The fine people at the FBI are recommending people call their ISP for home computer technical support, even though most ISPs don't sell home computers, operating system software or application software.
http://www.fbi.gov/page2/june07/botnet061307.htm
First, if you believe your computer has been compromised, do not call
the FBI directly. You should contact your Internet service provider.
They can help you determine if your computer has been infected, and
what steps to take to restore it. We are not in a position to provide
technical assistance.
BTW, 1 million compromised computers is probably a low estimate.
Besides the 'call your ISP for technical help' blunder, there's actually more useful info, believe it or not, in the press release linked in the article:
The FBI aren't claiming only 1 million infected machines, they're saying that this particular sweep involves up to a million botted hosts.
It seems to me that the larger inference is that law enforcement are taking the botnet problem more seriously, which is what a lot of folks in the operational community have been advocating for a long time. While one aspect of the messaging is questionable, it seems to me that active national-level LEO involvement in this problem-space would be welcomed by many.
It's just a first step, and those are always the hardest to take.
It's great to see FBI agents and the DOJ taking more interest in the problem of bots and computer intrusions. I'm especially happy to see some arrests. The focus on home-grown bad guys was also good, instead
of pointing the finger at some random other country. There are more than
enough bad guys in more than enough countries to go around. If US law enforcement makes any progress at home, each other country can work on
their native bad guys.
Unfortunately, most FBI agents probably have about as much control over the FBI press office as most ISP security engineers have over their marketing departments. While FBI agents may be working with ISP security engineers, I suspect the FBI press office didn't bother to vet or coordinate its press release with ISPs before issuing it. We've
all cringed at one time or another at what our respective marketing
teams come up with.
The fine people at the FBI are recommending people call their ISP for
home computer technical support, even though most ISPs don't sell
home computers, operating system software or application software.
No, the ISPs merely sell the channel through which the home computers
get infected with worms and viruses, and through which the home
computers vomit the results of those infections.
The biggest reason that we are making no progress against zombies is
that everyone wants them to be someone else's problem. I entirely
agree that the prime responsibility lies with the computer vendors and
particularly with operating system vendors, such as one near Seattle,
that year after year ship easily compromised software. Whenever
someone tries to ask me a Windows question, I tell them to call
Microsoft and demand they support the software they sell.
But ISPs are not wholly without responsibility. If one of your
customers reloaded Windows from CD and then needed to download all of
the patches, do you provide a way for them to do it without getting
re-wormed before the download is done?
Windows patches and updates are copyrighted intellectual property of Microsoft, and can not be re-distributed without written permission of Microsoft. Microsoft currently does not have an authorized way for general public ISPs to redistribute Microsoft updates except by a connection to the Internet. Institutional licenses, such as available for
universities, are not licensed to ISPs.
Since many Microsoft patches are only legally available via the Internet, and an ISP can not predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access which includes access for most worms.
I have been down this road several times with Microsoft legal. And if
an ISP wants to obey the law, there isn't a good answer for ISPs. If the ISP says to hell with the law, there are several technical options for redistributing Microsoft updates. If Microsoft changed its licensing policies for ISPs, there are several technical options for redistributing
Microsoft updates.
Since many Microsoft patches are only legally available via the Internet, and an ISP can not predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access which includes access for most worms.
<snip>
May I recommend developing an in house method for allowing the customer only access to your servers (web, dns, proxy, etc), and then apply filters for everything else except for tcp/80. If you wanted to be additionally paranoid, you could even allow only established tcp/80 connections back to the customer.
Once updated, the customer could establish contact to have filters removed, or an automated web process could be created.
It's a ton of work, and there are any number of ways to do it. A lot depends on your network. It can be done, though.
Since many Microsoft patches are only legally available via
the Internet, and an ISP can not predict which servers
Microsoft will use to distribute Microsoft patches, ISPs must
enable essentially full Internet access which includes access
for most worms.
Has anybody tried a firewalling solution in which unpatched PCs are only
able to access a special ISP-operated forwarding nameserver which is
configured to only reply with A records for a list of known Microsoft
update sites? And then have this specially patched nameserver also
trigger the firewall to open up access to the addresses that it returns
in A records?
According to Microsoft, their list of "trusted sites" for MS Update is
*.update.microsoft.com and download.windowsupdate.com. Even if they have
some sort of CDN (Content Delivery Network) with varying IP addresses
based on topology or load, this is still predictable enough for a
software solution to provide a temporary walled garden.
You don't need to make copies of their patch files. You don't need MS to
provide an out-of-band list of safe IP addresses. As long as you are
able to divert a subscriber's traffic through a special firewalled
garden, an ISP can implement this with no special support from MS. Wrap
this up with a GUI for your support-desk people to enable/disable the
traffic diversion and you have a low-cost solution. You can even
leverage the same technology to deal with botnet infestations although
you would probably want a separate firewalled garden that allows access
to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's
own pages, etc.
I went down that road several times, and there are many issues with what you have described which won't work for how Microsoft distributes its updates and patches, and with the user. Microsoft has enabled Windows with enough features that users can infect their machine with only TCP/80.
Please review the archives for details from several years ago, and at
some point you will end up needing to violate the written Microsoft licenses.
It's not a technical problem (although engineers seem to like to think everything is), it's a legal issue with Microsoft's lawyers and licenses.
It would place more of the burden on the source of the problem.
Hopefully, it would also allow Micr0$0ft to assist the people
unfortunate enough to have purchased their products overcome
the problems created by that decision, but, that might be asking
too much.
It's not a technical problem (although engineers seem to like to think
everything is), it's a legal issue with Microsoft's lawyers and licenses.
I realize it's not a technical problem, although I suspect there are
some technical twiddles that could help, e.g., persuading Microsoft to
put the update servers in their own ASN to make it easier to put them
in a sandbox. And I realize that Microsoft's combination of arrogance
and naivete can make them painful to deal with.
So I guess I'm glad that the FBI has told people to call their ISPs,
to remind ISPs that doing nothing is not costless, and to provide an
incentive to keep pushing on MS and other providers of problem
software to do something about it.
I realize it's not a technical problem, although I suspect there are
some technical twiddles that could help, e.g., persuading Microsoft to
put the update servers in their own ASN to make it easier to put them
in a sandbox. And I realize that Microsoft's combination of arrogance
and naivete can make them painful to deal with.
If you have Akamai servers, the IPs will be on your network (and of
course shared with many other sites). You'd have to limit access with a
limited DNS server (since few will use or even know IPs to visit) that
only gives out DNS for certain hosts/domains.
MS does not single-source. Users going to Windows Updates can and will be directed to a number of places, including Akamai, and Microsoft itself, depending on time of day, phase of moon, and whim of the content owner.
In general, creating a sandbox where a computer can only reach $UPDATE_SERVER is very, very difficult. And, as much as I hate to admit it, MS OSes are not the only ones that can be compromised (he types on his black MacBook).
That said, the majority of compromised computers do run some flavor of Redmond-Ware. (One can argue about the underlying cause - market share, quality of software, virus writer's preference, whatever - but the fact still stands that most compromised computers run Windows.) So getting a "windows update sandbox" would be very useful.
That said, the majority of compromised computers do run some flavor of
Redmond-Ware. (One can argue about the underlying cause - market share,
quality of software, virus writer's preference, whatever - but the fact
still stands that most compromised computers run Windows.) So getting a
"windows update sandbox" would be very useful.
8<----------------------------------------------------------------
Microsoft Windows Server Update Services
Microsoft Windows Server Update Services (WSUS) enables information
technology administrators to deploy the latest Microsoft product updates
to computers running the Windows operating system. By using WSUS,
administrators can fully manage the distribution of updates that are
released through Microsoft Update to computers in their network.
----------------------------------------------------------------->8
Which is used in large organizations to deploy patches with ease.
Requires some AD mumbo-jumbo of course.
Really, the information is out there; Google knows, so can you.
Read the Microsoft license agreement for WSUS, the information is out there. It works for institutional license holders, but not for public
ISPs.
Small ISPs without legions of lawyers may not worry about stuff like this, but unfortunately large ISPs have to. It's not a technical issue. If the Microsoft lawyers said ok, the engineers could come up with lots of ways to do this. I asked Microsoft's lawyers multiple times. But as always, you should consult with your own legal advisor.
I keep hoping one day Microsoft will announce something like WSUS for ISPs. But it's been several years.
In general, creating a sandbox where a computer can only reach
$UPDATE_SERVER is very, very difficult.
I believe it. Perhaps we could help Microsoft make it easier. The
sandbox doesn't have to include all their servers, just enough of
them to service the sandboxed users.
And, as much as I hate to admit it, MS OSes are not the only ones
that can be compromised (he types on his black MacBook).
If we can get sandboxes for MS and Apple, we FreeBSD users are willing
to take our chances.
There's a major problem with this - End-users won't take nicely to being
restricted from going to specific websites, and will more than likely go to
another ISP rather than to patch their computer as they see no benefit of
patching themselves. We see the benefit of the patches, they don't
necessarily.
Not to single anyone out but there will more than likely always be a careless
(and/or clueless) ISP who doesn't care if over half their network is wormed,
the customers from the ISPs who are cracking down on infected machines will
simply go over to the ISP who doesn't care as there would be "less hassle".
What needs to be done is ALL ISPs across the board need to clean up their
networks, thus cornering the lazy end-users into cleaning up their machines.
To be honest: There's too few ISPs that would want to take up the
responsibility of filtering worm'd customers, and as well, the instant an ISP
starts filtering, they may even set themselves up for a lawsuit of the
customer saying "I paid for the service, why aren't I getting it?!"
And regarding Microsoft and their patching licences:
Those patches may be their precious "legal property" but it's their hoarding of
legal rights that's damaging hundreds of thousands of computers. Microsoft is
currently abusing their market share standings and giving insufficient patch
distribution, (i.e. offline distribution) Therefore Microsoft should be held
accountable for every computer that becomes infected with worms due to
insufficient patching. To me, it sounds like Microsoft wants the power, but
doesn't want the responsibility that comes with the power of great market
share. It is time Microsoft be forced to take that responsibility.
Maybe I'm totally off-base, but I could've sworn I read something somewhere in the last year or so about Microsoft working with some or genning up a program to work with SPs in order to offer this functionality to their customers, if they so choose?
And regarding Microsoft and their patching licences:
Those patches may be their precious "legal property" but it's their hoarding of
legal rights that's damaging hundreds of thousands of computers. Microsoft is
currently abusing their market share standings and giving insufficient patch
distribution, (i.e. offline distribution) Therefore Microsoft should be held
accountable for every computer that becomes infected with worms due to
insufficient patching. To me, it sounds like Microsoft wants the power, but
doesn't want the responsibility that comes with the power of great market
share. It is time Microsoft be forced to take that responsibility.
Regulation targeting software-vendors and service-providers has little
effect as it is an attempt to disrupt the money-flow somewhere in the
middle. It's usually more efficient to "attack" the source. I.e.
authorities must hold computer users responsible and make them pay every
penny (or millions;) it costs to investigate and clean up their mess.
Mainstream OSes as we know them would have been unsellable in today's
market if users, ever since the internet was commercialised, had been
held responsible.