Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave

On Tue 21 Feb 2006 (08:45 -0500), John Curran wrote:
> 
> At 7:45 AM -0500 2/21/06, John Curran wrote:
> >
> >From the web site: "Only a selected set of web sites will remain available, 
> >for example Microsoft update and the websites of several anti-virus software 
> >companies. The quarantine server tells users what is going on and how this 
> >problem can be resolved."
> >
> >One hopes that the Apple web site and online credit form is included in the 
> >list...   ;-)
> 
> Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available)
> and instructions to only enter your Admin password during bona fide sw
> installations would also go a long way towards preventing recurrence...
> :-)

We have added multiple sites, including on-line banking sites which are
appropriate to the Netherlands, to the list of reachable sites (we also
use this to encourage paying your bills as well as getting people to
fix their machines).

-- 
Jim Segrave   [EMAIL PROTECTED]
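As an added illustration of the walled-garden behaviour described above (the quarantainenet description plus the banking sites Jim mentions adding), here is example decision logic written for this thread; it is not Quarantainenet's or any ISP's own code, and the allowlist entries, portal hostname and client addresses are constructed placeholders.

```python
"""Walled-garden decision logic for an ISP quarantine gateway.

Constructed example; not Quarantainenet's code. A quarantined client may
only reach an allowlist of sites (update and AV vendors, plus local
banking sites); everything else is redirected to the quarantine portal
that explains what happened and how to fix it.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import quote

# Constructed allowlist; the hostnames are placeholders, not real entries.
# A subdomain of an entry is also allowed (e.g. download.windowsupdate.com).
ALLOWED_SUFFIXES = (
    "update.microsoft.com",
    "windowsupdate.com",
    "av-vendor.example",   # placeholder for an anti-virus vendor site
    "bank.example.nl",     # placeholder for a Dutch on-line banking site
)

QUARANTINE_PORTAL = "quarantine.isp.example"  # placeholder portal host


@dataclass(frozen=True)
class Decision:
    action: str   # "pass" (client not quarantined), "allow", or "redirect"
    reason: str


def _normalise(host: str) -> str:
    # Case-fold and drop a trailing dot so "Update.Microsoft.COM." matches.
    return host.strip().rstrip(".").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def decide(client_ip: str, dest_host: str, quarantined: set,
           allowed=ALLOWED_SUFFIXES) -> Decision:
    """Decide what the gateway does with one HTTP request from client_ip
    to dest_host, given the set of currently quarantined client IPs."""
    if client_ip not in quarantined:
        return Decision("pass", "client not quarantined")
    if _is_ip_literal(dest_host):
        # A name-based allowlist says nothing about bare IP destinations,
        # so those go to the portal as well.
        return Decision("redirect", "IP-literal destination")
    host = _normalise(dest_host)
    if host == QUARANTINE_PORTAL:
        return Decision("allow", "quarantine portal itself")
    for suffix in allowed:
        # Require an exact match or a dot boundary: a plain endswith()
        # would let "evilwindowsupdate.com" through.
        if host == suffix or host.endswith("." + suffix):
            return Decision("allow", "allowlisted site " + suffix)
    return Decision("redirect", "not allowlisted; show explanation page")


def portal_location(dest_host: str) -> str:
    """Redirect target; the portal shows the blocked host in its explanation."""
    return "http://%s/?blocked=%s" % (QUARANTINE_PORTAL,
                                     quote(_normalise(dest_host), safe=""))
```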


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Gadi Evron


Jess Kitchen wrote:
> On Tue, 21 Feb 2006, Gadi Evron wrote:
>
>> Hi Simon, this is indeed a Windows problem due to Microsoft being a
>> mono-culture in our desktop world. Still, there are botnets
>> constructed from other OS's as well. Also, C&C servers are mostly *nix
>> machines.
>
> Does 'mostly *nix' hold true of the fast-flux or throwaway technique
> recently mentioned?

That is a very interesting question, and I will have an answer for you,
I hope, soon.


Gadi.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jess Kitchen


On Tue, 21 Feb 2006, Gadi Evron wrote:

> Hi Simon, this is indeed a Windows problem due to Microsoft being a
> mono-culture in our desktop world. Still, there are botnets constructed from
> other OS's as well. Also, C&C servers are mostly *nix machines.

Does 'mostly *nix' hold true of the fast-flux or throwaway technique
recently mentioned?


Regards,
Jess.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran

At 7:45 AM -0500 2/21/06, John Curran wrote:
>
>From the web site: "Only a selected set of web sites will remain available, 
>for example Microsoft update and the websites of several anti-virus software 
>companies. The quarantine server tells users what is going on and how this 
>problem can be resolved."
>
>One hopes that the Apple web site and online credit form is included in the 
>list...   ;-)  

Alright, in fairness to MSFT, a pointer to Vista/Longhorn (once available)
and instructions to only enter your Admin password during bona fide sw
installations would also go a long way towards preventing recurrence...
:-)
/John


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread John Curran

At 12:26 PM +0100 2/21/06, Jim Segrave wrote:
>
>> The philosophical discussion aside (latest one can be found under "zotob
>> port 445 nanog" on Google), presenting some new technologies that shows
>> this *can* be done changes the picture.
>
>http://www.quarantainenet.nl/

>From the web site: "Only a selected set of web sites will remain available, 
>for example Microsoft update and the websites of several anti-virus software 
>companies. The quarantine server tells users what is going on and how this 
>problem can be resolved."

One hopes that the Apple web site and online credit form is included in the 
list...   ;-)   
/John


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Gadi Evron


Simon Waters wrote:
> I've seen 95% quoted - certainly my experience if you go looking for malware
> in recent Windows desktop machines using IE and Outlook it is pretty much a
> certainty you'll find it. Most of these tools I was using didn't detect the
> Sony Rootkit, or other malware, so this will always be an underestimate of
> the true extent of the problem, unless one uses fingerprinting and packet
> inspection as the tools of choice for malware detection.
>
> This is very much a Windows only problem, it doesn't affect desktop users of
> other systems at all, possibly in part because they lack critical mass, but
> also because they have more sensible security models. Largely it is an
> Outlook and IE problem.

Hi Simon, this is indeed a Windows problem due to Microsoft being a
mono-culture in our desktop world. Still, there are botnets constructed
from other OS's as well. Also, C&C servers are mostly *nix machines.


Gadi.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Jim Segrave

On Tue 21 Feb 2006 (04:15 +0200), Gadi Evron wrote:
> 
> Christopher L. Morrow wrote:
> >it's also not just a 'i got infected over the net' problem... where is
> >that sean when you need his nifty stats :) Something about no matter what
> >you filter grandpa-jones will find a way to click on the nekkid jiffs of
> >Anna Kournikova again :(
> >
> >anyway, someone mentioned the rafts of posts in the archives, it'd be nice
> >if this was all just referred there :(
> 
> I quite agree, unless other solutions can be presented, and indeed, 2 
> new ones have so far.
> 
> The philosophical discussion aside (latest one can be found under "zotob 
> port 445 nanog" on Google), presenting some new technologies that shows 
> this *can* be done changes the picture.

http://www.quarantainenet.nl/

It works, we use it. It cuts down on support calls, customers
generally react well to it and, at least when using Juniper core routers,
it's not too intrusive in the network and will scale to pretty large
networks of users.

-- 
Jim Segrave   [EMAIL PROTECTED]


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-21 Thread Simon Waters

On Tuesday 21 Feb 2006 06:41, you wrote:
>
> I've seen more than one estimate that most computers *are* infected by at
> least one piece of malware/spyware/etc, (including numbers as high as 90%)

I've seen 95% quoted - certainly my experience if you go looking for malware 
in recent Windows desktop machines using IE and Outlook it is pretty much a 
certainty you'll find it. Most of these tools I was using didn't detect the 
Sony Rootkit, or other malware, so this will always be an underestimate of 
the true extent of the problem, unless one uses fingerprinting and packet 
inspection as the tools of choice for malware detection.

This is very much a Windows only problem, it doesn't affect desktop users of 
other systems at all, possibly in part because they lack critical mass, but 
also because they have more sensible security models. Largely it is an 
Outlook and IE problem.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis.Kletnieks
On Mon, 20 Feb 2006 23:54:38 EST, Sean Donelan said:
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?

I've seen more than one estimate that most computers *are* infected by at least
one piece of malware/spyware/etc, (including numbers as high as 90%) and if the
site that was tracking 1M new zombies/day is to be believed, they *are*
spiraling out of control.

And when a significant fraction of all new computers are bought as a virus/worm
control method, things *are* out of control:

http://www.nytimes.com/2005/07/17/technology/17spy.html?ei=5090&en=5b2b6783f66a7422&ex=1279252800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1121859260-edx1SJD7lWy7D6PMipItjw

I suspect that in fact, a *lot* of computers have crud on them, but people's
expectations have dropped - as long as the virus doesn't actually kill the
host, it's tolerated.

If Aunt Matilda is avoiding all this stuff, the most likely reason that Aunt
Matilda doesn't get more crudware on her system is because she wouldn't be
caught dead visiting non-reputable websites that you're likely to get caught in
a drive-by fruiting - and none of her friends would either, so she never gets
her e-mail address scraped and used as a target...

But we already knew that, and there's no good way to leverage it when everybody
who *isn't* an Aunt Matilda *does* visit those kind of sites, or knows people
who do...





Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

The vast majority of what I see is based on financial gain.
Popping a web+database server, installing a rootkit, and
transferring off the day's business transactions is a lot more
certain than popping 10K Windows boxes and hoping the users go
shopping.  Yep, seen it more than once.  Check your PHP-based
tools, folks.

According to the criminals, Internet-wide mayhem would really
get in the way of the revenue stream.  They need a stable
Internet to get the cash.

Cleaning out bank accounts is more lucrative than one might
suspect.  The current record observed by us is approximately US
$3M in one take.  Most of them are much smaller.  That bothers
me more, actually.  What person with only US $800 to their name
has a hope of rapid response to the loss of all their cash?

Just to be clear I agree that home users using Windows are at
risk for all sorts of nasty things, and they need help.  I also
didn't want folks to believe that it is a problem related to
one OS or demographic.  It's a problem of crime, mostly.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Tue, Feb 21, 2006 at 12:04:17AM -0600, Rob Thomas wrote:
> ] true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> ] or router(s) (other than the one provided by her ISP and managed by them)
> ] and has zero clue about overly permissive machines.
> 
> Agreed.  Instead all of her financial records are on those
> unix web/database servers, or transit through those routers,
> etc.  There's a reason why such devices are popular with
> the criminals.  :(


what's the objective?  ID theft, fiscal mayhem - go for the
infrastructure stuff (like you say). lowest visible impact
for very high fiscal return.
destabilize the trust model, perceptions of availability?
large zombie packs might be your best bet.
(we're not in it for the money, we want social change!)

> 
> -- 
> Rob Thomas
> Team Cymru
> http://www.cymru.com/
> ASSERT(coffee != empty);


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


[EMAIL PROTECTED] wrote:
> On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
>
>> Hey, Bill.
>>
>> ]   what is the mean-time-to-infection for a stock windows XP system
>> ]   when plugged into the net?... 2-5minutes?  you can't get patches
>> ]   down that fast.
>>
>> The same case can be made for Linux and Unix-based web servers with
>> vulnerable PHP-based tools.  There's also a large number of poorly
>> configured devices such as routers with easily guessed passwords,
>> overly permissive DNS name servers, etc.
>>
>> It's not simply a Windows problem.
>>
>> Thanks,
>> Rob.
>
> true enough.  but "auntie jane" doesn't have linux/unix web server(s)
> or router(s) (other than the one provided by her ISP and managed by them)
> and has zero clue about overly permissive machines.
>
> methinks it is a -much- larger pool that gets taken advantage of
> with a much higher threshold of ignorance about problems.
>
> --bill

You described it best, and home users are indeed the problem discussed.

However, the amount of insecure routers out there is scary by itself.
Rob has a lot more data on that than me and I don't doubt what he said.


--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

]   true enough.  but "auntie jane" doesn't have linux/unix web server(s)
]   or router(s) (other than the one provided by her ISP and managed by them)
]   and has zero clue about overly permissive machines.

Agreed.  Instead all of her financial records are on those
unix web/database servers, or transit through those routers,
etc.  There's a reason why such devices are popular with
the criminals.  :(

-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

On Mon, Feb 20, 2006 at 07:49:04PM -0600, Rob Thomas wrote:
> 
> Hey, Bill.
> 
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
> 
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
> 
> It's not simply a Windows problem.
> 
> Thanks,
> Rob.

true enough.  but "auntie jane" doesn't have linux/unix web server(s)
or router(s) (other than the one provided by her ISP and managed by them)
and has zero clue about overly permissive machines.

methinks it is a -much- larger pool that gets taken advantage of
with a much higher threshold of ignorance about problems.

--bill



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Sean Donelan wrote:
> On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
>
>> it's also not just a 'i got infected over the net' problem... where is
>> that sean when you need his nifty stats :) Something about no matter what
>> you filter grandpa-jones will find a way to click on the nekkid jiffs of
>> Anna Kournikova again :(
>
> Give me (or CAIDA) permission to peek inside your networks and I'm sure
> there are lots of nifty stats we could anonymize :)
>
> The big mystery for me has always been the computers that are infected
> BEFORE they are connected to the network for the first time (according
> to their owners).  It's never repeatable, and never provable, but the
> computer owner swears it happened.  In any case, the home computer is
> owned by the home user, not the ISP or an employer or a media company.  If
> you make something attractive enough to the user, he will find a way to
> get it on his computer no matter how many roadblocks you try to put in
> the way.
>
> An ISP blocking one virus or worm doesn't change the end result.  Time
> after time I've watched, the computers eventually get infected anyway.
> Although it may appear to take longer or your NIDS may not pick up the
> final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
> vendors for ideas I've used over several years and they are now selling.
>
> On the other hand, the number of infected computers never seems to spiral
> out of control. I've been wondering, instead of trying to figure out why
> some computers get infected, should we be trying to figure out why most
> computers don't become infected?


Comment only on last paragraph:
Many *home* computers do, quite a few *corporate* do as well, in my
experience.


Even if they didn't the numbers we face are significant enough.

--
http://blogs.securiteam.com/

"Out of the box is where I live".
-- Cara "Starbuck" Thrace, Battlestar Galactica.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Sean Donelan

On Tue, 21 Feb 2006, Christopher L. Morrow wrote:
> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(

Give me (or CAIDA) permission to peek inside your networks and I'm sure
there are lots of nifty stats we could anonymize :)

The big mystery for me has always been the computers that are infected
BEFORE they are connected to the network for the first time (according
to their owners).  It's never repeatable, and never provable, but the
computer owner swears it happened.  In any case, the home computer is
owned by the home user, not the ISP or an employer or a media company.  If
you make something attractive enough to the user, he will find a way to
get it on his computer no matter how many roadblocks you try to put in
the way.

An ISP blocking one virus or worm doesn't change the end result.  Time
after time I've watched, the computers eventually get infected anyway.
Although it may appear to take longer or your NIDS may not pick up the
final signature.  Look at Adlex, Motive, Arbor, ISS, Microsoft and other
vendors for ideas I've used over several years and they are now selling.

On the other hand, the number of infected computers never seems to spiral
out of control. I've been wondering, instead of trying to figure out why
some computers get infected, should we be trying to figure out why most
computers don't become infected?



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Valdis.Kletnieks
On Tue, 21 Feb 2006 04:15:25 +0200, Gadi Evron said:
> The philosophical discussion aside (latest one can be found under "zotob 
> port 445 nanog" on Google), presenting some new technologies that shows 
> this *can* be done changes the picture.

OK. The tech exists, or can be made to exist.  The unanswered question is
still "How do you get a disinterested ISP to be interested in it?"

The horse has been led. Now make him drink the kook-aid.






Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Christopher L. Morrow wrote:
> it's also not just a 'i got infected over the net' problem... where is
> that sean when you need his nifty stats :) Something about no matter what
> you filter grandpa-jones will find a way to click on the nekkid jiffs of
> Anna Kournikova again :(
>
> anyway, someone mentioned the rafts of posts in the archives, it'd be nice
> if this was all just referred there :(

I quite agree, unless other solutions can be presented, and indeed, 2
new ones have so far.

The philosophical discussion aside (latest one can be found under "zotob
port 445 nanog" on Google), presenting some new technologies that shows
this *can* be done changes the picture.


I believe it was actually Randy Bush's idea in that last thread, to use 
such software.


Gadi.


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Christopher L. Morrow

On Mon, 20 Feb 2006, Rob Thomas wrote:

>
> Hey, Bill.
>
> ] what is the mean-time-to-infection for a stock windows XP system
> ] when plugged into the net?... 2-5minutes?  you can't get patches
> ] down that fast.
>
> The same case can be made for Linux and Unix-based web servers with
> vulnerable PHP-based tools.  There's also a large number of poorly
> configured devices such as routers with easily guessed passwords,
> overly permissive DNS name servers, etc.
>
> It's not simply a Windows problem.

it's also not just a 'i got infected over the net' problem... where is
that sean when you need his nifty stats :) Something about no matter what
you filter grandpa-jones will find a way to click on the nekkid jiffs of
Anna Kournikova again :(

anyway, someone mentioned the rafts of posts in the archives, it'd be nice
if this was all just referred there :(


Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Rob Thomas

Hey, Bill.

]   what is the mean-time-to-infection for a stock windows XP system
]   when plugged into the net?... 2-5minutes?  you can't get patches
]   down that fast.

The same case can be made for Linux and Unix-based web servers with
vulnerable PHP-based tools.  There's also a large number of poorly
configured devices such as routers with easily guessed passwords,
overly permissive DNS name servers, etc.

It's not simply a Windows problem.

Thanks,
Rob.
-- 
Rob Thomas
Team Cymru
http://www.cymru.com/
ASSERT(coffee != empty);



Re: and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread bmanning

> Edward W. Ray wrote:
> >IMHO, a user should have to demonstrate a minimum amount of expertise and
> >have an up-to-date AV, anti-spyware and firewall solution for their PCs.
> 
> The mostly-user ISP's will have to eventually do something or end up 
> being either regulated, spending more and more and more on tech support 
> and/OR abuse personnel, or written down as blackhat AS's.
> 
>   Gadi.

if i may 


to borrow a bit more from the "licensed to net" analogy...
are vendors being let off scot-free and leaving the burden of
responsibility to the consumer?  ISPs are the roads (likely toll)
and they should not be forced to create barriers, speed bumps,
and control methods for poor drivers who are sold crap for vehicles.
what is the mean-time-to-infection for a stock windows XP system
when plugged into the net?... 2-5minutes?  you can't get patches
down that fast.

i'm beginning to think that botnet like structures are in fact the
wave of the future.  ... and instead of trying to eradicate them, we
should be looking at ways to use botnet like structures for adding value to
an increasingly more connected mesh of devices.  ...

of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
-NOT- inherently evil... they can be turned that way, but if there is a
value to such things, we ought to be able to use them for our own
purposes.



--bill  (who really has better things to do, but slugs are still in bed...)


and here are some answers [was: Quarantine your infected users spreading malware]

2006-02-20 Thread Gadi Evron


Edward W. Ray wrote:
> IMHO, a user should have to demonstrate a minimum amount of expertise and
> have an up-to-date AV, anti-spyware and firewall solution for their PCs.

That is why we have hundreds of millions of bots in the wild.

The mostly-user ISP's will have to eventually do something or end up
being either regulated, spending more and more and more on tech support
and/OR abuse personnel, or written down as blackhat AS's.


Some PRODUCTS, PRO and AGAINST links from people on quarantining of
infected users, thanks to all those who shared so far!

Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html
http://www.forescout.com/index.php?url=products&section=counteract

Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in
2003): http://www.nanog.org/mtg-0402/gauthier.html


Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html
http://www.csl.sri.com/users/linda/bibs/publications/mmsm2005.pdf
http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf

Gadi.