation on the workstation.
Thoughtful selection of your OS/platform can mitigate this risk. (for instance, what if *all* user activities were done in a virtualbox?)
Re: (Score:3, Insightful)
Unfortunately you are probably right.
Re: (Score:2)
Unfortunately you are probably right.
Unfortunately?
Re:Yeah... (Score:5, Insightful)
We've been hoping for competent users (and trying to educate people into competence) for decades. Hasn't happened yet - probably because the usual result of your computer getting a virus which wasn't automatically blocked is you have a legitimate excuse to do no work until such time as someone can clean up the mess.
Re:Yeah... (Score:4, Interesting)
Which means the result needs to be an inquiry from Information Security and a measured punishment from HR. "Infosec found that you violated charter 4.b of our computer usage policy, 'clicking the monkey'. You have only one more demerit before termination. Please review our computer usage policies again. Here's a pamphlet."
This is the common reply on /., and while it might work in highly regulated industries, there are lots of industries which aren't highly regulated and the opinion that "dealing with IT security issues is squarely the IT department's problem" goes right to the top.
Arguably they're right. All we're doing by saying "discipline or fire people who won't follow the policies we propose" is making it Somebody Else's Problem.
Re:Yeah... (Score:5, Insightful)
It is definitely the case that incompetent users can cause system compromises. "Ooh, free smilies!" (though IT should ideally have blocked most of their most common avenues of idiocy).
However, in a world where you can get compromised just by going to a perfectly legitimate website that happens to be running a flash ad with an embedded zero-day of some flavor, the idea that "competence" is going to save you is an unpleasant mixture of naiveté and adherence to the just-world hypothesis [scu.edu].
Competence doesn't hurt, and is always a desirable quality; but it is a near-worthless foundation for a security system. First and foremost, there are many attacks from which competence will not save you. Second, and also pretty important, is that any organization of reasonable size is going to contain people hired for their competence in something other than computer security. The pool of people competent in skill X and computer security is always smaller than the pool of people competent in skill X. Even if the former pool is large enough to fulfil your needs, recruiting from it will cost more than recruiting from the entire skill X pool. Competent users are a nice perk, when they happen; but depending on them is folly.
Re:Yeah... (Score:4, Funny)
Competent users maybe?
As far as "programming errors" go, I'd label "expect competent users" as "#1".
Re:Yeah... (Score:4, Funny)
#1? So what's the error above that?
Re: (Score:3, Insightful)
But those 90% of incompetents are voters, and vote themselves on.
That's because each and every one of those 90% that are incompetent thinks that there's actually 90% - 1 that are incompetent.
Either that, or they're so boneheaded that they don't realize that _anybody's_ actually incompetent.
That's usually my test for incompetence. If I can't see that 90% of the people trying to do "Activity A" are incompetent, then I have no clue what I'm doing, because I must be one of those 90%.
Re: (Score:2, Interesting)
If you really want to be sure you avoid being part of a botnet, then yes, Windows is not one of the choices you have. It can't be secured; it's like going down the rapids in a colander while trying to plug the holes with cabbage.
If you want to mitigate the problem you can add all sorts of defences, but you will be owned eventually if you stay on Windows. The question is, is it worth all the money? One thing is sure, it's damn expensive to fix Windows up to half-bad.
Re: (Score:3, Insightful)
Thing is, though, *everyone* running Windows treats it as holey, exploitable and generally unsafe. So they apply every security mechanism they can, they bother to audit things, and generally treat it as a dangerous thing that needs attention.
Too many Linux/OSX users sit there th
Re: (Score:2)
So you seriously think malware creators choosing Windows as a target has nothing to do with the fact that almost everyone uses it, and the fact that those running Linux as a desktop know at least something about computers? If the roles were reversed and all the casual and incompetent users were using Linux, we would see the same amount of malware there. Linux also would be designed differently, as people need to be able to buy software from stores or download it from the internet, not just from the
Re: (Score:2)
Those comments are incredible, and a good reminder of how many people actually use the web.
Re:Yeah... (Score:5, Interesting)
No. [networkworld.com] That's not sufficient. [lwn.net]
Disallowing USB drives helped the military cut down on infections, though.
How about: users run restricted. Using GPOs: mandatory Windows updates daily with reboot. Automate patching of commonly-used helpers like Flash, Shockwave, Adobe Reader, Firefox, Java. And MS Security Essentials.
Some rigorous port filters on EVERY machine and iptables rules on routers and l3 switches...a whitelist approach.
Re:Yeah... (Score:5, Informative)
The military has reversed its policy on USB drives - because quite frankly it was throwing out the baby with the bathwater. The restriction was actually preventing work from getting done; a lot of times at my unit we would leave at 3:30pm instead of finishing a project because we had no way to move files from a laptop that was not on the network to one of our machines, and IT help was not available. You're talking about millions of hours of worker productivity lost because IT could not figure out a way to make one of the most useful technologies safe. The USB restriction is precisely the way NOT to conduct security - unless you're lazy and don't care much about your users' actual work.
IT people make the common mistake of "the NSA does it that way" + "the NSA is very secure" = "this is a secure way of doing it". You're not the NSA. Look at your users first and tailor the solution around them.
There is no quick answer to this. You can't ask "how to do I prevent bot infections?" any more than you can ask "how can I keep my body healthy?" It's just too general a question. The solution is going to involve assessment of your particular situation, and the combination of the appropriate products and policies.
Re: (Score:3, Funny)
my neck of the No-Go's still bans USB drives...I have to email all my botnet viruses to the training NCO.... like a freaking ape!
Re:Yeah... (Score:4, Interesting)
Yes and no.
In the case of the DoD, I'd be looking closer to the NSA way of doing things than not. Too much risk of a mission critical piece of data leaking or of some critical infrastructure piece in C-cubed being crippled by other things. Seriously.
If you have issues with your users in the context of this- perhaps it's time to re-evaluate your software, hardware, etc. Ease of use will cause problems with security each and every time. No, it doesn't need to be complicated- but ease of use will invariably inject exploit paths where you didn't want them. So, you should only make it as easy as it makes sense to do so in the context of security. For the DoD, I would have thought the problems they were having with USB thumbs would be a red-flag item for the system choices they're making, but apparently not.
Re: (Score:3, Interesting)
From what I heard, the military reversed its policy on SECURED USB [wikipedia.org] drives, but most USB drives are unsecured, which is kinda like having sex without a condom or sharing a needle - the more you do it, the higher chance you'll come down with a disease. While a secured drive isn't going to guarantee you won't get an infection, it does improve the odds.
Incidentally, all of the botnet outbreaks at my work that I know of were from people bringing in unsecured rootkit infected USB Fobs, which led to a company-wid
Re:Yeah... (Score:5, Insightful)
Yep, most people will say that - even though I had one of my machines broken into years ago - even though it was a linux machine... Even though it *should* have been secure, but I had been somewhat lax in keeping it updated, and hence might have left a potential door open for an attacker due to that, simply by believing linux would have been secure enough.
But, yes, that would never stand in the way of most people saying 'linux would solve this'. I think more proactive monitoring and regular application of security fixes, etc. would help.
Another thing that might help, is IF you need to leave users with a web-browser, try and install them in a way that the browsers are properly sandboxed. (yeah, yeah, yeah - I know 'firefox'/'chrome'/'my-other-non-IE-browsers' are safe... Sorry, I've gone past believing that...)
I don't think there is an inherently secure OS / OS distro - at least, not beyond the moment it gets any kind of software that goes beyond its default installation...
Re: (Score:2)
Linux/OS X aren't miracle cures, but frankly you'd have to restrict so much of what users can do in Windows to stop them wrecking stuff, you might as well just give them Linux and save the license fee for Windows.
OpenBSD of course is the real answer, but I don't think we're going to see people moving to OpenBSD any time soon...
Re:Yeah... (Score:5, Interesting)
Yes, that's the general answer. Probably not the correct one.
*NOTHING* short of educating a user, or massively restricting their privileges on a computer can protect from this kind of problem. I worked at a place where we used Windows, and locked everything *really* tight, using a lot of sysinternals software (regmon/diskmon) to figure out where to allow nonprived users to write so that poorly written windows software would work for them. It's easier on Linux and MacOS, but it is still a problem.
Remember - even if it is only the user's account, and not the whole computer that is infected, it can still cause trouble (cleanup is easier though).
I've seen windows boxes go uncracked for years, and I've seen Linux and MacOS boxes cracked within weeks of being set up. With the proper security precautions, security flaws are mostly user based.
That being said, in a networked environment, once one computer behind a firewall gets cracked, the floodgates have been opened; whoever did the cracking just got a firewall bypass.
Re: (Score:2)
There is reason to believe that network topology contributes to the damage done by viruses and malware. If malware gets into the network for marketing and you make it just as difficult for it to get from marketing to the customer service network as it was to get into the marketing network, you have added extra levels of security. There are too many networks that are designed so that once it gets to one machine it has carte blanche to go to any of them. Yes, the Titanic still sank, but compartmentalization w
Re:Yeah... (Score:5, Insightful)
An old boss of mine used to call it the "Soft creamy center security model".
He was also the one who had us implementing packet filtering on each and every individual box. It was some work, but it was worth it.
Compartmentalization is good, if you are smart about it.
Another good analogy is "Defense in depth". Should you have a firewall? Yes. You should also patch regularly, sniff packets with an IDS, packet filter on every machine, run tripwire (or equivalent), have antivirus (on platforms that require it :cough: windows :cough:), separate user segments from server segments, separate out a DMZ for services, have a password policy, educate users.
No one of those things is going to protect you fully. All of them together, has a good chance of making you a far less appealing target with a very unsatisfying and sour center, rather than soft and chewy goodness.
-Steve
Re:Yeah... (Score:4, Funny)
AmIright?
Urnotrong.
Re: (Score:3, Insightful)
Mod parent to at least +50 insightful. Despite all the bragging that Microsoft and MS fanbois do, the botnets are still constructed with Windows. When that changes, then we can discuss that little issue again.
Meanwhile, migrate to a more secure operating system.
Re:Yeah... (Score:4, Interesting)
There's two factors at work, but people only tend to focus on the first:
1) Security through obscurity
2) Security through diversity
One reason Linux doesn't get attacked is because it's "obscure" -- few people use it on the desktop. (Servers are another matter, but we're talking botnets at the moment.) If roles were reversed and Linux were used on the majority of desktops, it's possible that it would be nearly as vulnerable.
But remember that the roles will never be fully reversed. Even if only a small percentage of desktops are moved to Linux, everybody benefits. Call it the desktop of "herd immunity." Imagine if Windows, OSX and Linux each had 33% of the market. In this situation, the damage any one attack could cause is dramatically reduced, regardless of which OS is attacked. It doesn't matter which one is more secure: all benefit from the mere presence of the others.
This is, of course, ignoring the diversity within Linux itself.
Re: (Score:2)
No - OpenVMS is the ultimate and expensive answer.
Block outbound SMTP (Score:5, Informative)
Your users will be really pissed off but the infection rate will be way down.
Re:Block outbound SMTP (Score:4, Interesting)
If old curmudgeons would get off their plain-text bandwagon we could standardize encrypted email like S/MIME.
Re: (Score:3, Insightful)
In my world, if someone takes the time to add formatting to an email, it's usually to use a really ugly font and add a distracting, busy background that makes my eyes bleed.
Users (Score:3, Interesting)
You'll probably find that most of your problems will go away if you get rid of your users :)
What gets around Firewalls and AVS? (Score:4, Interesting)
So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?
Re:What gets around Firewalls and AVS? (Score:4, Insightful)
Virus writers are constantly trying to find ways to circumvent antivirus programs. Regularly applying updates helps, but you could still be one of the first people hit by a new virus. Once infected, some viruses interfere with AV programs so that they can't be removed even by later versions.
Re: (Score:2)
My distributed operating systems course did mention how the biggest security issues are social engineering and I guess this is the case here as well.
Re: (Score:3, Informative)
Think of anti-virus as a vaccination. When you receive a vaccination, it protects you against the specific threat that the vaccination is designed to protect you from. The same holds true for anti-virus software. There is no magical "this program will destroy your computer or steal your personal information" opcode in software, so anti-virus software is designed to detect things it knows to be suspicious. If something is unknown (either because it is new and there aren't virus definition files for it or
Re:What gets around Firewalls and AVS? (Score:5, Interesting)
So my question is: Is firewall and anti-virus really not that effective and if so how do bots get around firewall and anti-virus?
No they're not. Trojans are becoming much more adept at avoiding antivirus (mainly because most antivirus is essentially a glorified "grep for this sequence of bytes", which doesn't work very well with polymorphic infectors) and much better at remaining hidden once installed.
A few years ago it was fairly obvious because an infected computer had all the speed and grace of a slug break-dancing in black treacle and most AV vendors' websites magically stopped working (though actually your browser was being screwed around with) - today that doesn't happen so much.
Short of the major AV vendors drastically upping their game in very short order (difficult - heuristics scanning is the obvious thing to look at but it's tantamount to the halting problem), I can't really see this situation improving much.
Re: (Score:2)
First of all they need a firewall which doesn't block everything.
A decent firewall blocks everything, then allows specific stuff through.
So you block everything - then allow ports 80 & 443 out through a caching proxy, you allow SMTP & IMAP - but only to your own mailservers, etc.
Incoming connections are either redirected to the company servers or completely blocked.
Re: (Score:2)
My home network consists of myself and my wife. I'd put her on Linux but much wrangling with the wireless card in her computer proved fruitless. As a result her Windows account is not admin, which has pretty much eliminated issues.
This is nothing against my wife. She knows not to click on popups, but these days it's hard for a non-expert to know how to close some of the fancier attack popups...
Re: (Score:2)
I enjoy bashing Microsoft - but I have been led to believe that they have fixed that little problem. In the days of Win98, my kid asked me to install a game for him. Soon after installing it, he told me that he needed admin privileges just to run the stupid game.
I can't really verify it, but I've been told repeatedly that doesn't happen in Vista and Win7. I do know that while I was testing Win7, everything that I installed ran fine in limited user accounts.
Re: (Score:3, Informative)
Microsoft "fixed it" with Windows 7 and Vista. But in doing so, they broke a lot of older software. A LOT of software was written to require higher privileges than necessary, because almost all users were running as an Administrator by default, and they never put any thought into it. The new security model forces the restrictions on administrator accounts and user accounts alike, and coders finally started coding properly. Most new stuff does run on a proper security model - but there is a lot of old co
educate (Score:3, Insightful)
Re: (Score:3, Informative)
teach all the workers about security. disable autorun on all machines. don't let them run as admins. use noscript and adblock and foxit (or similar). update windows and AV regularly...
Education is a red herring. It doesn't work. Non-technical people know how to turn their computer on and do their day's work, and that's about it. If you change a single menu item they are completely lost, even a day after formal training. Constant remedial training costs more and is more time consuming than recovering from an outbreak.
Many (poorly written) enterprise applications won't run properly without admin rights to the PC, so restricting admin access is often not possible. Keeping Windows up-to
block some email attachments and facebook (Score:5, Insightful)
where i work we've been blocking a long list of email attachments like exe's and others. few years ago we also started blocking facebook.
i set it up years ago and don't remember myself. we're all windows and have never been zombified. you can buy all the firewalls you want, but in the end it's still idiots clicking on everything in every email and every link they get sent over facebook and twitter
Re: (Score:3, Insightful)
Just a decent email filtering solution would probably do what you want, and not look like you were making unilateral decisions. One place I used to work used MessageLabs, which used to report to me just how frequently people were about to receive something dangerous (which for a 20 people company was surprisingly frequently - and more surprising would be the sales people asking to have something taken out of quarantine because 'it might be useful' when it looked pretty obvious it was spam/scam/malware).
If y
XP (Score:5, Interesting)
Let me guess, all the computers are using XP. I work at a computer repair depot and I see a lot of this on XP computers and rarely on Vista/Windows 7 with UAC turned on (sure, it's a pain, but once everything is installed the user should never even see UAC pop up). But I would guess if anything the computers are out of date for their OS patches.
In an ideal world... (Score:5, Interesting)
That being so, there are a few things to do: At present, our good buddies at Adobe are among the most popular and exciting vectors for infection. Where possible, ensure that neither Flash, nor Shockwave, nor Acrobat are installed. Where not possible, make sure that they are kept up to date. Yes, this means updating all the bloody time and WSUS won't help (useful tip, with some poking around, you can find a utility from adobe, an
Assuming that user pushback isn't excessive, stripping executables and
Re: (Score:2)
Software Restriction Policies.
The details are quite complex, Microsoft will have to tell you more [microsoft.com]; but you can substantially ruin joe script kiddie's day (as well as pissing off users, and making life miserable for your IT minions, which is why so many people don't use them). In a nutshe
Re:In an ideal world... (Score:5, Informative)
In the K-12 district for which I work, there are ~600 staff (teachers/non-teachers), ~7800 student users and about 3000 workstations + notebooks. We're a Windows (XP for educational software product requirements) shop and run AD. In the past two years we've reined in administrative users [even I, the sysadmin, run as a limited user on my workstation] and implemented a fairly detailed SRP White Listing. These two changes alone greatly reduced not only issues with crap-ware infections, but greatly reduced technician support time requirements.
The vast majority of our users [excluding the students who can no longer run proxy software] Do. Not. Fucking. Hate. Us. You would be surprised how happy people are when their computers "just work" and don't require cleaning/futzing every couple weeks.
I /cannot/ recommend enough budgeting time to investigate what SRP can do for your network.
Re: (Score:3, Informative)
and SRP stands for?
Software Restriction Policies. It allows you to white list applications at the binary executable level. It is a feature of the Group Policy Object (GPO) infrastructure that is part of Microsoft's Active Directory (AD).
Is it really necessary to ask? (Score:5, Insightful)
#1. Don't allow users to be Admins of their own machines. I know in this day and age it's harder to push this one on people, but the ultimate reality is that if the user can't infect the system then they aren't going to get very far.
#2. Managed, host-based firewalls on each of the machines that have rules for incoming and outgoing. This can be any number of centrally managed tools. If you're on XP, your best solution is likely something from, say, Symantec, McAfee, or whichever company you want to use. I know with SEP you can manage the firewall portions and prevent worms from auto spreading.
#3. Transparent, Layer 7 filtering at the network edge. Whether you want to use a proxy or a firewall for this is up to you. Juniper makes some pretty nice layer 7 devices for this purpose.
#4. NAC/NAP. Again, useful technologies--prevent systems from communicating on the network that don't register as having proper updates or AV settings.
These are just some basics, there's probably something entirely different based on the specific method these worms are using to spread. Perhaps a centrally managed website policy that locks systems down a bit more is all that's needed? Maybe keeping things more up-to-date, such as rolling out Windows 7 desktops with IE8?
Re: (Score:3, Interesting)
I second that, with some additions.
1- You can't trust users to be honest, nor working, nor knowledgeable. That means educating them is probably a waste. You need to remove admin rights, block all non-controlled data sources. That means USB, CD, FD, Bluetooth, Wifi, card readers....
2- In some cases, you may be able/have to use disk images or remote desktops. You can configure those so the users cannot write anything to the disk image, thus ensuring that the OS and Apps are always clean at boot.
Re: (Score:3, Interesting)
I am not aware of the current state of Microsoft security, but it is possible to set up Unix-type systems with non-writable executable partitions, and non-executable mounts for all writable partitions.
Even that is not 100% proof against malware, but it raises the bar beyond any attack I have seen so far.
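An added example (not from the thread) of auditing the mount layout this post describes: every writable filesystem should carry noexec, and anything executable should be read-only. The /proc/mounts lines are constructed for the example.

```python
# Audit mount options against the rule "writable implies noexec".
# Input format is that of /proc/mounts: device, mountpoint, fstype, options, dump, pass.

# Constructed sample; the two writable mounts without noexec are the findings.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /home ext4 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda4 /var ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /opt ext4 rw,relatime 0 0
"""


def parse_mounts(text):
    """Yield (mountpoint, set_of_options) for each non-empty /proc/mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed or blank line; skip rather than guess
        yield fields[1], set(fields[3].split(","))


def writable_exec_mounts(text):
    """Return mountpoints that are writable (no 'ro') and lack 'noexec'.

    These are the places where a dropped binary could be written and then run,
    which is exactly what the writable/executable split is meant to prevent.
    """
    findings = []
    for mountpoint, opts in parse_mounts(text):
        writable = "ro" not in opts
        if writable and "noexec" not in opts:
            findings.append(mountpoint)
    return findings


def missing_hardening(text):
    """Return {mountpoint: [missing options]} for writable mounts lacking nosuid/nodev.

    Not required by the rule above, but normally set alongside noexec.
    """
    wanted = ("nosuid", "nodev")
    report = {}
    for mountpoint, opts in parse_mounts(text):
        if "ro" in opts:
            continue
        missing = [o for o in wanted if o not in opts]
        if missing:
            report[mountpoint] = missing
    return report


if __name__ == "__main__":
    for mp in writable_exec_mounts(SAMPLE_MOUNTS):
        print(f"{mp}: writable without noexec")
    for mp, missing in missing_hardening(SAMPLE_MOUNTS).items():
        print(f"{mp}: missing {','.join(missing)}")
```

On a real host, read /proc/mounts and pass its contents in place of the constructed sample.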
Suggestions (Score:5, Informative)
A few suggestions from my experience as a technician:
Re: (Score:2)
Very overkill, unless you have roaming profiles. I've found most people like to be able to save their documents.
But, as you say, it does rock.
Identify the people responsible, sack and sue them (Score:2)
Anti-virus and firewall (Score:2)
That's precisely the problem: enterprise environments often assume using anti-virus and firewall solutions means they no longer have to be concerned with information security.
It is all too easy to bypass anti-virus detection, and anti-virus products often only protect against known threats. There will always be unknown threats it doesn't protect against.
What you really need is proper sandboxing, but that is a hassle that most people just don't want to deal with.
I hope Taco doesn't work in IT (Score:2, Insightful)
I'd suggest port blocking 80 for any computer that is detected running a web browser, but that might prevent some percentage of legitimate work.
Do you mean web *server*?
The vast, vast, vast majority of companies are going to need port 80 (and 443) opened. I don't know the last time you stepped into a corporate environment, Taco, but that's how you do your timecard, put your vacation time on the calendar, sometimes how you answer email even.
Re: (Score:2)
Made sense to me - although I'm not sure how it'd be done. If a computer runs a web browser then 99%+ of the time it won't need to run a web server, so blocking inbound requests on port 80 would stop it being used as a server. I assume that's important and that it is indicative of zombies, but I could be trusting Taco too much there!
Re: (Score:2)
The vast, vast, vast majority of companies are going to need port 80 (and 443) opened.
Never heard of a Squid proxy? Port 3128 is all your workers need.
Admin permissions (Score:2)
If we are talking about XP machines, consider taking away admin permissions from ordinary users. Maybe set up a local admin that the users know the password for, but let them do their daily work as restricted users.
Re: (Score:3, Funny)
Funny looking at this post and then seeing your signature
Re:Simple (Score:5, Funny)
Looks like you need to block Google as well! http://google.com/safebrowsing/diagnostic?site=google.com [google.com]
Sandboxing and VM's in our future ? (Score:4, Interesting)
At what point does it make sense to have your users having to run all that they do on a virtual machine, which if anything gets compromised can just be rolled back without too much fuss?
Also, does it make sense to move a lot of what people do to some sort of hosted app infrastructure (private cloud for example) where the lockdown can occur in an easier and more granular manner as all of the apps are managed by IT only, or is this just a pipe dream that's at least another 10 years away?
Still, in the end it all has to do with your users not practicing safe browsing, double-clicking on attachments that they did not expect, and the likes.
I do like fuzzyfuzzyfungus, magamiako1 and Z34107's suggestions very much, seems fairly practical yet transparent to the users. (wish I had mod points for you guys, but not today!)
But regardless, I guess in some sense any of these solutions seem like they are going to be quite costly and labor-intensive, from a business owner's perspective should those long-term costs not be taken into account when comparing them to deploying a network of machines running Linux or OS-X (and Windows apps inside a VM on those)? Does this all have to do with many corporate apps only working in a Windows network, and with legacy code not being able to be migrated away from a Microsoft-centric platform?
Sorry for sounding naive, but this is not my area of expertise...
English not your first language? (Score:2)
How To Avoid the Infection of Botnet?
By using the common of sense?
Offhand... (Score:2)
1) Only Allow web browsing through an http/https/ftp proxy server(s). The proxy server(s) should include anti-botnet blacklist and be logically have a network firewall between it and the internet..
2) No open direct connections from the internal network to the internet in general by workstations.
3) Don't allow non-corporate workstations on the Corporate LAN. The corp should have a guest LAN that includes internet access for guests and personal devices of employees.
4) Corporate workstations must have up-to-dat
Nuke your boxen regularly (Score:3, Interesting)
In addition to the sound advice already give above, I'd suggest also regularly just re-installing everything.
This sounds scary, but actually has a lot of benefits:
1. It forces you to get good at configuration management and massive deployment
2. You can schedule and apply security & application updates in one hit, hence avoiding cross- or retro-infection, and also ensuring that patches really are applied
3. It forces users to take responsibility for data backup & restore (or at least makes sure you get your centralised system working reliably and transparently)
4. All the crap that people install 'by accident' but then never use vanishes (and the security holes with them)
5. A lot of miscellaneous error reports will also vanish, as stuff that people had broken is reset, (slow PCs, random hangs, network glitches...)
It sounds like a lot of work, but since I've never found any security product that detects, and then reliably removes, 100% of all known nasties, it's actually the only way to be sure your systems are 100% clean, (albeit probably only briefly). You'll also, ultimately, spend less time. NEVER waste time trying to disinfect a machine - reinstall...
Short answer: You can't. (Score:2)
Long answer: You cannot. (Okay, bad pun.)
Any system that has humans (especially ones that don't follow proper security protocols) will always have a chance of a virus appearing. It may be a CEO/VP that insists on being able to run something, or some other app that gains admin privileges by an exploit.
At best, you might be able to use a whitelist app system or something like DeepFreeze to cut down on damage. However, any rogue program (e.g. bounty hunter viruses) that breaks out of sandboxing can still zombif
Lots of tools but where's the intelligence? (Score:3, Interesting)
Windows isn't going away, Linux and OSX aren't the cure-alls either.
I've seen lots of things tried, locking down the desktop even to the point that Active-X controls couldn't be installed by an end-user. Still, with any XP or Windows 2000 system we had, if you hooked it to the net without some AV or patching applied within 30 minutes you'd have some virus or malware on it. That was on the company Intranet.
I think what needs to happen is that network management tools need to start modeling traffic behavior and start watching for abnormal patterns and requests. Likewise, the Internet is wide open, but there are only certain destinations that you really need to go to when at work. IPS goes so far, but really you need to start identifying traffic patterns and abnormalities in those patterns. Not just for this kind of exploit but for changes in system behavior as well.
Yes, Port 80 blocks aren't effective, but where is the traffic going? If it's going to Romania or some other place, why is it going there? If your users go to Google, Slashdot and other well known sites, why all of a sudden are they going to ISPs that are known to host botnet controllers?
I think admins and the industry have put too much emphasis on just fixing the O/S and as Windows holes get filled, there will still be millions of XP systems out there to exploit. A lot of this will start to move to the OSX/Linux community as well, it's just a matter of time because those markets will become victims of their own success. Hackers like a challenge and trust me they'll figure a way out to infect OSX and then the malware companies will start rolling out more products to "protect" those systems as well.
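The "proxy only, no direct connections" rules from the "Offhand..." post above and the "where is the traffic going?" question in this post can both be checked from firewall logs. The following is an added example, not code from any poster; the subnets, addresses, log format, blocklist and region table are all constructed assumptions standing in for a real firewall, blocklist feed and GeoIP lookup.

```python
"""Egress checks over firewall log lines: flag workstations that reach the
internet directly instead of through the proxy, destinations on an
anti-botnet blocklist, and destinations in regions the business never
talks to. Added example, not any poster's code; the subnets, addresses,
log format, blocklist and region table are all constructed assumptions."""
import re
from ipaddress import ip_address, ip_network

WORKSTATIONS = ip_network("10.0.0.0/24")    # assumed workstation LAN
PRIVATE = ip_network("10.0.0.0/8")          # anything outside is "the internet"
# The assumed proxy lives at 10.0.1.5; workstations should only ever talk
# to it, never to internet hosts directly.
EXPECTED_REGIONS = {"US"}                   # where users normally browse
BLOCKLIST = [ip_network("203.0.113.0/24")]  # constructed; stands in for a real feed
REGION_OF = {"198.51.100.7": "US",          # constructed GeoIP table
             "192.0.2.44": "RO",
             "203.0.113.9": "US"}
LINE = re.compile(r"SRC=(\S+) DST=(\S+) DPT=(\d+)")

def check_line(line):
    """Return [(finding, src, dst), ...] for one log line; [] if it is fine."""
    m = LINE.search(line)
    if not m:
        return []
    src, dst = ip_address(m.group(1)), ip_address(m.group(2))
    if src not in WORKSTATIONS or dst in PRIVATE:
        return []                           # not workstation-to-internet traffic
    found = [("direct-egress", str(src), str(dst))]   # should have gone via the proxy
    if any(dst in net for net in BLOCKLIST):
        found.append(("blocklisted-destination", str(src), str(dst)))
    if REGION_OF.get(str(dst), "unknown") not in EXPECTED_REGIONS:
        found.append(("unexpected-region", str(src), str(dst)))
    return found

def check_logs(lines):
    """Run check_line over every line and flatten the findings."""
    return [f for line in lines for f in check_line(line)]

LOGS = [  # constructed lines in an iptables-like format
    "SRC=10.0.0.12 DST=10.0.1.5 DPT=3128",     # via the proxy: fine
    "SRC=10.0.0.12 DST=198.51.100.7 DPT=443",  # bypasses the proxy
    "SRC=10.0.0.23 DST=192.0.2.44 DPT=8080",   # direct, to an unusual region
    "SRC=10.0.0.23 DST=203.0.113.9 DPT=80",    # direct, to a blocklisted net
    "SRC=10.0.1.5 DST=198.51.100.7 DPT=443",   # the proxy itself: fine
]

if __name__ == "__main__":
    for finding, src, dst in check_logs(LOGS):
        print(f"{finding}: {src} -> {dst}")
```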
Restrict what users can do (Score:3, Informative)
Here's what I'd do.
First, if you're running XP, know that its standalone user account types are horrible. Administrators can do anything, while limited users often can't do enough, and some programs don't function correctly with this account type. I hate to say it, but this is one of those cases where Vista was an improvement. Its standard user accounts are just about right, so if you have the option to upgrade to Windows 7 (or even Vista), consider it. There are certainly downsides, especially where older hardware is concerned, but better non-administrative accounts are a reason to think about it.
If you don't want to do that, then filtering is your next step. First, shore up the browser by making sure its anti-phishing filters are turned on. Another level of filtering/user advising can be performed by McAfee SiteAdvisor (http://www.siteadvisor.com). Its main benefit is that it will place advisory icons next to search engine results, indicating the site's risk. Show these to your users, and teach them what they mean. If you're running Firefox, install AdBlock Plus. That will filter out malware coming in through infected ad servers.
Next, you can use OpenDNS as a DNS filtering solution. This will let you block sites that folks shouldn't be visiting at work...MySpace, Facebook...did I mention MySpace and Facebook.
Next, consider whether or not you need your users to have Flash, since it is yet another avenue for infection. Unfortunately, some sites rely on it for basic functionality, so there may be some reason to leave it in, but if you do, MySpace and Facebook (especially MySpace) should be blocked.
Finally, look at your e-mail, since I'd be willing to bet that malware is coming in by that route. What anti-spam measures is your mail server running? If you aren't sure how well they're working, take a look at the mail your users are receiving daily. And, just in case you aren't doing this, make damn sure users know that their work addresses shouldn't be receiving personal mail, no exceptions. Let the pictures of kittens, puppies, and dancing babies go somewhere else. Put the fear of God in them if nothing else works. Their work addresses are for work, no exceptions.
You're going to have to fight this battle on an ongoing basis, but you can win if you stay aware of what users are doing and restrict the dangerous stuff.
In a Windows network: WSUS + NAP + Vista/7 (Score:3, Informative)
Re: (Score:2)
My First First Post! I'm such a proud Pappa!!! Cigars?
It appears that the news of the delivery was premature
Re: (Score:2)
And no, you don't need Linux to do this despite what I see other people commenting.
Without Linux, malware might be smart enough to also connect through the proxy, using the credentials "helpfully" shared by Internet Explorer.
In Linux, if you enter a proxy password into your browser, only that browser has access to it, not anything else which might also be running on the same PC.