Re: Quarantine your infected users spreading malware

2006-03-02 Thread Niels Raijer

On Thu, Mar 02, 2006 at 07:57:14AM -0500, Robert E. Seastrom wrote:

> Jim Segrave <[EMAIL PROTECTED]> writes:
> 
> > You did think of contacting them and asking? You know, e-mail, fax,
> > telephone, that sort of thing?
> 
> Yes, we did think of that sort of thing.  Those of us with even the
> slightest notion of business and profitability constraints promptly
> discarded the idea of getting a human into the loop.  Ideally you just

I think what Jim meant was something else: that if you have questions
about the Quarantainenet product, you contact the Quarantainenet people
via e-mail, fax or telephone and ask. 'Them' was not referring to actual
customers this time.
-- 
Niels Raijer   |  "But in the pocket of my clothes
[EMAIL PROTECTED] |   was a single white rose
http://www.fusix.nl|  for Pierrette..."


Re: Quarantine your infected users spreading malware

2006-03-02 Thread Robert E . Seastrom


Jim Segrave <[EMAIL PROTECTED]> writes:

>> On Tue, 28 Feb 2006, Bill Nash wrote:
>>
>> > The simplest method is to issue a different gateway to a registry of known
>> > offenders, forcing them into a restrictive environment that blocks all
>> > ports, and uses network translation tricks to redirect all web traffic to
>> > a portal.
>
> You did think of contacting them and asking? You know, e-mail, fax,
> telephone, that sort of thing?

Yes, we did think of that sort of thing.  Those of us with even the
slightest notion of business and profitability constraints promptly
discarded the idea of getting a human into the loop.  Ideally you just
automatically add them to the broken stuff database, notify/incent
them to fix things (by adding them to the quarantine group), and have
them take care of themselves by following the directions found
therein, and NOT involving your call center.

---Rob



Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave

On Wed 01 Mar 2006 (11:42 -0600), Jack Bates wrote:
> 
> Christopher L. Morrow wrote:
> 
> >agreed, punting this problem to the helpdesk makes the helpdesk manager
> >grab his gun(s) and find the security wonk that put a hurtin' on his
> >numbers :) Also, it costs lots of money, which isn't generally a good
> >plan.
> 
> Do you find that web redirection actually stems the flow of calls to the 
> helpdesk? We find that anything out of the normal usually results in a 
> customer calling the helpdesk just because they weren't expecting it. We 
> found this to be true of email notifications as well. The other issue 
> is, of course, differing what we are doing with those thousands of 
> annoying ads that make users believe they are infected.

Yes, it reduces, but does not stop the number of calls. More
importantly, because the customer can still access sites such as MS
update, Norton, McAfee, Housecall etc, even while quarantined, those
people who call the helpdesk can get directed to the "how to fix it
page" rapidly, so the calls stay shorter.

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave

On Wed 01 Mar 2006 (16:33 +), Christopher L. Morrow wrote:
> 
> 
> On Wed, 1 Mar 2006, JP Velders wrote:
> 
> >
> > > Date: Tue, 28 Feb 2006 18:50:29 + (GMT)
> > > From: Christopher L. Morrow <[EMAIL PROTECTED]>
> > > To: nanog@merit.edu
> > > Subject: Re: Quarantine your infected users spreading malware
> >
> > > On Tue, 28 Feb 2006, Jim Segrave wrote:
> >
> > > > www.quarantainenet.nl
> >
> > > > It puts them in a protected environment where they can get cleaned up
> > > > on-line without serious risk of re-infection. They can pop their
> > > > e-mail, reply via webmail, but they can't connect to anywhere except a
> > > > list of update sites.
> >
> > > there was little in the way of 'how' in the link above though :(
> >
> > Well, it's very much dependent on your own network.
> > From what I know (from presentations of the folk behind Qnet, and
> > talks with people actually using it) is that they have a sort of
> > "export" module, which allows you to either output the IP's, or parse
> > them such that you get a crafted DHCP entry, or special MAC address
> > based "alternate VLAN" statement for on a switch etc.
> 
> which is fabulous for those of you with ethernet... without ethernet most
> of these solutions fall on their faces and die the horrid death of an
> enterprise product :( Now, they say: "Works great on carrier networks"...
> my question was "how" and "perhaps with a little less hand-waviness
> please?"

You could have answered your own questions, for your own network, in
the same amount of time as writing these postings to nanog, by asking
the company.

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-03-02 Thread Jim Segrave

On Tue 28 Feb 2006 (19:29 +), Christopher L. Morrow wrote:
> 
> 
> On Tue, 28 Feb 2006, Bill Nash wrote:
> 
> >
> > The simplest method is to issue a different gateway to a registry of known
> > offenders, forcing them into a restrictive environment that blocks all
> > ports, and uses network translation tricks to redirect all web traffic to
> > a portal.
> >
> > For cable modems and bridged DSL, you can do this with DHCP, matching
> > their MAC address. PPPOE/DSL or similar, you match on user name.
> > Issue RFC1918 space with a gateway to your quarantine network.
> >
> > The rest is NAT/PAT and w3proxy stunts. You could pull it off with
> > something as simple as iptables and squid, after dealing with the DHCP or
> > authentication servers (ala Radius) to issue to the correct credentials.
> >
> 
> yes, I could dream up a few hundred ways to accomplish this, but the
> 'documentation' at the site referenced doesn't address even one way. So,
> saying 'it works' and 'it works for carriers' and 'yea us!' is not
> helpful, without some example of 'how' :(

You did think of contacting them and asking? You know, e-mail, fax,
telephone, that sort of thing?

The first time I mentioned this company, I said that it is used to put
infected customers into a virtual router where all their internet
traffic is proxied via a server. which blocks unwanted addresses,
answers web requests not to designated servers from an internal
service - so going to google.com brings up the page explaining why
your account is quarantined.

The specifics of connecting it to your network, oddly enough, probably
will depend on how your network is built, which is why you might need
to contact them.

I thought this was a network operator's mailing list, not a
spoon-feeding session.

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-03-02 Thread Christopher L. Morrow



On Wed, 1 Mar 2006, Jack Bates wrote:

> Christopher L. Morrow wrote:
> 
> > agreed, punting this problem to the helpdesk makes the helpdesk manager
> > grab his gun(s) and find the security wonk that put a hurtin' on his
> > numbers :) Also, it costs lots of money, which isn't generally a good
> > plan.
>
> Do you find that web redirection actually stems the flow of calls to the
> helpdesk? We find that anything out of the normal usually results in a

don't know, we don't do it except for some internal things I think... I
just know what our customer support folks do if I screw up and make a
bunch of customers call in :)


Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan




--On Wednesday, March 01, 2006 11:42:01 -0600 Jack Bates <[EMAIL PROTECTED]> wrote:

> Do you find that web redirection actually stems the flow of calls to the
> helpdesk? We find that anything out of the normal usually results in a
> customer calling the helpdesk just because they weren't expecting it. We
> found this to be true of email notifications as well.


We believe it does help to an extent.  But more importantly to us the same 
system that sent the notices and quarantined the host also is tracking the 
incident.  It's visible to the help desk staff and the security staff, and
searching there first when a user contacts us is standard procedure.  Prior 
to this system we were keeping track of suspended machines by hand or via 
email.  In the summer of 2003, when the big windows RPC vulnerability was 
out, and both Blaster and Welchia happened, we knew right away that we 
needed a system to track the *hundreds* of suspend/restore requests we were 
processing.  First it was just a tracking system, then it became a full 
automated notification and suspension system.


One of the things we do is send vulnerability notices for large scale OS 
vulnerabilities.  For example, for the Windows Print Spooler vulnerability, 
MS05-043, we scan our network multiple times a day and send notices to the 
owners of vulnerable machines.  The user/admin then has 24 hours to patch 
the machine and use the web app to tell us they did.  If they don't do so 
the machine is suspended.  Once suspended they can still use the web app to 
restore themselves.  However if we find a machine is still unpatched after 
we've been told it was patched we immediately suspend it.



> The other issue is,
> of course, differing what we are doing with those thousands of annoying
> ads that make users believe they are infected.

Well, once they're quarantined they should stop getting those ads and just 
get your quarantine notice, so that should be different, right?


-David
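The notice, 24-hour grace period, self-service restore and immediate re-suspension rules David describes above, as an added Python state machine (an illustration, not CMU's system; the state names, event methods and the constructed timelines are assumptions):

```python
"""State machine for the vulnerability-notice workflow described in the post:
scan -> notice with a 24h grace period -> suspension; owner may restore
through a web app by claiming the patch; a later scan that still finds the
hole suspends immediately, with no second grace period.

Assumed (not from the thread): state names, the event API, the timelines.
"""
from datetime import datetime, timedelta

GRACE = timedelta(hours=24)


class Host:
    def __init__(self, ip):
        self.ip = ip
        self.state = "ok"        # ok | notified | suspended | claimed_patched
        self.deadline = None     # only meaningful while "notified"
        self.log = []            # (when, new_state, why)

    def _set(self, state, now, why):
        self.state = state
        self.log.append((now, state, why))

    def online(self):
        """Only suspended hosts lose the network; a claim restores it."""
        return self.state != "suspended"

    # --- events from the periodic scanner ---------------------------------
    def scan(self, now, vulnerable):
        if not vulnerable:
            if self.state != "ok":
                self._set("ok", now, "scan clean")
            self.deadline = None
        elif self.state == "ok":
            self.deadline = now + GRACE
            hours = int(GRACE.total_seconds() // 3600)
            self._set("notified", now, "vulnerable; notice sent, %dh to patch" % hours)
        elif self.state == "claimed_patched":
            # Owner told us it was patched and it is not: suspend at once.
            self._set("suspended", now, "still vulnerable after patch claim")
        # "notified": the grace clock keeps running; "suspended": stays so.

    # --- events from the owner's web app ----------------------------------
    def report_patched(self, now):
        if self.state in ("notified", "suspended"):
            self._set("claimed_patched", now, "owner reports patched")
            self.deadline = None

    # --- the clock, run before each sweep or on a timer -------------------
    def tick(self, now):
        if self.state == "notified" and now >= self.deadline:
            self._set("suspended", now, "grace period expired")


def honest_owner():
    """Constructed timeline: notice, patch claimed within the day, clean rescan."""
    t0 = datetime(2006, 3, 1, 9, 0)
    h = Host("192.0.2.57")
    h.scan(t0, vulnerable=True)
    h.tick(t0 + timedelta(hours=6))
    h.report_patched(t0 + timedelta(hours=6))
    h.tick(t0 + timedelta(hours=30))
    h.scan(t0 + timedelta(hours=30), vulnerable=False)
    return [state for _, state, _ in h.log]


def ignores_notice():
    """Constructed timeline: nobody acts, suspension after 24h, an untruthful
    self-restore, then the next sweep still finds the hole."""
    t0 = datetime(2006, 3, 1, 9, 0)
    h = Host("192.0.2.58")
    h.scan(t0, vulnerable=True)
    h.tick(t0 + timedelta(hours=25))
    h.report_patched(t0 + timedelta(hours=26))
    h.scan(t0 + timedelta(hours=27), vulnerable=True)
    return [state for _, state, _ in h.log]


if __name__ == "__main__":
    print(honest_owner())    # ['notified', 'claimed_patched', 'ok']
    print(ignores_notice())  # ['notified', 'suspended', 'claimed_patched', 'suspended']
```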




Re: Quarantine your infected users spreading malware

2006-03-01 Thread Jack Bates


Christopher L. Morrow wrote:


> agreed, punting this problem to the helpdesk makes the helpdesk manager
> grab his gun(s) and find the security wonk that put a hurtin' on his
> numbers :) Also, it costs lots of money, which isn't generally a good
> plan.


Do you find that web redirection actually stems the flow of calls to the 
helpdesk? We find that anything out of the normal usually results in a 
customer calling the helpdesk just because they weren't expecting it. We 
found this to be true of email notifications as well. The other issue 
is, of course, differing what we are doing with those thousands of 
annoying ads that make users believe they are infected.


-Jack


Re: Quarantine your infected users spreading malware

2006-03-01 Thread Christopher L. Morrow


On Wed, 1 Mar 2006, JP Velders wrote:

>
> > Date: Tue, 28 Feb 2006 18:50:29 + (GMT)
> > From: Christopher L. Morrow <[EMAIL PROTECTED]>
> > To: nanog@merit.edu
> > Subject: Re: Quarantine your infected users spreading malware
>
> > On Tue, 28 Feb 2006, Jim Segrave wrote:
>
> > > www.quarantainenet.nl
>
> > > It puts them in a protected environment where they can get cleaned up
> > > on-line without serious risk of re-infection. They can pop their
> > > e-mail, reply via webmail, but they can't connect to anywhere except a
> > > list of update sites.
>
> > there was little in the way of 'how' in the link above though :(
>
> Well, it's very much dependent on your own network.
> From what I know (from presentations of the folk behind Qnet, and
> talks with people actually using it) is that they have a sort of
> "export" module, which allows you to either output the IP's, or parse
> them such that you get a crafted DHCP entry, or special MAC address
> based "alternate VLAN" statement for on a switch etc.

which is fabulous for those of you with ethernet... without ethernet most
of these solutions fall on their faces and die the horrid death of an
enterprise product :( Now, they say: "Works great on carrier networks"...
my question was "how" and "perhaps with a little less hand-waviness
please?"

>
> They have templates for a bunch of things, but whether or not one of
> those templates is applicable or even useful in your own network
> remains to be seen each and every time.
>

and none of these so called templates is available or described on their
public documentation :( There are a few ways to skin this cat, depending
upon architecture one might even work. Without knowing the possible
methodologies available it's not helpful :(

> The main strength of Qnet is the detection, and even better, the way
> of allowing people to clean themselves, and then get back on the net.
> Having a helpdesk tell (different) people the same line over and over
> again gets tedious. Putting the effort into making a nice explanatory
> webpage get so much more "return on investment"... ;)

agreed, punting this problem to the helpdesk makes the helpdesk manager
grab his gun(s) and find the security wonk that put a hurtin' on his
numbers :) Also, it costs lots of money, which isn't generally a good
plan.


Re: Quarantine your infected users spreading malware

2006-03-01 Thread Bill Nash


On Wed, 1 Mar 2006, David Nolan wrote:


>> Yeah, but it's not near as fun as dynamic acls updated via a script
>> monitoring flow logs in real-time. It's definitely easier to implement,
>> though.
>
> Interesting...  That's actually basically what we were doing before, but
> phased out in favor of the URPF & host routes approach.  We felt the URPF
> approach was much cleaner, and more efficient.  A routing table lookup is
> more efficient than acl processing, particularly if you have significant
> numbers of rou and solved some problems we were having.  It also solved some
> issues we had, including keeping dynamic acls synchronized between two
> redundant routers (HSRP pairs and/or redundant border routers).


I think when he said fun, he meant 'masochistic and nerve wracking, in a 
vaguely entertaining because we have scripts issuing and removing ACLs 
from our routing core kind of way.' I've built reactive firewalls before, 
but even I'd be leery of a reactive ACL implementation. /32 null route 
injection is far far easier to manage. =)


- billn


Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan




--On Wednesday, March 01, 2006 07:54:17 -0600 Jack Bates <[EMAIL PROTECTED]> wrote:

> David Nolan wrote:
>
>> (*): For anyone who doesn't know, URPF is essentially a way to do
>> automatic acls, comparing the source IP of an incoming packet to the
>> routing table to verify the packet should have come from this
>> interface.  With the right hardware this is significantly cheaper than
>> acl processing.  And it's certainly easier to maintain.  And by injecting
>> a /32 null route into the route table you can cause a host's local
>> router to start discarding all traffic from that IP.
>
> Yeah, but it's not near as fun as dynamic acls updated via a script
> monitoring flow logs in real-time. It's definitely easier to implement,
> though.

Interesting...  That's actually basically what we were doing before, but
phased out in favor of the URPF & host routes approach.  We felt the URPF
approach was much cleaner, and more efficient.  A routing table lookup is
more efficient than acl processing, particularly if you have significant
numbers of rou and solved some problems we were having.  It also solved
some issues we had, including keeping dynamic acls synchronized between two
redundant routers (HSRP pairs and/or redundant border routers).


-David



Re: Quarantine your infected users spreading malware

2006-03-01 Thread JP Velders


> Date: Tue, 28 Feb 2006 18:50:29 + (GMT)
> From: Christopher L. Morrow <[EMAIL PROTECTED]>
> To: nanog@merit.edu
> Subject: Re: Quarantine your infected users spreading malware

> On Tue, 28 Feb 2006, Jim Segrave wrote:

> > www.quarantainenet.nl

> > It puts them in a protected environment where they can get cleaned up
> > on-line without serious risk of re-infection. They can pop their
> > e-mail, reply via webmail, but they can't connect to anywhere except a
> > list of update sites.

> there was little in the way of 'how' in the link above though :(

Well, it's very much dependent on your own network.
From what I know (from presentations of the folk behind Qnet, and
talks with people actually using it) is that they have a sort of 
"export" module, which allows you to either output the IP's, or parse 
them such that you get a crafted DHCP entry, or special MAC address 
based "alternate VLAN" statement for on a switch etc.

They have templates for a bunch of things, but whether or not one of 
those templates is applicable or even useful in your own network 
remains to be seen each and every time.

The main strength of Qnet is the detection, and even better, the way 
of allowing people to clean themselves, and then get back on the net. 
Having a helpdesk tell (different) people the same line over and over 
again gets tedious. Putting the effort into making a nice explanatory 
webpage get so much more "return on investment"... ;)

Kind regards,
JP Velders


Re: Quarantine your infected users spreading malware

2006-03-01 Thread Jack Bates




David Nolan wrote:

> (*): For anyone who doesn't know, URPF is essentially a way to do
> automatic acls, comparing the source IP of an incoming packet to the
> routing table to verify the packet should have come from this
> interface.  With the right hardware this is significantly cheaper than
> acl processing.  And it's certainly easier to maintain.  And by injecting
> a /32 null route into the route table you can cause a host's local
> router to start discarding all traffic from that IP.

Yeah, but it's not near as fun as dynamic acls updated via a script 
monitoring flow logs in real-time. It's definitely easier to implement, 
though.


For people utilizing RBE/dhcp combo on Cisco routers, it is also 
possible to just remove the /32 route that was dynamically created which 
will kill traffic until the customer requests dhcp again, which will by 
that time place them in the quarantine. One advantage to temp route 
removal is that it requires no cleanup. Just make sure you don't wipe 
out your permanent static routes.


-Jack


Re: Quarantine your infected users spreading malware

2006-03-01 Thread David Nolan




--On Tuesday, February 28, 2006 14:39:37 -0500 David Nolan <[EMAIL PROTECTED]> wrote:

> We use a couple of techniques at Carnegie Mellon, depending on the network
> scenario.
>
> The DHCP based technique outlined above requires no extra infrastructure,
> just extra configuration, so it is what we use for most of our campus
> wired networks.  We use the same setup as our registration helper
> network, so our internal name for the DHCP based quarantine system is
> called QuickReg.  An unknown or banned client gets an address in 1918
> space and can only access our abuse tracking, patch download and network
> registration systems.


Following up my own post.  I know, it's always bad etiquette, but I forgot
to mention something.


We're also using an active suspension mechanism for these networks to block 
clients with current valid DHCP leases instantly.  We use Unicast Reverse 
Path Filtering (*) and /32 host routes injected into our OSPF cloud via 
quagga (ospf routing daemon on a unix server).


This means a suspended host loses all network connectivity immediately, 
until they re-dhcp, at which point they'll have a rfc1918 address and have 
access to the quarantine network.  This also handles the occasional 
statically configured host.


We can also use this system to filter external hosts without having to 
manipulate border router acls frequently.



(*): For anyone who doesn't know, URPF is essentially a way to do automatic
acls, comparing the source IP of an incoming packet to the routing table
to verify the packet should have come from this interface.  With the right
hardware this is significantly cheaper than acl processing.  And it's
certainly easier to maintain.  And by injecting a /32 null route into the
route table you can cause a host's local router to start discarding all
traffic from that IP.



-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University
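The uRPF plus /32 host-route suspension from the footnote above, as an added Python model (not CMU's code; the prefixes, interface names and sample hosts are constructed): a small RIB with longest-prefix lookup, a strict uRPF check on ingress, and the controller step that injects or withdraws the /32 to Null0 that the quagga box would redistribute into OSPF.

```python
"""Model of 'uRPF + /32 null route' suspension.

A strict uRPF check looks up the packet's *source* in the routing table and
accepts the packet only if the best route points back out the ingress
interface.  A /32 route to Null0 becomes the most specific route for that
host, so every packet from it fails the check on every router that learned
the route.  (The same /32 also blackholes traffic *to* the host.)

Assumed (not from the thread): prefixes, interface names, sample hosts.
"""
import ipaddress


class Rib:
    """Minimal routing table: prefix -> outgoing interface, longest match wins."""

    def __init__(self):
        self._routes = {}

    def add(self, prefix, iface):
        self._routes[ipaddress.ip_network(prefix)] = iface

    def withdraw(self, prefix):
        self._routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        """Return (prefix, iface) of the most specific matching route, or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self._routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def strict_urpf_accepts(rib, src, ingress):
    """Strict uRPF: drop unless the return path to src is the ingress interface.
    A Null0 next hop never equals a real interface, so null-routed sources fail."""
    hit = rib.lookup(src)
    return hit is not None and hit[1] == ingress


def suspend_host(rib, host):
    """Controller action.  On the quagga box this is 'ip route <host>/32 null0'
    redistributed into OSPF; here we just install it in the model RIB."""
    rib.add("%s/32" % host, "Null0")


def restore_host(rib, host):
    rib.withdraw("%s/32" % host)


def build_campus_rib():
    """Constructed RIB for one access router with two user VLANs and an uplink."""
    rib = Rib()
    rib.add("192.0.2.0/24", "Vlan10")
    rib.add("198.51.100.0/24", "Vlan20")
    rib.add("0.0.0.0/0", "Uplink0")
    return rib


def demo():
    """One suspension cycle; returns the four accept/reject outcomes in order."""
    rib = build_campus_rib()
    before = strict_urpf_accepts(rib, "192.0.2.57", "Vlan10")
    suspend_host(rib, "192.0.2.57")
    during = strict_urpf_accepts(rib, "192.0.2.57", "Vlan10")
    neighbour = strict_urpf_accepts(rib, "192.0.2.58", "Vlan10")  # untouched
    restore_host(rib, "192.0.2.57")
    after = strict_urpf_accepts(rib, "192.0.2.57", "Vlan10")
    return before, during, neighbour, after


if __name__ == "__main__":
    print(demo())  # (True, False, True, True)
```

Because the /32 is the most specific route everywhere it is redistributed, the suspension takes effect on the host's first-hop router without touching any ACL, and withdrawing the route is the whole cleanup.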



Re: Quarantine your infected users spreading malware

2006-02-28 Thread David Nolan




--On Tuesday, February 28, 2006 14:07:36 -0500 Bill Nash <[EMAIL PROTECTED]> wrote:

> The simplest method is to issue a different gateway to a registry of
> known offenders, forcing them into a restrictive environment that blocks
> all ports, and uses network translation tricks to redirect all web
> traffic to a portal.
>
> For cable modems and bridged DSL, you can do this with DHCP, matching
> their MAC address. PPPOE/DSL or similar, you match on user name. Issue
> RFC1918 space with a gateway to your quarantine network.
>
> The rest is NAT/PAT and w3proxy stunts. You could pull it off with
> something as simple as iptables and squid, after dealing with the DHCP or
> authentication servers (ala Radius) to issue to the correct credentials.



We use a couple of techniques at Carnegie Mellon, depending on the network
scenario.


The DHCP based technique outlined above requires no extra infrastructure, 
just extra configuration, so it is what we use for most of our campus wired 
networks.  We use the same setup as our registration helper network, so our 
internal name for the DHCP based quarantine system is called QuickReg.  An 
unknown or banned client gets an address in 1918 space and can only access 
our abuse tracking, patch download and network registration systems.


But on our campus wireless network we use an inline filter system we call
AuthBridge, based on ebtables and iptables, to filter & redirect any 
traffic from unknown/banned clients.  This system provides a more seamless 
user experience, but requires a layer-2 aggregation point where you can 
pass the traffic through the filter host.  Because our wireless is a single 
campus wide layer-2 network this is more feasible for that network.


Both of these systems are integrated with CMU's DHCP & DNS Management 
system, NetReg. (not to be confused with Southwestern University's NetReg. 
Different systems...)  The DHCP helper system is a builtin feature, while 
the AuthBridge system is an add on.   (AuthBridge just went through a 
complete rewrite to use the standard ebtables/iptables in Linux 2.6, and a 
public release should be available soon...)


For information on NetReg, QuickReg or AuthBridge, see:
http://www.net.cmu.edu/netreg
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/WebHome
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/NetRegManualDesign#QuickReg
http://acs-wiki.andrew.cmu.edu/twiki/bin/view/Netreg/AuthBridge

(Our abuse tracking system also integrates with NetReg, so going from an 
external incident report to a machine suspension and email to the user & 
admins is as simple as dropping an IP and timestamp into a web form...)


-David Nolan
Network Software Designer
Computing Services
Carnegie Mellon University



Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow


On Tue, 28 Feb 2006, Bill Nash wrote:

>
> The simplest method is to issue a different gateway to a registry of known
> offenders, forcing them into a restrictive environment that blocks all
> ports, and uses network translation tricks to redirect all web traffic to
> a portal.
>
> For cable modems and bridged DSL, you can do this with DHCP, matching
> their MAC address. PPPOE/DSL or similar, you match on user name.
> Issue RFC1918 space with a gateway to your quarantine network.
>
> The rest is NAT/PAT and w3proxy stunts. You could pull it off with
> something as simple as iptables and squid, after dealing with the DHCP or
> authentication servers (ala Radius) to issue to the correct credentials.
>

yes, I could dream up a few hundred ways to accomplish this, but the
'documentation' at the site referenced doesn't address even one way. So,
saying 'it works' and 'it works for carriers' and 'yea us!' is not
helpful, without some example of 'how' :(

> - billn
>
> On Tue, 28 Feb 2006, Christopher L. Morrow wrote:
>
> >
> >
> > On Tue, 28 Feb 2006, Jim Segrave wrote:
> >>
> >> www.quarantainenet.nl
> >>
> >> It puts them in a protected environment where they can get cleaned up
> >> on-line without serious risk of re-infection. They can pop their
> >> e-mail, reply via webmail, but they can't connect to anywhere except a
> >> list of update sites.
> >
> > there was little in the way of 'how' in the link above though :(
> >
>


Re: Quarantine your infected users spreading malware

2006-02-28 Thread Bill Nash



The simplest method is to issue a different gateway to a registry of known 
offenders, forcing them into a restrictive environment that blocks all
ports, and uses network translation tricks to redirect all web traffic to 
a portal.


For cable modems and bridged DSL, you can do this with DHCP, matching 
their MAC address. PPPOE/DSL or similar, you match on user name.

Issue RFC1918 space with a gateway to your quarantine network.

The rest is NAT/PAT and w3proxy stunts. You could pull it off with 
something as simple as iptables and squid, after dealing with the DHCP or 
authentication servers (ala Radius) to issue to the correct credentials.


- billn

On Tue, 28 Feb 2006, Christopher L. Morrow wrote:

> On Tue, 28 Feb 2006, Jim Segrave wrote:
>
>> www.quarantainenet.nl
>>
>> It puts them in a protected environment where they can get cleaned up
>> on-line without serious risk of re-infection. They can pop their
>> e-mail, reply via webmail, but they can't connect to anywhere except a
>> list of update sites.
>
> there was little in the way of 'how' in the link above though :(
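The DHCP half of what Bill describes (match the offender's MAC, hand out RFC1918 space with the quarantine box as gateway), as an added Python generator that turns a MAC registry into ISC dhcpd class/pool stanzas; this is not code from any poster or product, and the subnets, lease times and the sample registry are assumptions:

```python
"""Generate ISC dhcpd configuration that puts known-offender MACs into a
quarantine pool (RFC 1918 space, gateway = the NAT/proxy portal box) while
every other client keeps the normal pool on the same wire.

Assumed (not from the thread): the subnet numbers, lease times and the
constructed registry.  class/subclass/pool/shared-network syntax is dhcpd's.
"""
import re

# Constructed sample registry: MAC -> reason, in the mixed notations that
# exports from different tools produce (colon, Cisco dotted, Windows dashed).
OFFENDERS = {
    "00:11:22:33:44:55": "tcp/445 scanning (constructed ticket 1)",
    "0011.2233.aabb":    "spam source (constructed ticket 2)",
    "00-11-22-33-44-66": "RPC worm traffic (constructed ticket 3)",
}

# Assumed addressing.  Both subnets share one broadcast domain, hence the
# shared-network below.  Quarantine leases are short so a cleaned host gets
# back to the normal pool quickly once its MAC is removed from the registry.
PROD = {"net": "192.0.2.0", "mask": "255.255.255.0", "gw": "192.0.2.1",
        "first": "192.0.2.100", "last": "192.0.2.200", "lease": 86400}
QUAR = {"net": "10.66.0.0", "mask": "255.255.255.0", "gw": "10.66.0.1",
        "first": "10.66.0.10", "last": "10.66.0.250", "lease": 300}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Canonicalise any common MAC notation to aa:bb:cc:dd:ee:ff.

    Rejects anything that is not exactly 48 bits so a garbled registry line
    cannot silently become a subclass that matches nobody.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError("not a 48-bit MAC address: %r" % (raw,))
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _subnet(cfg, allow_quarantine):
    verb = "allow" if allow_quarantine else "deny"
    return "\n".join([
        '  subnet %s netmask %s {' % (cfg["net"], cfg["mask"]),
        '    option routers %s;' % cfg["gw"],
        '    default-lease-time %d;' % cfg["lease"],
        '    max-lease-time %d;' % cfg["lease"],
        '    pool {',
        '      %s members of "quarantine";' % verb,
        '      range %s %s;' % (cfg["first"], cfg["last"]),
        '    }',
        '  }',
    ])


def dhcpd_quarantine_config(offenders, prod=PROD, quar=QUAR, shared="wire0"):
    """Return dhcpd.conf text: the class, one subclass per offender, and a
    shared-network holding the production and the quarantine subnet."""
    lines = ['class "quarantine" {', '  match hardware;', '}', '']
    for raw, reason in sorted(offenders.items()):
        mac = normalize_mac(raw)
        # "1:" is the Ethernet hardware-type byte that "match hardware" expects.
        lines.append('subclass "quarantine" 1:%s;  # %s' % (mac, reason))
    lines += ['', 'shared-network %s {' % shared,
              _subnet(prod, allow_quarantine=False),   # everyone else
              _subnet(quar, allow_quarantine=True),    # offenders only
              '}', '']
    return "\n".join(lines)


if __name__ == "__main__":
    print(dhcpd_quarantine_config(OFFENDERS))
```

The rest of Bill's recipe (NAT/PAT and the squid portal on 10.66.0.1) lives on the quarantine gateway itself; this block only produces the DHCP side that decides who lands there.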



Re: Quarantine your infected users spreading malware

2006-02-28 Thread Christopher L. Morrow


On Tue, 28 Feb 2006, Jim Segrave wrote:
>
> www.quarantainenet.nl
>
> It puts them in a protected environment where they can get cleaned up
> on-line without serious risk of re-infection. They can pop their
> e-mail, reply via webmail, but they can't connect to anywhere except a
> list of update sites.

there was little in the way of 'how' in the link above though :(


Re: Quarantine your infected users spreading malware

2006-02-28 Thread Jim Segrave

On Thu 23 Feb 2006 (11:18 -0600), Michael Loftis wrote:
> 
> 
> 
> --On February 23, 2006 8:02:31 AM -0600 Jack Bates <[EMAIL PROTECTED]> 
> wrote:
> 
> >We allowed users back online to run Housecall at trendmicro for free so
> >they could get cleaned up and save some money. However, the resuspend
> >rate was so high, we quickly changed to offline cleanup only. It will
> >remain until we perfect our auto defense system.
> >
> >Customers just want things to work. They don't care if they are infected.
> >It's amazing how many customers swear they aren't scanning or sending
> >email, and refuse to understand that their computer is capable of doing
> >things without them knowing.
> 
> 
> What doesn't help is the ISPs out there who are complete dolts and first 
> don't verify reports and second false alarm.  They'll cut a user off on a 
> single complaint without any evidence or verification.  Or worse they have 
> some automated system that false alarms without any way to verify you're 
> cleaned up.  And if you can't get online you can't get cleaned up anyway. 
> Catch 22.  

www.quarantainenet.nl

It puts them in a protected environment where they can get cleaned up
on-line without serious risk of re-infection. They can pop their
e-mail, reply via webmail, but they can't connect to anywhere except a
list of update sites.

It uses honeypots to avoid false positives. 

In short, it works.


-- 
Jim Segrave   [EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis




--On February 23, 2006 9:09:26 PM +0200 Gadi Evron <[EMAIL PROTECTED]> wrote:

> I don't really see how any ISP will terminate an account for just one
> complaint, after all, it's losing money..
>
> We have seen a few good examples of pretty big ISP's who said here how
> quarantine works for them.
>
> Got an example on how ISP's are kicking users out?


Speakeasy suspended my service for a week over a single report from 
someone.  The mail never even travelled through or via any of my systems, 
the header bit that was called in was forged.  It took a week to get them 
to give me the information they'd gotten in complaint.  There was a forged 
Received header (completely fabricated, including the 'Qostfix' MTA) and 
also a forged HELO or EHLO of a non-existent host when it actually relayed 
it off onto someone else's MTA.


I can't remember the exact ISP...might've been RoadRunner or TW in Toronto,
but a friend had her DSL or CableModem suspended, ended up changing
providers.  There was an infection, it was cleaned, they were allowed back
on, then the ISP either received an old/backlogged complaint or something
and they cut them off again, but the machines were all clean (indeed
watching the network for traffic over several days revealed nothing that
they claimed to be the problem).


--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler


Re: Quarantine your infected users spreading malware

2006-02-23 Thread Gadi Evron


Michael Loftis wrote:

> What doesn't help is the ISPs out there who are complete dolts and first
> don't verify reports and second false alarm.  They'll cut a user off on
> a single complaint without any evidence or verification.  Or worse they
> have some automated system that false alarms without any way to verify
> you're cleaned up.  And if you can't get online you can't get cleaned up
> anyway. Catch 22.


I don't really see how any ISP will terminate an account for just one 
complaint, after all, it's losing money..


We have seen a few good examples of pretty big ISP's who said here how 
quarantine works for them.


Got an example on how ISP's are kicking users out?


Re: Quarantine your infected users spreading malware

2006-02-23 Thread Michael Loftis




--On February 23, 2006 8:02:31 AM -0600 Jack Bates <[EMAIL PROTECTED]> wrote:

> We allowed users back online to run Housecall at trendmicro for free so
> they could get cleaned up and save some money. However, the resuspend
> rate was so high, we quickly changed to offline cleanup only. It will
> remain until we perfect our auto defense system.
>
> Customers just want things to work. They don't care if they are infected.
> It's amazing how many customers swear they aren't scanning or sending
> email, and refuse to understand that their computer is capable of doing
> things without them knowing.



What doesn't help is the ISPs out there who are complete dolts and first 
don't verify reports and second false alarm.  They'll cut a user off on a 
single complaint without any evidence or verification.  Or worse they have 
some automated system that false alarms without any way to verify you're 
cleaned up.  And if you can't get online you can't get cleaned up anyway. 
Catch 22.  


Re: Quarantine your infected users spreading malware

2006-02-23 Thread Eric Gauthier

Heya,

Sorry about continuing this thread...  I noticed a few people discussing 
this topic and wondering about new ways to look at quarantining hosts.
There's a working group within the US Internet2 community that's been working
on a generalized architecture and set of white-papers that our member 
institutions can share.  If you're interested, check out the two
drafts that we have so far (SALSA-Netauth working group):

Architecture for Automating Network Policy (PDF)
http://security.internet2.edu/netauth/docs/internet2-salsa-netauth-architecture-200510.pdf

Strategies for Automating Network Policy Enforcement
http://security.internet2.edu/netauth/docs/internet2-salsa-netauth-policy-enforcement-200504.html


We'd welcome any thoughts, criticism, complaints, praise, etc...

Eric :)



Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jack Bates




Andy Davidson wrote:

> And they don't care!  How is someone else telling them that they need a
> virus checker going to change anything?




We allowed users back online to run Housecall at trendmicro for free so 
they could get cleaned up and save some money. However, the resuspend 
rate was so high, we quickly changed to offline cleanup only. It will 
remain until we perfect our auto defense system.


Customers just want things to work. They don't care if they are 
infected. It's amazing how many customers swear they aren't scanning or 
sending email, and refuse to understand that their computer is capable 
of doing things without them knowing.


-Jack



Re: Quarantine your infected users spreading malware

2006-02-23 Thread Jason Frisvold

On 2/23/06, Andy Davidson <[EMAIL PROTECTED]> wrote:
> And they don't care !  How is someone else telling them that they
> need a virus checker going to change anything ?

It's not.  That's why services such as AOL integrate it with the
system..  Granted, the user has to initially accept it, but it's a
virtually painless process..  AOL's software does all the work.

If a user has to download each individual program, install it, ensure
it's updated, etc., then they tend to ignore the use of such a
product.  Even mostly-automated updates are a burden for them because
messages pop up now and then telling them that they're not up to date,
warnings about new outbreaks, etc.  Most users don't care one way or
the other and it's simpler for them to ignore the whole situation.

For something like AVG, yes it's free.  But, I don't think that
includes allowing an ISP to package it up and distribute it as a
value-added feature..  Most companies frown on that sort of thing.  I
believe even Microsoft's EULA forbids distributing SP2 without strict
permission.

> -a

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-22 Thread Andy Davidson



On 21 Feb 2006, at 16:26, Jason Frisvold wrote:


Key words there.. "Large Provider" ..  I don't think A/V companies
have any interest whatsoever in smaller providers..  Just not a big
enough customer base I guess...
It would be nice to see an A/V provider willing to take that first
step and offer something like this to providers, regardless of size.


Anti-virus is already offered directly to end users ... for free !

http://free.grisoft.com/


And they don't care !  How is someone else telling them that they  
need a virus checker going to change anything ?



-a


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Sean Donelan

On Tue, 21 Feb 2006 [EMAIL PROTECTED] wrote:
> If people actually *knew* how to do this differentiation any better than
> flipping the quarter I have in my pocket, we wouldn't be having this 
> discussion.

Yep. Although it should have been obvious, a problem with quarantine
systems is most users can't validate an inline "trusted path" if the host
or something along the path may have been compromised.  Even if it hasn't
been totally compromised, the bad guys can impersonate the look and feel
of your quarantine system to lead your users down the walled garden path
of the bad guy's choosing. If you notify users by e-mail, the bad guys can
make their e-mail look very similar.  If you notify users by web page
interception, the bad guys can make their web page pop-ups look like your
quarantine pages.  And so on.

So you are quickly back to out-of-band communication paths with the user.

A couple of years ago I was a big fan of inline quarantine systems.  And
for some things it may still work, such as initial registration and setup
before a user's machine is compromised.  But I've changed my mind, or
rather the bad guys changed it for me, about what the long term
effectiveness of inline quarantine systems for compromised systems can be.


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Vicky Røde


Bill Nash wrote:
> 
> 
> On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:
> 
> 
>>Why not just bypass them and go direct to the unwashed
>>masses of end users? Offer them a free windows
>>infection blocker program that imposes the quarantine
>>itself locally on the user's machine. This program
> 
> 
> Offering them free software won't work to the levels you want. At first, 
> you'll get a response, because consumers always jump at free shiny things, 
> until something happens that makes them not like it anymore, and then 
> they'll dig in and never use it again. If you want to get this kind of 
> filtering into your core, you have a need to get this to a compulsory 
> level for access.
> 
> I don't think there's any disagreement as to the roots of this problem:
> - Modern users are generally clueless.
> - Most don't have firewalls or even the most basic of protections.
> - Getting tools deployed where they need to be most is the hardest.
> 
> With that said..
> 
> If you're talking about a compulsory software solution, why not, as an 
> ISP, go back to authenticated activity? Distribute PPPOE clients mated 
> with common anti-spyware/anti-viral tools. Pull down and update signatures 
> *every time* the user logs in, and again periodically while the user is 
> logged in (for those that never log out). Require these safeguards to be 
> active before they can pass the smallest traffic.
> 
> The change in traffic flow would necessitate some architecture kung fu, 
> maybe even AOL style, but you'd have the option of selectively picking out 
> reported malicious/infected users (*cough* ThreatNet *cough*) and routing 
> them through packet inspection frameworks on a case by case basis. Quite 
> possibly, you could even automate that and the users would never be the 
> wiser.
-
From my past discussion at nanog sessions, it appears this sink-hole
like process has been extremely helpful for AOL.

Maybe Vijay from AOL could chime in and enlighten us or folks could look
at the archives.



regards,
/virendra

> 
> - billn
> 


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Scott Weeks


- Original Message Follows -
From: [EMAIL PROTECTED]

> > Oh geez, here we go again...  Search the archives and
> > read until you're content.  It's a non-thread.  This
> > horse isn't only dead, it's not even a grease spot on
> the road any more.
> 
> Are you saying that the problem of spreading worms
> and botnets is fading? Where do you get your data on
> this?
> 
> I mean, it's all well and good to express an opinion
> but if you want to be believed you have to be prepared
> to back it up with data from another source.


I'm not saying that at all and that'd be the silliest
position to support anyway.  We all know better than that. 
All I was saying is *every* position on the subject was
expressed about two months ago in the thread that wouldn't
die even in the clear evidence of an exponential decrease in
quality of responses on the subject and I don't think things have
changed significantly since then.

No biggie, I can delete when the quality of responses
degrades below my threshold of ability to carry on
reading...  :-)

scott


Re: Quarantine your infected users spreading malware

2006-02-21 Thread James

On Tue, Feb 21, 2006 at 07:17:38AM +0200, Gadi Evron wrote:
> 
> [EMAIL PROTECTED] wrote:
> >On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...
> >
> >[snip]
> >
> >
> >>I'll update on these as I find out more on: http://blogs.securiteam.com
> >>
> >>This write-up can be found here: 
> >>http://blogs.securiteam.com/index.php/archives/312
> >
> >
> >Ah yes, the old self-promotion trick. You know, I get some ads for [EMAIL PROTECTED]
> >that sound pretty good until I have to click on their link to get more
> >information.
> 
> The information, quite a bit of it, comes before the link. If you'd like 
> I can send it to you again. Thanks!
> 
>   Gadi.

It appears the quality of the nanog mailing list is becoming on a par with
that of Full-Disclosure.

James


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold

On 2/21/06, Bill Nash <[EMAIL PROTECTED]> wrote:
> Big deal. You're talking about volume licensing at that point, and
> offering vendors an opportunity to compete to get on every desktop in your
> customer base. That's a big stick to negotiate with, especially if you're
> an Earthlink or AOL.

Agreed.  And with that, the little guys go away.

> Yeah, the privacy zealots, of which I'm one, don't have much of a leg to
> stand on, since as the direct service provider, you'd be directly within
> AUP/Contractually provided rights to do so, under that particular service
> model. They can't ding you for being active in your *response* to
> complaints about malicious activity sourced from your network, and taking
> the time to verify it. So long as you're keeping their personal
> information out of the hands of others, they don't have much to bitch
> about.

Agreed, but without publishing the exact procedures, protocols, etc,
they can always complain that something might be happening..  Don't
get me wrong, I'm just as much for privacy as most of the "zealots",
but there is a point at which there has to be an acceptable risk.

> The ISPs win because they've got ready means to tie complaints directly
> back to an active customer, AND verify the complaint. Consumers win
> because they've got cheap anti-virus they still don't have to do anything
> about. The internet wins because ISPs are sharing non-personally
> identifying information about naughty behaviour and maybe increasing the
> mean TTL for new Windows machines. In the long term, privacy advocates win
> because networks have implemented active responses to attacks that
> routinely lead to identity theft.

I wish everyone had this view.  Fixing, or at least patching, this
problem would help out a lot in the long run.  But there's a lot to be
done to handle it.  An ISP can deal with it themselves or, more often
than not, can ignore it.  As I was saying before, if there were some
sort of standards body that set forth a best practices guide of some
sort, that might go a long way.  Education for the end-user is key
here too.  Educate them to understand what precautions are in place at
the ISP level, and what they can do to protect themselves.  I think
it's gotten better in recent years, despite the increase in viral
activity.  I think the increase is due to better propagation
techniques rather than hordes of dumb users.

> The biggest hole I see in this concept is home routers that do NAT
> (linksys, linux boxes, etc). While capable of PPPOE, you can't quite
> mandate the A/V clients. You still have the option of doing packet
> inspection, which is still better than nothing.

Hrm..  Unless some sort of shim was required on the end-user
computer..  something transparent that merely identified itself in the
background to the central authority and verified signatures and the
like..

> - billn

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash



On Tue, 21 Feb 2006, Jason Frisvold wrote:


On 2/21/06, Bill Nash <[EMAIL PROTECTED]> wrote:

If you're talking about a compulsory software solution, why not, as an
ISP, go back to authenticated activity? Distribute PPPOE clients mated
with common anti-spyware/anti-viral tools. Pull down and update signatures
*every time* the user logs in, and again periodically while the user is
logged in (for those that never log out). Require these safeguards to be
active before they can pass the smallest traffic.


Cost prohibitive..  In order to do that you'll need licenses from the
AV companies..


Big deal. You're talking about volume licensing at that point, and 
offering vendors an opportunity to compete to get on every desktop in your 
customer base. That's a big stick to negotiate with, especially if you're 
an Earthlink or AOL.



The change in traffic flow would necessitate some architecture kung fu,
maybe even AOL style, but you'd have the option of selectively picking out
reported malicious/infected users (*cough* ThreatNet *cough*) and routing
them through packet inspection frameworks on a case by case basis. Quite
possibly, you could even automate that and the users would never be the
wiser.


And then the privacy zealots would be livid..  Silently re-routing
traffic like that..  How dare you suggest such a ... wait..  hrm..
The internet basically does this already..  I wonder if the zealots
are aware of that..  :)


Yeah, the privacy zealots, of which I'm one, don't have much of a leg to 
stand on, since as the direct service provider, you'd be directly within 
AUP/Contractually provided rights to do so, under that particular service 
model. They can't ding you for being active in your *response* to 
complaints about malicious activity sourced from your network, and taking 
the time to verify it. So long as you're keeping their personal 
information out of the hands of others, they don't have much to bitch 
about.


The ISPs win because they've got ready means to tie complaints directly 
back to an active customer, AND verify the complaint. Consumers win 
because they've got cheap anti-virus they still don't have to do anything 
about. The internet wins because ISPs are sharing non-personally 
identifying information about naughty behaviour and maybe increasing the 
mean TTL for new Windows machines. In the long term, privacy advocates win 
because networks have implemented active responses to attacks that 
routinely lead to identity theft.


The biggest hole I see in this concept is home routers that do NAT 
(linksys, linux boxes, etc). While capable of PPPOE, you can't quite 
mandate the A/V clients. You still have the option of doing packet 
inspection, which is still better than nothing.


- billn


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash



On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:


If you're talking about a compulsory software solution, why not, as an
ISP, go back to authenticated activity? Distribute PPPOE clients mated
with common anti-spyware/anti-viral tools. Pull down and update signatures
*every time* the user logs in, and again periodically while the user is
logged in (for those that never log out). Require these safeguards to be
active before they can pass the smallest traffic.


Cost prohibitive..  In order to do that you'll need licenses from the
AV companies..


Oddly enough, AOL and several other large providers seem to have no problems
advertising some variant on 'free A/V software'.



When referring to AOL customers, though, you're talking about a target 
market that is accustomed to being offered a bundled package, and for lack 
of a better term, doing what it's told. Largely, AOL users aren't the 
problem. Comcast, Cox, Adelphia, and similar providers with raw IP 
consumers are the problem.[1] A la carte services are all good and well 
for the end user, but it's a double edged sword in that they're good for 
the botnet crews, too. I used to sneer at offerings like AOL or Compuserv, 
because they weren't what I needed. Now, I'm actually kind of glad they 
exist because some users clearly need the training wheels.


This is as much of a social problem as it is a technical one. I'm starting 
to understand the perspective of a legislative heavy federal government 
that has to pass laws to protect folks who are pretty much ignorant of the 
problem.


- billn

[1] I don't point those out because of specific problems, I point them out 
to describe service offering styles and network architecture. I have no 
interest in detailing why provider X sucks, or talking to your lawyers 
about it.


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Larry Smith

On Tuesday 21 February 2006 10:26, Jason Frisvold wrote:
> On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Oddly enough, AOL and several other large providers seem to have no
> > problems advertising some variant on 'free A/V software'.
>
> Key words there.. "Large Provider" ..  I don't think A/V companies
> have any interest whatsoever in smaller providers..  Just not a big
> enough customer base I guess...
>
> It would be nice to see an A/V provider willing to take that first
> step and offer something like this to providers, regardless of size.
> No packaging needed, so there's a cost savings there for the vendor.
>
> I'm not familiar with how this works in AOL land..  Does the end-user
> need to subscribe to anything other than AOL?  ie, are there any
> "hidden" fees?
>

The problem with discussing AOL and "large provider" in the same sentence is 
that the complete AOL (connection, desktop, tools, etc) functions are AOL 
controlled (walled garden) so they have the capability of doing much more in 
that arena than other providers.

Secondly, to the best of my knowledge,  A/V vendors do make their products 
available to "any" provider - it is just that small to medium sized ISP's 
cannot justify the cost/benefit ratio and keep their pricing anywhere near 
competitive with the "big" boys.  At ten copies a month you get little to no 
discount - at 10,000 copies per month you get quite a cut...

-- 
Larry Smith
SysAd ECSIS.NET
[EMAIL PROTECTED]




Re: Quarantine your infected users spreading malware

2006-02-21 Thread PC


No, just $24/month (or whatever it is now) for the whole service.  You
go to a "keyword" and it does a web based installation widget.  It is
free as long as you remain a subscriber.

> I'm not familiar with how this works in AOL land..  Does the end-user
> need to subscribe to anything other than AOL?  ie, are there any
> "hidden" fees?
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]




Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Oddly enough, AOL and several other large providers seem to have no problems
> advertising some variant on 'free A/V software'.

Key words there.. "Large Provider" ..  I don't think A/V companies
have any interest whatsoever in smaller providers..  Just not a big
enough customer base I guess...

It would be nice to see an A/V provider willing to take that first
step and offer something like this to providers, regardless of size. 
No packaging needed, so there's a cost savings there for the vendor.

I'm not familiar with how this works in AOL land..  Does the end-user
need to subscribe to anything other than AOL?  ie, are there any
"hidden" fees?

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 10:42:20 EST, Jason Frisvold said:
> 
> On 2/21/06, Bill Nash <[EMAIL PROTECTED]> wrote:
> > If you're talking about a compulsory software solution, why not, as an
> > ISP, go back to authenticated activity? Distribute PPPOE clients mated
> > with common anti-spyware/anti-viral tools. Pull down and update signatures
> > *every time* the user logs in, and again periodically while the user is
> > logged in (for those that never log out). Require these safeguards to be
> > active before they can pass the smallest traffic.
> 
> Cost prohibitive..  In order to do that you'll need licenses from the
> AV companies..

Oddly enough, AOL and several other large providers seem to have no problems
advertising some variant on 'free A/V software'.




Re: Quarantine your infected users spreading malware

2006-02-21 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 13:05:35 GMT, [EMAIL PROTECTED] said:
> 
> > How do you differentiate this infection from the ones 
> > they've been preached to to avoid?
> 
> The same way that people currently differentiate
> bad software from good software before they install
> something on their machines. 

If people actually *knew* how to do this differentiation any better than
flipping the quarter I have in my pocket, we wouldn't be having this discussion.




Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold

On 2/21/06, Bill Nash <[EMAIL PROTECTED]> wrote:
> If you're talking about a compulsory software solution, why not, as an
> ISP, go back to authenticated activity? Distribute PPPOE clients mated
> with common anti-spyware/anti-viral tools. Pull down and update signatures
> *every time* the user logs in, and again periodically while the user is
> logged in (for those that never log out). Require these safeguards to be
> active before they can pass the smallest traffic.

Cost prohibitive..  In order to do that you'll need licenses from the
AV companies..

> The change in traffic flow would necessitate some architecture kung fu,
> maybe even AOL style, but you'd have the option of selectively picking out
> reported malicious/infected users (*cough* ThreatNet *cough*) and routing
> them through packet inspection frameworks on a case by case basis. Quite
> possibly, you could even automate that and the users would never be the
> wiser.

And then the privacy zealots would be livid..  Silently re-routing
traffic like that..  How dare you suggest such a ... wait..  hrm.. 
The internet basically does this already..  I wonder if the zealots
are aware of that..  :)

> - billn

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Bill Nash




On Tue, 21 Feb 2006, [EMAIL PROTECTED] wrote:


Why not just bypass them and go direct to the unwashed
masses of end users? Offer them a free windows
infection blocker program that imposes the quarantine
itself locally on the user's machine. This program


Offering them free software won't work to the levels you want. At first, 
you'll get a response, because consumers always jump at free shiny things, 
until something happens that makes them not like it anymore, and then 
they'll dig in and never use it again. If you want to get this kind of 
filtering into your core, you have a need to get this to a compulsory 
level for access.


I don't think there's any disagreement as to the roots of this problem:
- Modern users are generally clueless.
- Most don't have firewalls or even the most basic of protections.
- Getting tools deployed where they need to be most is the hardest.

With that said..

If you're talking about a compulsory software solution, why not, as an 
ISP, go back to authenticated activity? Distribute PPPOE clients mated 
with common anti-spyware/anti-viral tools. Pull down and update signatures 
*every time* the user logs in, and again periodically while the user is 
logged in (for those that never log out). Require these safeguards to be 
active before they can pass the smallest traffic.


The change in traffic flow would necessitate some architecture kung fu, 
maybe even AOL style, but you'd have the option of selectively picking out 
reported malicious/infected users (*cough* ThreatNet *cough*) and routing 
them through packet inspection frameworks on a case by case basis. Quite 
possibly, you could even automate that and the users would never be the 
wiser.


- billn



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave

On Tue 21 Feb 2006 (08:45 -0500), John Curran wrote:
> 
> At 7:45 AM -0500 2/21/06, John Curran wrote:
> >
> >From the web site: "Only a selected set of web sites will remain available, 
> >for example Microsoft update and the websites of several anti-virus software 
> >companies. The quarantine server tells users what is going on and how this 
> >problem can be resolved."
> >
> >One hopes that the Apple web site and online credit form is included in the 
> >list...   ;-)
> 
> Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available)
> and instructions to only enter your Admin password during bona fide sw
> installations would also go a long way towards preventing recurrence...
> :-)

We have added multiple sites, including on-line banking sites which are
appropriate to the Netherlands to the list of reachable sites (we also
use this to encourage paying your bills as well as getting people to
fix their machines)

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Gadi Evron


Jess Kitchen wrote:


On Tue, 21 Feb 2006, Gadi Evron wrote:

Hi Simon, this is indeed a Windows problem due to Microsoft being a 
mono-culture in our desktop world. Still, there are botnets 
constructed from other OS's as well. Also, C&C servers are mostly *nix 
machines.



Does 'mostly *nix' hold true of the fast-flux or throwaway technique 
recently mentioned?


That is a very interesting question, and I will have an answer for you, 
I hope, soon.


Gadi.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jess Kitchen


On Tue, 21 Feb 2006, Gadi Evron wrote:

Hi Simon, this is indeed a Windows problem due to Microsoft being a 
mono-culture in our desktop world. Still, there are botnets constructed from 
other OS's as well. Also, C&C servers are mostly *nix machines.


Does 'mostly *nix' hold true of the fast-flux or throwaway technique 
recently mentioned?


Regards,
Jess.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran

At 7:45 AM -0500 2/21/06, John Curran wrote:
>
>From the web site: "Only a selected set of web sites will remain available, 
>for example Microsoft update and the websites of several anti-virus software 
>companies. The quarantine server tells users what is going on and how this 
>problem can be resolved."
>
>One hopes that the Apple web site and online credit form is included in the 
>list...   ;-)  

Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available)
and instructions to only enter your Admin password during bona fide sw
installations would also go a long way towards preventing recurrence...
:-)
/John


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon

> > When enough
> > "votes" have been collected, the registry sends the
> > shutdown signal to the end user, thus triggering the
> > blocker program to quarantine the user.
> 
> Isn't there a risk of DoS though?  What's to prevent someone from
> "spoofing" those signals and shutting down other users?

The signal would be encoded using a unique key. 
I would also expect that the choice of listening port
would be somehow randomized and registered in the central
registry to make it less of a DOS target.

>  Relative
> precautions would need to be taken, but to be sure, the end-user needs
> the ability to override the system.  Thus leaving us in the same
> situation as before.  Firewall?  I don't need no stinking firewall.. 

I see no reason why the user needs the ability to 
override or remove the software. After all, during
normal operation it does nothing at all therefore it
does not interfere in any way with machine operation.
The intent is to make it virtually impossible to 
remove this software so that a virus or worm cannot
remove it either.

> Sure it does..  It doesn't need to remove it, per se, but it will need
> to know what the infection is so it can give the correct disinfection
> instructions..

If the quarantined state keeps open a port 443 connection 
to a specific trusted webserver run by the group of trusted 
security researchers then the specifics of combatting the 
worm can be made available on that site. If necessary the 
site could upload ActiveX controls to do malware scans or 
recommend the installation of such software.

--Michael Dillon
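A worked sketch of the voting registry and keyed shutdown signal Michael Dillon proposes in this thread (the "votes" collected by a central registry, the signal "encoded using a unique key"), written to address Jason Frisvold's question about spoofed signals being used to knock users offline. This is an added example, not code from the original thread or from any product: the registry only emits a signal once a threshold of independently authenticated researcher votes is reached, and the blocker accepts only a signal that carries a valid tag under its own per-host key, names this host, is fresh, and has not been seen before. The Registry and Blocker classes, the vote threshold, the signal lifetime, the researcher ids and the host id are all constructed for the example; an HMAC tag stands in for the proposal's "encoded" signal.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Constructed parameters: independent researcher reports needed before the
# registry emits a signal, and how long (seconds) a signal stays valid.
VOTE_THRESHOLD = 3
SIGNAL_TTL = 300


def _tag(key, msg):
    """Keyed authentication tag; stands in for the proposal's 'encoded' signal."""
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


class Registry:
    """Hypothetical central registry: counts distinct researcher votes per host
    and only then emits a shutdown signal under that host's unique key."""

    def __init__(self, researcher_keys, threshold=VOTE_THRESHOLD):
        self.researcher_keys = researcher_keys   # researcher_id -> shared key
        self.host_keys = {}                      # host_id -> key given at registration
        self.votes = defaultdict(set)            # host_id -> {researcher_id, ...}
        self.threshold = threshold

    def register_host(self, host_id):
        """The blocker registers itself and receives its unique key."""
        key = os.urandom(32)
        self.host_keys[host_id] = key
        return key

    def report_infected(self, researcher_id, host_id, tag):
        """A vote counts only if it verifies under that researcher's key;
        repeated votes from one researcher do not accumulate."""
        key = self.researcher_keys.get(researcher_id)
        if key is None or not hmac.compare_digest(_tag(key, f"{researcher_id}|{host_id}"), tag):
            return False
        self.votes[host_id].add(researcher_id)
        return True

    def vote_count(self, host_id):
        return len(self.votes[host_id])

    def shutdown_signal(self, host_id, now=None):
        """Signed quarantine signal, or None while votes are below threshold."""
        if self.vote_count(host_id) < self.threshold:
            return None
        ts = int(time.time() if now is None else now)
        msg = f"QUARANTINE|{host_id}|{ts}"
        return msg, _tag(self.host_keys[host_id], msg)


class Blocker:
    """Hypothetical client-side blocker: quarantines only on a signal that
    verifies under its own key, names this host, is fresh, and is not a replay."""

    def __init__(self, host_id, key, ttl=SIGNAL_TTL):
        self.host_id = host_id
        self.key = key
        self.ttl = ttl
        self.quarantined = False
        self.seen = set()

    def receive(self, msg, tag, now=None):
        now = int(time.time() if now is None else now)
        if not hmac.compare_digest(_tag(self.key, msg), tag):
            return "rejected: bad tag"       # spoofed: sender lacks this host's key
        parts = msg.split("|")
        if len(parts) != 3 or parts[0] != "QUARANTINE" or parts[1] != self.host_id:
            return "rejected: malformed"     # e.g. a signal meant for another host
        if abs(now - int(parts[2])) > self.ttl:
            return "rejected: stale"         # captured earlier and re-sent late
        if (msg, tag) in self.seen:
            return "rejected: replay"
        self.seen.add((msg, tag))
        self.quarantined = True
        return "quarantined"


def demo():
    """Walk through the proposal: a spoofed signal, too few votes, a bogus
    researcher, the threshold being reached, then a replay."""
    rkeys = {r: os.urandom(32) for r in ("r1", "r2", "r3")}   # constructed researchers
    reg = Registry(rkeys)
    host = "host-A"                                            # constructed host id
    blocker = Blocker(host, reg.register_host(host))

    forged = blocker.receive(f"QUARANTINE|{host}|{int(time.time())}", "00" * 32)
    reg.report_infected("r1", host, _tag(rkeys["r1"], f"r1|{host}"))
    reg.report_infected("r1", host, _tag(rkeys["r1"], f"r1|{host}"))   # same voter again
    reg.report_infected("r2", host, _tag(rkeys["r2"], f"r2|{host}"))
    bogus = reg.report_infected("evil", host, "deadbeef")        # unknown researcher
    early = reg.shutdown_signal(host)                            # 2 votes < threshold
    reg.report_infected("r3", host, _tag(rkeys["r3"], f"r3|{host}"))
    msg, tag = reg.shutdown_signal(host)
    result = blocker.receive(msg, tag)
    replay = blocker.receive(msg, tag)
    return forged, bogus, reg.vote_count(host), early, result, replay, blocker.quarantined
```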



Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?


AV software can *try* and protect itself in this and other ways, but 
that is OT to NANOG. I don't mind discussing it in private though if 
software protection reversing technology interests you. :)


Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Jason Frisvold

On 2/21/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intriguing concept..  Why bother "hiding" itself though?  Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though?  What's to prevent someone from
"spoofing" those signals and shutting down other users?  Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system.  Thus leaving us in the same
situation as before.  Firewall?  I don't need no stinking firewall.. 
:)

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does..  It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection
instructions..

> --Michael Dillon

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon

> How do you differentiate this infection from the ones 
> they've been preached to to avoid?

The same way that people currently differentiate
bad software from good software before they install
something on their machines. 

--Michael Dillon



Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon

> > Offer them a free windows 
> > infection blocker program that imposes the quarantine
> > itself locally on the user's machine. This program
> > would use stealth techniques to hide itself in the
> > user's machine, just like viruses do.

> As the defense is local to the user's machine, the attacker can just 
> kick it away.

How are they going to identify the code to throw
away? I believe that the state of the art for 
AV software is to create randomly named EXE files
so that attackers cannot delete the running process,
and then the EXE file ensures that the installed
program and startup config are not tampered with.

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?

--Michael Dillon



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran

At 12:26 PM +0100 2/21/06, Jim Segrave wrote:
>
> > The philosophical discussion aside (latest one can be found under "zotob
>> port 445 nanog" on Google), presenting some new technologies that shows
>> this *can* be done changes the picture.
>
>http://www.quarantainenet.nl/

From the web site: "Only a selected set of web sites will remain available, 
for example Microsoft update and the websites of several anti-virus software 
companies. The quarantine server tells users what is going on and how this 
problem can be resolved."

One hopes that the Apple web site and online credit form is included in the 
list...   ;-)   
/John


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> > How do you get the unwashed masses of ISPs
> > to join the choir so you can preach to them?
> 
> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows 
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.
> 
> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.
> 
> At this point a friendly helpful webpage pops up
> and guides the user through the disinfection process.
> 
> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.
> 
> This won't stop worms or botnets, but it will slow them down
> and it will greatly speed the cleanup process.
> 
> --Michael Dillon



Hi Michael, the only problem with that approach is that you think like a 
defender.


As the defense is local to the user's machine, the attacker can just 
kick it away.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Gadi Evron


Simon Waters wrote:

> I've seen 95% quoted - certainly my experience if you go looking for malware 
> in recent Windows desktop machines using IE and Outlook it is pretty much a 
> certainty you'll find it. Most of these tools I was using didn't detect the 
> Sony Rootkit, or other malware, so this will always be an underestimate of 
> the true extent of the problem, unless one uses fingerprinting and packet 
> inspection as the tools of choice for malware detection.
> 
> This is very much a Windows only problem, it doesn't affect desktop users of 
> other systems at all, possibly in part because they lack critical mass, but 
> also because they have more sensible security models. Largely it is an 
> Outlook and IE problem.




Hi Simon, this is indeed a Windows problem due to Microsoft being a 
mono-culture in our desktop world. Still, there are botnets constructed 
from other OS's as well. Also, C&C servers are mostly *nix machines.


Gadi.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael Painter


- Original Message - 
From: <[EMAIL PROTECTED]>
Subject: Re: Quarantine your infected users spreading malware

> Rather like a botnet except with the user's
> consent and with a positive goal.

Isn't this pretty much like how they were compromised in the first place?  How do you differentiate this infection from the ones 
they've been preached to to avoid?


"Trust me...I won't come in your mouth."






Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave

On Tue 21 Feb 2006 (04:15 +0200), Gadi Evron wrote:
> 
> Christopher L. Morrow wrote:
> >it's also not just a 'i got infected over the net' problem... where is
> >that sean when you need his nifty stats :) Something about no matter what
> >you filter grandpa-jones will find a way to click on the nekkid jiffs of
> >Anna Kournikova again :(
> >
> >anyway, someone mentioned the rafts of posts in the archives, it'd be nice
> >if this was all just referred there :(
> 
> I quite agree, unless other solutions can be presented, and indeed, 2 
> new ones have so far.
> 
> The philosophical discussion aside (latest one can be found under "zotob 
> port 445 nanog" on Google), presenting some new technologies that shows 
> this *can* be done changes the picture.

http://www.quarantainenet.nl/

It works, we use it. It cuts down on support calls, customers
generally react well to it and, at least when using Juniper core routers,
it's not too intrusive in the network and will scale to pretty large
networks of users.

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon

> How do you get the unwashed masses of ISPs
> to join the choir so you can preach to them?

Why not just bypass them and go direct to the unwashed
masses of end users? Offer them a free windows 
infection blocker program that imposes the quarantine
itself locally on the user's machine. This program
would use stealth techniques to hide itself in the
user's machine, just like viruses do. And this program
would do nothing but register itself with an encoded
registry, and listen for an encoded command to activate
itself. Rather like a botnet except with the user's
consent and with a positive goal.

When the community of bot/worm researchers determines
that this machine is infected, they inform the central
registry using their own encoded signal. When enough
"votes" have been collected, the registry sends the
shutdown signal to the end user, thus triggering the
blocker program to quarantine the user.

At this point a friendly helpful webpage pops up
and guides the user through the disinfection process.

Unlike antivirus software, the application on the user's
computer does not need to detect malware and it needs
no database updates. It does only one thing and it relies
on the collective intelligence of the anti-malware community.

This won't stop worms or botnets, but it will slow them down
and it will greatly speed the cleanup process.

--Michael Dillon
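As an added example (not code from the thread or from any product), here is a toy Python model of the registry-and-blocker flow Michael sketches: researchers file authenticated reports, the registry counts one vote per distinct researcher within a validity window, and only on reaching a quorum does it issue a signed command that the opt-in blocker acts on. The HMAC-SHA256 signals, the quorum of three, the 24-hour vote lifetime, the replay check and all names are assumptions; the post itself says only "encoded signal".

```python
import hashlib
import hmac

QUORUM = 3            # distinct researchers that must report a host (assumed)
VOTE_TTL = 24 * 3600  # seconds a report stays valid (assumed)


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over '|'-joined fields: our stand-in for the 'encoded signal'."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class Registry:
    """Central registry: collects researcher reports, issues quarantine commands."""

    def __init__(self, researcher_keys, host_keys, quorum=QUORUM, ttl=VOTE_TTL):
        self.researcher_keys = researcher_keys  # researcher id -> shared key
        self.host_keys = host_keys              # host id -> key installed with the blocker
        self.quorum, self.ttl = quorum, ttl
        self.votes = {}                         # host id -> {researcher id: timestamp}

    def submit_report(self, researcher, host_id, ts, mac):
        """Accept a report only if it authenticates; one vote per researcher per host."""
        key = self.researcher_keys.get(researcher)
        if key is None or not hmac.compare_digest(mac, _mac(key, researcher, host_id, str(ts))):
            return False
        # A repeat report from the same researcher refreshes the vote, it does not add one.
        self.votes.setdefault(host_id, {})[researcher] = ts
        return True

    def live_votes(self, host_id, now):
        """Votes that have not aged past the validity window."""
        return {r: t for r, t in self.votes.get(host_id, {}).items() if now - t <= self.ttl}

    def quarantine_command(self, host_id, now):
        """Return a signed 'quarantine' command once the quorum is reached, else None."""
        key = self.host_keys.get(host_id)
        if key is None or len(self.live_votes(host_id, now)) < self.quorum:
            return None
        return {"host": host_id, "action": "quarantine", "ts": now,
                "mac": _mac(key, host_id, "quarantine", str(now))}


class Blocker:
    """The consented agent on the user's machine; acts only on authenticated commands."""

    def __init__(self, host_id, key):
        self.host_id, self.key = host_id, key
        self.quarantined = False
        self.last_ts = 0

    def receive(self, cmd):
        expected = _mac(self.key, cmd["host"], cmd["action"], str(cmd["ts"]))
        if cmd["host"] != self.host_id or not hmac.compare_digest(cmd["mac"], expected):
            return False  # forged or tampered: ignore
        if cmd["ts"] <= self.last_ts:
            return False  # replayed command: ignore
        self.last_ts = cmd["ts"]
        if cmd["action"] == "quarantine":
            self.quarantined = True
        return True


def report(key, researcher, host_id, ts):
    """What a researcher's tooling would send: the fields plus their MAC."""
    return (researcher, host_id, ts, _mac(key, researcher, host_id, str(ts)))


def run_scenario():
    """Constructed walk-through with made-up keys; returns observations to check."""
    rkeys = {"r1": b"k-r1", "r2": b"k-r2", "r3": b"k-r3"}
    hkeys = {"host-A": b"k-host-A"}
    reg = Registry(rkeys, hkeys)
    blocker = Blocker("host-A", hkeys["host-A"])
    now = 1_000_000
    out = {}
    # 1. one researcher reporting three times is still a single vote
    for i in range(3):
        reg.submit_report(*report(rkeys["r1"], "r1", "host-A", now + i))
    out["single_source_quorum"] = reg.quarantine_command("host-A", now + 3) is not None
    # 2. a report signed with the wrong key is rejected
    out["forged_report_accepted"] = reg.submit_report(*report(b"wrong", "r2", "host-A", now))
    # 3. a stale vote does not count towards the quorum
    reg.submit_report(*report(rkeys["r2"], "r2", "host-A", now - VOTE_TTL - 1))
    out["expired_counts"] = reg.quarantine_command("host-A", now) is not None
    # 4. three distinct, fresh researchers reach the quorum
    reg.submit_report(*report(rkeys["r2"], "r2", "host-A", now))
    reg.submit_report(*report(rkeys["r3"], "r3", "host-A", now))
    cmd = reg.quarantine_command("host-A", now + 10)
    out["quorum_reached"] = cmd is not None
    # 5. the blocker rejects a tampered command, accepts the genuine one, ignores a replay
    out["tampered_accepted"] = blocker.receive(dict(cmd, host="host-B"))
    out["genuine_accepted"] = blocker.receive(cmd)
    out["quarantined"] = blocker.quarantined
    out["replay_accepted"] = blocker.receive(cmd)
    return out
```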



Re: Quarantine your infected users spreading malware

2006-02-21 Thread Michael . Dillon

> Oh geez, here we go again...  Search the archives and read
> until you're content.  It's a non-thread.  This horse isn't
> only dead, it's not even a grease spot on the road any more.

Are you saying that the problem of spreading worms
and botnets is fading? Where do you get your data on
this?

I mean, it's all well and good to express an opinion
but if you want to be believed you have to be prepared
to back it up with data from another source.

--Michael Dillon



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Simon Waters

On Tuesday 21 Feb 2006 06:41, you wrote:
>
> I've seen more than one estimate that most computers *are* infected by at
> least one piece of malware/spyware/etc, (including numbers as high as 90%)

I've seen 95% quoted - certainly my experience if you go looking for malware 
in recent Windows desktop machines using IE and Outlook it is pretty much a 
certainty you'll find it. Most of these tools I was using didn't detect the 
Sony Rootkit, or other malware, so this will always be an underestimate of 
the true extent of the problem, unless one uses fingerprinting and packet 
inspection as the tools of choice for malware detection.

This is very much a Windows only problem, it doesn't affect desktop users of 
other systems at all, possibly in part because they lack critical mass, but 
also because they have more sensible security models. Largely it is an 
Outlook and IE problem.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis . Kletnieks
On Mon, 20 Feb 2006 23:54:38 EST, Sean Donelan said:
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?

I've seen more than one estimate that most computers *are* infected by at least
one piece of malware/spyware/etc, (including numbers as high as 90%) and if the
site that was tracking 1M new zombies/day is to be believed, they *are*
spiraling out of control.

And when a significant fraction of all new computers are bought as a virus/worm
control method, things *are* out of control:

http://www.nytimes.com/2005/07/17/technology/17spy.html?ei=5090&en=5b2b6783f66a7422&ex=1279252800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1121859260-edx1SJD7lWy7D6PMipItjw

I suspect that in fact, a *lot* of computers have crud on them, but people's
expectations have dropped - as long as the virus doesn't actually kill the
host, it's tolerated.

If Aunt Matilda is avoiding all this stuff, the most likely reason that Aunt
Matilda doesn't get more crudware on her system is because she wouldn't be
caught dead visiting non-reputable websites that you're likely to get caught in
a drive-by fruiting - and none of her friends would either, so she never gets
her e-mail address scraped and used as a target...

But we already knew that, and there's no good way to leverage it when everybody
who *isn't* an Aunt Matilda *does* visit those kind of sites, or knows people
who do...





Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

The vast majority of what I see is based on financial gain.
Popping a web+database server, installing a rootkit, and
transferring off the day's business transactions is a lot more
certain than popping 10K Windows boxes and hoping the users go
shopping.  Yep, seen it more than once.  Check your PHP-based
tools, folks.

According to the criminals, Internet-wide mayhem would really
get in the way of the revenue stream.  They need a stable
Internet to get the cash.

Cleaning out bank accounts is more lucrative than one might
suspect.  The current record observed by us is approximately US
$3M in one take.  Most of them are much smaller.  That bothers
me more, actually.  What person with only US $800 to their name
has a hope of rapid response to the loss of all their cash?

Just to be clear I agree that home users using Windows are at
risk for all sorts of nasty things, and they need help.  I also
didn't want folks to believe that it is a problem related to
one OS or demographic.  It's a problem of crime, mostly.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote:
> ] true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> ] or router(s) (other than the one provided by her ISP and managed by them)
> ] and has zero clue about overly permissive machines.
> 
> Agreed.  Instead all of her financial records are on those
> unix web/database servers, or transit through those routers,
> etc.  There's a reason why such devices are popular with
> the criminals.  :(


what's the objective?  ID theft, fiscal mayhem - go for the 
infrastructure stuff (like you say). lowest visible impact
for very high fiscal return.
destabilize the trust model, perceptions of availability?
large zombie packs might be your best bet.  
(we're not in it for the money, we want social change!)

> 
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> > 
> > Hey, Bill.
> > 
> > ] what is the mean-time-to-infection for a stock windows XP system
> > ] when plugged into the net?... 2-5minutes?  you can't get patches
> > ] down that fast.
> > 
> > The same case can be made for Linux and Unix-based web servers with
> > vulnerable PHP-based tools.  There's also a large number of poorly
> > configured devices such as routers with easily guessed passwords,
> > overly permissive DNS name servers, etc.
> > 
> > It's not simply a Windows problem.
> > 
> > Thanks,
> > Rob.
> 
> true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> or router(s) (other than the one provided by her ISP and managed by them)
> and has zero clue about overly permissive machines.
> 
> me thinks it is a -much- larger pool that gets taken advantage of
> with a much higher threshold of ignorance about problems. 
> 
> --bill


You described it best, and home users are indeed the problem discussed.

However, the amount of insecure routers out there is scary by itself. 
Rob has a lot more data on that than me and I don't doubt what he said.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

]   true enough.  but "auntie jane" doesn't have linux/unix web server(s)
]   or router(s) (other than the one provided by her ISP and managed by them)
]   and has zero clue about overly permissive machines.

Agreed.  Instead all of her financial records are on those
unix web/database servers, or transit through those routers,
etc.  There's a reason why such devices are popular with
the criminals.  :(

-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> 
> Hey, Bill.
> 
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
> 
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
> 
> It's not simply a Windows problem.
> 
> Thanks,
> Rob.

true enough.  but "auntie jane" doesn't have linux/unix web server(s)
or router(s) (other than the one provided by her ISP and managed by them)
and has zero clue about overly permissive machines.

me thinks it is a -much- larger pool that gets taken advantage of
with a much higher threshold of ignorance about problems. 

--bill



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

> On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...
> 
> [snip]
> 
> > I'll update on these as I find out more on: http://blogs.securiteam.com
> > 
> > This write-up can be found here: 
> > http://blogs.securiteam.com/index.php/archives/312
> 
> Ah yes, the old self-promotion trick. You know, I get some ads for [EMAIL PROTECTED]
> that sound pretty good until I have to click on their link to get more
> information.


The information, quite a bit of it, comes before the link. If you'd like 
I can send it to you again. Thanks!


Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Sean Donelan wrote:

> On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> > it's also not just a 'i got infected over the net' problem... where is
> > that sean when you need his nifty stats :) Something about no matter what
> > you filter grandpa-jones will find a way to click on the nekkid jiffs of
> > Anna Kournikova again :(
> 
> Give me (or CAIDA) permission to peek inside your networks and I'm sure
> there are lots of nifty stats we could anonymize :)
> 
> The big mystery for me has always been the computers that are infected
> BEFORE they are connected to the network for the first time (according
> to their owners).  It's never repeatable, and never provable, but the
> computer owner swears it happened.  In any case, the home computer is
> owned by the home user, not the ISP or an employer or a media company.  If
> you make something attractive enough to the user, he will find a way to
> get it on his computer no matter how many roadblocks you try to put in
> the way.
> 
> An ISP blocking one virus or worm doesn't change the end result.  Time
> after time I've watched, the computers eventually get infected anyway.
> Although it may appear to take longer or your NIDS may not pick up the
> final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
> vendors for ideas I've used over several years and they are now selling.
> 
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?


Comment only on last paragraph:
Many *home* computers do, quite a few *corporate* do as well, in my 
experience.


Even if they didn't the numbers we face are significant enough.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: Quarantine your infected users spreading malware

2006-02-20 Thread eric-list-nanog

On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...

[snip]

> I'll update on these as I find out more on: http://blogs.securiteam.com
> 
> This write-up can be found here: 
> http://blogs.securiteam.com/index.php/archives/312

Ah yes, the old self-promotion trick. You know, I get some ads for [EMAIL PROTECTED]
that sound pretty good until I have to click on their link to get more
information.

Moderators: doesn't this border on spam?


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Sean Donelan

On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(

Give me (or CAIDA) permission to peek inside your networks and I'm sure
there are lots of nifty stats we could anonymize :)

The big mystery for me has always been the computers that are infected
BEFORE they are connected to the network for the first time (according
to their owners).  It's never repeatable, and never provable, but the
computer owner swears it happened.  In any case, the home computer is
owned by the home user, not the ISP or an employer or a media company.  If
you make something attractive enough to the user, he will find a way to
get it on his computer no matter how many roadblocks you try to put in
the way.

An ISP blocking one virus or worm doesn't change the end result.  Time
after time I've watched, the computers eventually get infected anyway.
Although it may appear to take longer or your NIDS may not pick up the
final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
vendors for ideas I've used over several years and they are now selling.

On the other hand, the number of infected computers never seems to spiral
out of control. I've been wondering, instead of trying to figure out why
some computers get infected, should we be trying to figure out why most
computers don't become infected?



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Jason Frisvold

On 2/20/06, Edward W. Ray <[EMAIL PROTECTED]> wrote:
> ISPs should not police users, just like auto manufacturers should not police
> drivers.  That is what driver's licenses are for.

So the state polices the drivers..  Should the state police the
internet as well?  And how would that be implemented?  The ISP will
take the brunt of the operational interference anyways as the "police"
have no other way of stopping those drivers.

And when Joe Driver gets busted and banned, he'll make up a new
identity to use at ISP B.

I tend to agree with Gadi that we, the ISPs, need to do at least some
blocking.  I don't see it happening anytime soon though.  There's
still way too many ops out there who take something like this as a
challenge to their ability to operate a network when in fact, it's
the users who are the problem.  I'd rather open up everything and
allow a user 100% unfiltered access, but most users don't know what to
do with that and don't take proper precautions.

So, for residential users I think that a reasonable filter should be
applied.  Block stuff like Netbios.  Implement spoofing filters.  Do
whatever you can to "protect" the users without impacting their
ability to use the internet.  For commercial users, offer simple
protection, or make sure they know that they will be held responsible
for virus activity sourcing from them.  Shut down those ports if they
become active.

I also like the idea of putting infected users in a quarantine.  Alert
them via an automated process.  Give them access to updates, but
prevent them from infecting others.  I think this is a more than
reasonable expectation from end-users.  In fact, I'd be more inclined
to use an ISP that has safe-guards like this in place.

It might even be worth it to put together a best practices guide that
lays out the "minimum" requirements for something like this.  (It may
even exist..  If so, I'd be interested in reading it if someone would
be kind enough to provide a link)

> Ed Ray

Go Go Gadget Flame-Retardant Suit!

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
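As an added example (not the thread's code nor any ISP's configuration), here is a Python model of the residential edge policy Jason describes: the anti-spoofing filter, the NetBIOS/SMB port block (the 139/445 blocking Frank Bulk and Gadi also mention elsewhere in this thread), and a quarantine group that can still reach the resolver and the update sites while its port-80 traffic is redirected to the explanatory portal. The addresses are RFC 5737 documentation ranges, and the heuristic that 20 distinct targets on a blocked port moves a subscriber into quarantine is an assumption for illustration.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Ports the thread proposes blocking for residential lines: NetBIOS and SMB.
RESIDENTIAL_BLOCKED_PORTS = {137, 138, 139, 445}
SCAN_THRESHOLD = 20  # distinct targets on a blocked port before quarantine (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Subscriber:
    prefix: str                # address block assigned to this subscriber's line
    quarantined: bool = False


class EdgePolicy:
    """Per-flow decisions an ISP edge would make for a residential subscriber."""

    def __init__(self, portal, resolver, update_hosts, scan_threshold=SCAN_THRESHOLD):
        self.portal = ipaddress.ip_address(portal)
        self.resolver = ipaddress.ip_address(resolver)
        self.update_hosts = {ipaddress.ip_address(h) for h in update_hosts}  # constructed allowlist
        self.scan_threshold = scan_threshold
        self.blocked_targets = defaultdict(set)  # src -> distinct dsts seen on blocked ports
        self.notifications = []                  # (src, reason) for the automated alert

    def decide(self, sub, flow):
        src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
        # 1. anti-spoofing: the source must belong to the line it arrived on
        if src not in ipaddress.ip_network(sub.prefix):
            return "drop:spoofed"
        # 2. quarantine group: only DNS, the update sites and the portal stay reachable
        if sub.quarantined:
            if flow.proto == "udp" and flow.dport == 53 and dst == self.resolver:
                return "allow:dns"
            if flow.proto == "tcp" and flow.dport in (80, 443) and dst in self.update_hosts:
                return "allow:update-site"
            if flow.proto == "tcp" and flow.dport == 80:
                return f"redirect:{self.portal}"  # the page explaining the problem
            return "drop:quarantined"
        # 3. residential baseline: drop NetBIOS/SMB, and watch for a host sweeping them
        if flow.dport in RESIDENTIAL_BLOCKED_PORTS:
            seen = self.blocked_targets[src]
            seen.add(dst)
            if len(seen) >= self.scan_threshold:
                sub.quarantined = True
                self.notifications.append(
                    (flow.src, "contacted %d hosts on port %d" % (len(seen), flow.dport)))
            return "drop:netbios-smb"
        return "allow"


def run_scenario():
    """Constructed traffic against one subscriber; returns the verdicts to check."""
    policy = EdgePolicy(portal="192.0.2.10", resolver="192.0.2.53",
                        update_hosts=["198.51.100.20"])
    sub = Subscriber(prefix="203.0.113.0/30")
    out = {}
    out["web"] = policy.decide(sub, Flow("203.0.113.1", "198.51.100.80", "tcp", 80))
    out["spoofed"] = policy.decide(sub, Flow("10.9.9.9", "198.51.100.80", "tcp", 80))
    out["smb"] = policy.decide(sub, Flow("203.0.113.1", "198.51.100.5", "tcp", 445))
    # a worm sweeping port 445 across many hosts trips the threshold
    for i in range(1, SCAN_THRESHOLD + 1):
        policy.decide(sub, Flow("203.0.113.1", f"198.51.100.{i}", "tcp", 445))
    out["quarantined"] = sub.quarantined
    out["notified"] = len(policy.notifications)
    # once quarantined: portal redirect, update site and DNS allowed, everything else dropped
    out["q_web"] = policy.decide(sub, Flow("203.0.113.1", "198.51.100.80", "tcp", 80))
    out["q_update"] = policy.decide(sub, Flow("203.0.113.1", "198.51.100.20", "tcp", 443))
    out["q_dns"] = policy.decide(sub, Flow("203.0.113.1", "192.0.2.53", "udp", 53))
    out["q_other"] = policy.decide(sub, Flow("203.0.113.1", "198.51.100.80", "tcp", 25))
    return out
```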


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis . Kletnieks
On Tue, 21 Feb 2006 04:15:25 +0200, Gadi Evron said:
> The philosophical discussion aside (latest one can be found under "zotob 
> port 445 nanog" on Google), presenting some new technologies that shows 
> this *can* be done changes the picture.

OK. The tech exists, or can be made to exist.  The unanswered question is
still "How do you get a disinterested ISP to be interested in it?"

The horse has been led. Now make him drink the kook-aid.






Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Christopher L. Morrow wrote:

> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(
> 
> anyway, someone mentioned the rafts of posts in the archives, it'd be nice
> if this was all just referred there :(


I quite agree, unless other solutions can be presented, and indeed, 2 
new ones have so far.


The philosophical discussion aside (latest one can be found under "zotob 
port 445 nanog" on Google), presenting some new technologies that shows 
this *can* be done changes the picture.


I believe it was actually Randy Bush's idea in that last thread, to use 
such software.


Gadi.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Christopher L. Morrow

On Mon, 20 Feb 2006, Rob Thomas wrote:

>
> Hey, Bill.
>
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
>
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
>
> It's not simply a Windows problem.

it's also not just a 'i got infected over the net' problem... where is
that sean when you need his nifty stats :) Something about no matter what
you filter grandpa-jones will find a way to click on the nekkid jiffs of
Anna Kournikova again :(

anyway, someone mentioned the rafts of posts in the archives, it'd be nice
if this was all just referred there :(


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

]   what is the mean-time-to-infection for a stock windows XP system
]   when plugged into the net?... 2-5minutes?  you can't get patches
]   down that fast.

The same case can be made for Linux and Unix-based web servers with
vulnerable PHP-based tools.  There's also a large number of poorly
configured devices such as routers with easily guessed passwords,
overly permissive DNS name servers, etc.

It's not simply a Windows problem.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk



-Original Message-
From: Gadi Evron [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 20, 2006 7:35 PM
To: [EMAIL PROTECTED]
Cc: nanog@merit.edu
Subject: Re: Quarantine your infected users spreading malware

Frank Bulk wrote:
> We're one of those user/broadband ISPs, and I have to agree with the 
> other commentary that to set up an appropriate filtering system 
> (either user, port, or conversation) across all our internet access 
> platforms would be difficult.  Put it on the edge and you miss the 
> intra-net traffic, put it in the core and you need a box on every 
> router, which for a larger or geographically distributed ISPs could be
> cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who
are of the malware-sort rather than bad people? Can these be put in a
specific group?

FB> Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly.  But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away.  Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.

> In relation to that ThreatNet model, we just could wish there was a 
> place we could quickly and accurately aggregate information about the 
> bad things our users are doing -- a combination of RBL listings, 
> abuse@, SenderBase, MyNetWatchman, etc.  We don't have our own traffic 
> monitoring and analysis system in place, and even if we did, I'm 
> afraid our work would still be very reactionary.
> 
> And for the record, we are one of those ISPs that blocks ports 139 and 
> 445 on our DSLAM and CMTS, and we've not received one complaint, but 
> I'm confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce
abuse reports, tech support calls, etc.?

FB> We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day.  And due our size,
we have no idea how much it reduced abuse reports.  It's been in place for
several years.

> 
> Frank

Gadi.



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

> Edward W. Ray wrote:
> >IMHO, a user should have to demonstrate a minimum amount of expertise and
> >have a up-to-date AV, anti-spyware and firewall solution for their PCs.
> 
> The mostly-user ISP's will have to eventually do something or end up 
> being either regulated, spending more and more and more on tech support 
> and/OR abuse personnel, or written down as blackhat AS's.
> 
>   Gadi.

if i may 


to borrow a bit more from the "licensed to net" analogy...
are vendors being let off scot free and leaving the burden of 
responsibility to the consumer?  ISPs are the roads (likely toll)
and they should not be forced to create barriers, speed bumps,
and control methods for poor drivers who are sold crap for vehicles.
what is the mean-time-to-infection for a stock windows XP system
when plugged into the net?... 2-5minutes?  you can't get patches
down that fast.

i'm beginning to think that botnet like structures are in fact the
wave of the future.  ... and instead of trying to eradicate them, we should
be looking at ways to use botnet like structures for adding value to
an increasingly more connected mesh of devices.  ...  

of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
-NOT- inherently evil... they can be turned that way, but if there is a
value to such things, we ought to be able to use them for our own
purposes.



--bill  (who really has better things to do, but slugs are still in bed...)


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Frank Bulk wrote:

> We're one of those user/broadband ISPs, and I have to agree with the other
> commentary that to set up an appropriate filtering system (either user,
> port, or conversation) across all our internet access platforms would be
> difficult.  Put it on the edge and you miss the intra-net traffic, put it in
> the core and you need a box on every router, which for a larger or
> geographically distributed ISPs could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk 
who are of the malware-sort rather than bad people? Can these be put in 
a specific group?

> In relation to that ThreatNet model, we just could wish there was a place we
> could quickly and accurately aggregate information about the bad things our
> users are doing -- a combination of RBL listings, abuse@, SenderBase,
> MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
> system in place, and even if we did, I'm afraid our work would still be very
> reactionary.
> 
> And for the record, we are one of those ISPs that blocks ports 139 and 445
> on our DSLAM and CMTS, and we've not received one complaint, but I'm
> confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce 
abuse reports, tech support calls, etc.?

Thanks!

> Frank


Gadi.


RE: Quarantine your infected users spreading malware

2006-02-20 Thread Frank Bulk

We're one of those user/broadband ISPs, and I have to agree with the other
commentary that to set up an appropriate filtering system (either user,
port, or conversation) across all our internet access platforms would be
difficult.  Put it on the edge and you miss the intra-net traffic, put it in
the core and you need a box on every router, which for a larger or
geographically distributed ISPs could be cost-prohibitive.

In relation to that ThreatNet model, we just could wish there was a place we
could quickly and accurately aggregate information about the bad things our
users are doing -- a combination of RBL listings, abuse@, SenderBase,
MyNetWatchman, etc.  We don't have our own traffic monitoring and analysis
system in place, and even if we did, I'm afraid our work would still be very
reactionary.

And for the record, we are one of those ISPs that blocks ports 139 and 445
on our DSLAM and CMTS, and we've not received one complaint, but I'm
confident it has cut down on a host of infections.

Frank

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gadi
Evron
Sent: Monday, February 20, 2006 3:41 PM
To: nanog@merit.edu
Subject: Quarantine your infected users spreading malware


Many ISP's who do care about issues such as worms, infected users "spreading
the love", etc. simply do not have the man-power to handle all their
infected users' population.

It is becoming more and more obvious that the answer may not be at the ISP's
doorstep, but the ISP's are indeed a critical part of the solution. What
their eventual role in user safety will be I can only guess, but it is clear
(to me) that this subject is going to become a lot "hotter" in coming years.

Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average
user) is your biggest risk to the Internet today, and how to fix the user
none of us have a good idea quite yet. Especially since it's not quite one as
I put in a Heinlein quote below.

Some who are user/broadband ISP's (not say, tier-1 and tier-2's who would be
against it: "don't be the Internet's Firewall") are blocking ports such as
139 and 445 for a long time now, successfully preventing many of their users
from becoming infected. This is also an excellent first step for responding
to relevant outbreaks and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, should
this even be done?

One of them has been around for a while, but just now begins to mature: 
Quarantining your users.

Infected users quarantine may sound a bit harsh, but consider; if a user is
indeed infected and does "spread the joy" on your network as well as
others', and you could simply firewall him (or her) out of the world (VLAN,
other solutions which may be far better) letting him (or her) go only to a
web page explaining the problem to them, it's pretty nifty.

As many of us know, handling such users on tech support is not very
cost-effective to ISP's, as if a user makes a call the ISP already loses
money on that user. Then again, paying abuse desk personnel just so that
they can disconnect your users is losing money too.

Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his
blog: http://www.wormblog.com/papers/

Is it the ISP's place to do this? Should the ISP do this? Does the ISP have
a right to do this?

If the ISP is nice enough to do it, and users know the ISP might. Why not?

This (as well as port blocking) is more true for organizations other than
ISP's, but if they are indeed user/broadband ISP's, I see this as both the
effective and the ethical thing to do if the users are notified this might
happen when they sign their contracts. Then all the "don't be the Internet's
firewall" debate goes away.

I respect the "don't be the Internet's firewall issue", not only for the
sake of the cause but also because friends such as Steven Bellovin and others
believe in them a lot more strongly than I do. Bigger issues such as the
safety of the Internet exist now. That doesn't mean user rights are to be
ignored, but certainly so shouldn't ours, especially if these are mostly
unaffected?

I believe both are good and necessary solutions, but every organization
needs to choose what is best for it, rather than follow some pre-determined
blueprint. What's good for one may be horrible for another.

"You don't approve? Well too bad, we're in this for the species boys and
girls. It's simple numbers, they have more and every day I have to make
decisions that send hundreds of people, like you, to their deaths." -- Carl
Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the
le

RE: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



ISPs hold the relevant data to contact the users. This needs a feedback 
loop, in that ISPs need to know which traffic leaving their networks is 
misbehaviour somewhere else. Between firewall logs, IDS logs, netflow 
headers, apache logs, whatever. It's all there. It just needs to be used.


- billn

On Mon, 20 Feb 2006, Edward W. Ray wrote:



And I have a solution for bad drivers; required all manufacturers to fix the
steering wheel so that acknowledged "bad" drivers cannot turn the wheel to
make turns, change lanes, etc.  Or perhaps limit the mph to 35 max and deny
them access to freeways.

ISPs should not police users, just like auto manufacturers should not police
drivers.  That is what driver's licenses are for.

IMHO, a user should have to demonstrate a minimum amount of expertise and
have a up-to-date AV, anti-spyware and firewall solution for their PCs.
Drivers are required to have licenses, registration and insurance in order
to drive said vehicle, why not something similar for PCs.  You would have to
get the whole world to agree on that one, so it may be difficult to
implement.  But the US, EU, Japan, Australia should take the lead and
implement something like this.

Ed Ray
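
Bill's point above is that the evidence already exists (firewall logs, IDS logs, netflow, peer reports) and only needs to be joined up with the lease table that says which customer held the address. The following is an added example and is not code from this thread or from any product or project named in it (ThreatNet, MainNerve). It assumes iptables-style syslog lines, a DHCP lease table and a list of reports from trusted peers; every record in it is constructed sample data. It flags a customer whose host contacted many distinct destinations on TCP/139 or 445 inside the window (the sweep pattern of the worms the thread is about) or who was named in a peer report, and it keeps addresses it cannot attribute visible instead of dropping them.

```python
"""Feedback loop from raw logs to per-customer verdicts (added example).

Assumes iptables-style syslog lines, a DHCP lease table and peer reports;
all records below are constructed sample data, not a real capture.
"""
import re
from collections import defaultdict

# Match part of an iptables-style log line: source, destination, protocol, dport.
LOG_LINE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) DST=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)"
)

SMB_PORTS = {139, 445}

# DHCP lease table for the window: address -> account id (constructed).
LEASES = {"10.10.5.10": "cust-0010", "10.10.5.11": "cust-0011", "10.10.5.23": "cust-0023"}

# Reports from trusted peers, ThreatNet-style (constructed; peer names are made up).
PEER_REPORTS = [
    {"ip": "10.10.5.11", "reporter": "peer-isp-a", "reason": "ssh-bruteforce"},
    {"ip": "10.10.9.99", "reporter": "peer-isp-b", "reason": "spam-source"},  # no lease on file
]


def constructed_firewall_log():
    """Sample edge log: one normal browser, one host touching two SMB targets,
    and one host sweeping fifteen sequential hosts on TCP/445 within seconds."""
    lines = [
        "Feb 20 22:00:01 edge1 kernel: OUT=eth1 SRC=10.10.5.10 DST=198.51.100.5 PROTO=TCP DPT=80 SYN",
        "Feb 20 22:00:02 edge1 kernel: OUT=eth1 SRC=10.10.5.10 DST=198.51.100.9 PROTO=TCP DPT=443 SYN",
        "Feb 20 22:00:03 edge1 kernel: OUT=eth1 SRC=10.10.5.11 DST=203.0.113.1 PROTO=TCP DPT=445 SYN",
        "Feb 20 22:00:04 edge1 kernel: OUT=eth1 SRC=10.10.5.11 DST=203.0.113.2 PROTO=TCP DPT=445 SYN",
    ]
    for i in range(1, 16):
        lines.append(
            f"Feb 20 22:01:{i:02d} edge1 kernel: OUT=eth1 SRC=10.10.5.23 "
            f"DST=203.0.113.{i} PROTO=TCP DPT=445 SYN"
        )
    return lines


def parse_log(lines):
    """Extract (src, dst, proto, dport) tuples; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            events.append((m["src"], m["dst"], m["proto"], int(m["dpt"])))
    return events


def smb_fanout(events):
    """Number of distinct destinations each source contacted on SMB ports."""
    targets = defaultdict(set)
    for src, dst, proto, dpt in events:
        if proto == "TCP" and dpt in SMB_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def build_verdicts(events, peer_reports, leases, fanout_threshold=10):
    """Merge local evidence with peer reports and attribute it to accounts.

    Returns {account: [reasons]}. An address with no lease is reported under
    'unattributed:<ip>' so the gap in the data stays visible.
    """
    reasons = defaultdict(list)
    for src, n in smb_fanout(events).items():
        if n >= fanout_threshold:
            reasons[src].append(f"smb-sweep:{n}-hosts")
    for rep in peer_reports:
        reasons[rep["ip"]].append(f"peer:{rep['reporter']}:{rep['reason']}")
    return {leases.get(ip, f"unattributed:{ip}"): sorted(r) for ip, r in reasons.items()}


if __name__ == "__main__":
    verdicts = build_verdicts(parse_log(constructed_firewall_log()), PEER_REPORTS, LEASES)
    for account, why in sorted(verdicts.items()):
        print(account, why)
```

The fan-out threshold is the knob that separates a file-server user from a sweeping worm; a host that touches two SMB targets is not flagged by local evidence alone, while a peer report on the same host still reaches the verdict list, which is exactly the collation across networks the post is asking for.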



and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Edward W. Ray wrote:

IMHO, a user should have to demonstrate a minimum amount of expertise and
have a up-to-date AV, anti-spyware and firewall solution for their PCs.


That is why we have hundreds of millions of bots in the wild.

The mostly-user ISP's will have to eventually do something or end up 
being either regulated, spending more and more and more on tech support 
and/OR abuse personnel, or written down as blackhat AS's.


Some PRODUCTS, PRO and AGAINST links from people on quarantining of 
infected users, thanks to all those who shared so far!


Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html
http://www.forescout.com/index.php?url=products&section=counteract

Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in 
2003): http://www.nanog.org/mtg-0402/gauthier.html


Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
http://www.csl.sri.com/users/linda/bibs/publications/mmsm2005.pdf
http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf

Gadi.


RE: Quarantine your infected users spreading malware

2006-02-20 Thread Edward W. Ray

And I have a solution for bad drivers; required all manufacturers to fix the
steering wheel so that acknowledged "bad" drivers cannot turn the wheel to
make turns, change lanes, etc.  Or perhaps limit the mph to 35 max and deny
them access to freeways.

ISPs should not police users, just like auto manufacturers should not police
drivers.  That is what driver's licenses are for.

IMHO, a user should have to demonstrate a minimum amount of expertise and
have a up-to-date AV, anti-spyware and firewall solution for their PCs.
Drivers are required to have licenses, registration and insurance in order
to drive said vehicle, why not something similar for PCs.  You would have to
get the whole world to agree on that one, so it may be difficult to
implement.  But the US, EU, Japan, Australia should take the lead and
implement something like this.

Ed Ray



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



While i'm not being told to shut up because this is off topic (yet), I'm 
going to suggest that people interested in continuing this conversation 
contact me off list and coordinate something ad hoc. The amount of 
bullshit I've already received in response to thinking that this has 
operational merit when it comes to mitigating both risk and effects is 
pretty astounding, even by nanog standards.


Thanks.

- billn

On Mon, 20 Feb 2006, Bill Nash wrote:




On Tue, 21 Feb 2006, Gadi Evron wrote:

Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle all 
their infected users' population.


The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?




Let's be clear in what we're addressing. Are we talking about an en masse 
quarantine of IP addresses sending the worm traffic, or identifying the 
C&C<->payload conversations and applying blocks accordingly?


Where are the anti-virus and software firewall vendors in this conversation? 
To be plain, this obviously isn't a problem you can solve with some border 
filters. The complexity, and fallout, from trying to put those kinds of 
filtering in is just too great. It's cumbersome to manage manually and 
operational impact is too great.


If we're going to philosophize about solutions, let's throw some ideas out. 
Where do concepts like ThreatNet fit into this notion? 
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is 
to establish a closed threat sharing network with trusted peers, sharing 
information about malcontents doing things on your network that they 
shouldn't be. If you can positively identify SSH brute force sources, port 
scan patterns, worm traffic, spam sources, etc, and report them to trusted 
peers in a collaborative fashion, it becomes easier to support intelligent 
and rapid traffic filtering concepts in your network designs, where 
appropriate, even if it's something as simple as putting together a business 
case for filtering entire netblocks or regions. (Yes, I write my own 
analyzers, and yes, I'm involved peripherally with this project.) ThreatNet 
is still pretty nascent, but conceptually it's got merit.


I'll bring up MainNerve again since they're the only vendor I've worked with 
that's got tools for selectively filtering known troublemakers.


As a potential solution, I bring both of these items up because they provide 
the ability to take good, distributed intelligence gathering and apply them 
to your network in a precision manner, if at all, in accordance with any 
unique policies you may have. The problem, as I see it, is that even if one 
ISP sees the bad behaviour, there's no communication amongst the community 
(that I can see) to relay or collate the history. It's like playing Mom off 
against Dad because they never talk to each other. For coming up with clear 
patterns of abuse and shenanigans, we're suffering from collective myopia 
because we're ignoring an aspect of our favorite big ass communications 
medium.


Or I'm completely off base, in which case tell me to shut up and I'll go back 
into my code coma.


- billn



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Bill Nash



On Tue, 21 Feb 2006, Gadi Evron wrote:

Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle all 
their infected users' population.



The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?




Let's be clear in what we're addressing. Are we talking about an en masse 
quarantine of IP addresses sending the worm traffic, or identifying the 
C&C<->payload conversations and applying blocks accordingly?


Where are the anti-virus and software firewall vendors in this 
conversation? To be plain, this obviously isn't a problem you can solve 
with some border filters. The complexity, and fallout, from trying to put 
those kinds of filtering in is just too great. It's cumbersome to manage 
manually and operational impact is too great.


If we're going to philosophize about solutions, let's throw some ideas 
out. Where do concepts like ThreatNet fit into this notion? 
(http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet 
is to establish a closed threat sharing network with trusted peers, 
sharing information about malcontents doing things on your network that 
they shouldn't be. If you can positively identify SSH brute force sources, 
port scan patterns, worm traffic, spam sources, etc, and report them to 
trusted peers in a collaborative fashion, it becomes easier to support 
intelligent and rapid traffic filtering concepts in your network designs, 
where appropriate, even if it's something as simple as putting together a 
business case for filtering entire netblocks or regions. (Yes, I write my 
own analyzers, and yes, I'm involved peripherally with this project.) 
ThreatNet is still pretty nascent, but conceptually it's got merit.


I'll bring up MainNerve again since they're the only vendor I've worked 
with that's got tools for selectively filtering known troublemakers.


As a potential solution, I bring both of these items up because they 
provide the ability to take good, distributed intelligence gathering and 
apply them to your network in a precision manner, if at all, in accordance 
with any unique policies you may have. The problem, as I see it, is that 
even if one ISP sees the bad behaviour, there's no communication amongst 
the community (that I can see) to relay or collate the history. It's like 
playing Mom off against Dad because they never talk to each other. For 
coming up with clear patterns of abuse and shenanigans, we're suffering 
from collective myopia because we're ignoring an aspect of our favorite 
big ass communications medium.


Or I'm completely off base, in which case tell me to shut up and I'll go 
back into my code coma.


- billn


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Randy Bush

scott, these are all just gadi's self-promotion ads.  i recommend
procmail.

randy



Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks



> > Oh geez, here we go again...  Search the archives and
> > read until you're content.  It's a non-thread.  This
> > horse isn't only dead, it's not even a grease spot on
> >  the road any more. :-(
> 
> I quite agree, which is why I trived to cover the
> philosophical part  from both sides. Now, how about some
> solutions that came about since our  last discussion that
> was nothing BUT philosophy? 


You can't get there from here.

scott


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Scott Weeks wrote:

- Original Message Follows -
From: Gadi Evron <[EMAIL PROTECTED]>


Many ISP's who do care about issues such as worms,
infected users  "spreading the love", etc. simply do not
have the man-power to handle  all their infected users'
population.




Some who are user/broadband ISP's (not say, tier-1 and
tier-2's who  would be against it: "don't be the
Internet's Firewall") are blocking  ports such as 139 and
445 for a long time now, successfully preventing  many of
their users from becoming infected. This is also an
excellent  first step for responding to relevant outbreaks
and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as
well. Plus,  should this even be done?





Oh geez, here we go again...  Search the archives and read
until you're content.  It's a non-thread.  This horse isn't
only dead, it's not even a grease spot on the road any more.
 :-(


I quite agree, which is why I trived to cover the philosophical part 
from both sides. Now, how about some solutions that came about since our 
last discussion that was nothing BUT philosophy?


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:

On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said:


Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle 
all their infected users' population.


It is becoming more and more obvious that the answer may not be at the 
ISP's doorstep, but the ISP's are indeed a critical part of the 
solution. What their eventual role in user safety will be I can only 
guess, but it is clear (to me) that this subject is going to become a 
lot "hotter" in coming years.



The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?


What products that answer this are out there, and how good, in your 
experience, are they?


We discussed this here before non-conclusively and stayed on philosophy, 
anyone has new experience on the subject?


Thanks.


Re: Quarantine your infected users spreading malware

2006-02-20 Thread Valdis . Kletnieks
On Mon, 20 Feb 2006 23:40:48 +0200, Gadi Evron said:

> Many ISP's who do care about issues such as worms, infected users 
> "spreading the love", etc. simply do not have the man-power to handle 
> all their infected users' population.
> 
> It is becoming more and more obvious that the answer may not be at the 
> ISP's doorstep, but the ISP's are indeed a critical part of the 
> solution. What their eventual role in user safety will be I can only 
> guess, but it is clear (to me) that this subject is going to become a 
> lot "hotter" in coming years.

The ISPs will be a part of the solution.  However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem.  How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?






Re: Quarantine your infected users spreading malware

2006-02-20 Thread Scott Weeks

- Original Message Follows -
From: Gadi Evron <[EMAIL PROTECTED]>

> Many ISP's who do care about issues such as worms,
> infected users  "spreading the love", etc. simply do not
> have the man-power to handle  all their infected users'
> population.

> Some who are user/broadband ISP's (not say, tier-1 and
> tier-2's who  would be against it: "don't be the
> Internet's Firewall") are blocking  ports such as 139 and
> 445 for a long time now, successfully preventing  many of
> their users from becoming infected. This is also an
> excellent  first step for responding to relevant outbreaks
> and halting their progress.
> 
> Philosophy aside, it works. It stops infections. Period.
> 
> Back to the philosophy, there are some other solutions as
> well. Plus,  should this even be done?



Oh geez, here we go again...  Search the archives and read
until you're content.  It's a non-thread.  This horse isn't
only dead, it's not even a grease spot on the road any more.
 :-(

scott






Quarantine your infected users spreading malware

2006-02-20 Thread Gadi Evron


Many ISP's who do care about issues such as worms, infected users 
"spreading the love", etc. simply do not have the man-power to handle 
all their infected users' population.


It is becoming more and more obvious that the answer may not be at the 
ISP's doorstep, but the ISP's are indeed a critical part of the 
solution. What their eventual role in user safety will be I can only 
guess, but it is clear (to me) that this subject is going to become a 
lot "hotter" in coming years.


Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average 
user) is your biggest risk to the Internet today, and how to fix the 
user none of us have a good idea quite yet. Especially since it's not 
quite one as I put in a Heinlein quote below.


Some who are user/broadband ISP's (not say, tier-1 and tier-2's who 
would be against it: "don't be the Internet's Firewall") are blocking 
ports such as 139 and 445 for a long time now, successfully preventing 
many of their users from becoming infected. This is also an excellent 
first step for responding to relevant outbreaks and halting their progress.


Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, 
should this even be done?


One of them has been around for a while, but just now begins to mature: 
Quarantining your users.


Infected users quarantine may sound a bit harsh, but consider; if a user 
is indeed infected and does "spread the joy" on your network as well as 
others', and you could simply firewall him (or her) out of the world 
(VLAN, other solutions which may be far better) letting him (or her) go 
only to a web page explaining the problem to them, it's pretty nifty.


As many of us know, handling such users on tech support is not very 
cost-effective to ISP's, as if a user makes a call the ISP already 
loses money on that user. Then again, paying abuse desk personnel just 
so that they can disconnect your users is losing money too.


Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his 
blog: http://www.wormblog.com/papers/


Is it the ISP's place to do this? Should the ISP do this? Does the ISP 
have a right to do this?


If the ISP is nice enough to do it, and users know the ISP might. Why not?

This (as well as port blocking) is more true for organizations other 
than ISP's, but if they are indeed user/broadband ISP's, I see this as 
both the effective and the ethical thing to do if the users are notified 
this might happen when they sign their contracts. Then all the "don't be 
the Internet's firewall" debate goes away.


I respect the "don't be the Internet's firewall issue", not only for the 
sake of the cause but also because friends such as Steven Bellovin and 
others believe in them a lot more strongly than I do. Bigger issues such 
as the safety of the Internet exist now. That doesn't mean user rights 
are to be ignored, but certainly so shouldn't ours, especially if these 
are mostly unaffected?


I believe both are good and necessary solutions, but every organization 
needs to choose what is best for it, rather than follow some 
pre-determined blueprint. What's good for one may be horrible for another.


"You don't approve? Well too bad, we're in this for the species boys and 
girls. It's simple numbers, they have more and every day I have to make 
decisions that send hundreds of people, like you, to their deaths." -- 
Carl Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the 
least), but I felt bad leaving it out, it's Heinlein after all... anyone 
who claims he is a fascist though will have to deal with me. :)
This isn't only about users, it's about the bad guys and how they 
out-number us, too. They have far better cooperation to boot.


There are several such products around and they have been discussed here 
on NANOG before, but I haven't tried them myself as of yet, so I can't 
really recommend any of them. Can you?


I'll update on these as I find out more on: http://blogs.securiteam.com

This write-up can be found here: 
http://blogs.securiteam.com/index.php/archives/312


Gadi.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.