Quarantine your infected users spreading malware

Many ISPs who do care about issues such as worms, infected users "spreading the love", etc. simply do not have the manpower to handle their entire infected user population.

It is becoming more and more obvious that the answer may not be at the ISPs' doorstep, but the ISPs are indeed a critical part of the solution. What their eventual role in user safety will be I can only guess, but it is clear (to me) that this subject is going to become a lot "hotter" in coming years.

Aunty Jane (as Dr. Alan Solomon (drsolly) likes to call your average user) is the biggest risk to the Internet today, and none of us has a good idea yet of how to fix the user. Especially since it's not quite one, as I put in a Heinlein quote below.

Some user/broadband ISPs (not, say, tier-1s and tier-2s, who would be against it: "don't be the Internet's firewall") have been blocking ports such as 139 and 445 for a long time now, successfully preventing many of their users from becoming infected. This is also an excellent first step for responding to relevant outbreaks and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as well. Plus, should this even be done?

One of them has been around for a while, but is only now beginning to mature: quarantining your users.

Infected user quarantine may sound a bit harsh, but consider: if a user is indeed infected and does "spread the joy" on your network as well as others', and you could simply firewall him (or her) off from the world (VLAN, or other solutions which may be far better), letting him (or her) reach only a web page explaining the problem, it's pretty nifty.

As many of us know, handling such users on tech support is not very cost-effective for ISPs, since if a user makes a call the ISP already loses money on that user. Then again, paying abuse desk personnel just so that they can disconnect your users is losing money too.

Which one would you prefer?

Jose (Nazario) points to many interesting papers on the subject on his blog: http://www.wormblog.com/papers/

Is it the ISP's place to do this? Should the ISP do this? Does the ISP have a right to do this?

If the ISP is nice enough to do it, and users know the ISP might, why not?

This (as well as port blocking) is more true for organizations other than ISPs, but if they are indeed user/broadband ISPs, I see this as both the effective and the ethical thing to do if the users are notified this might happen when they sign their contracts. Then all the "don't be the Internet's firewall" debate goes away.

I respect the "don't be the Internet's firewall" issue, not only for the sake of the cause but also because friends such as Steven Bellovin and others believe in it a lot more strongly than I do. Bigger issues such as the safety of the Internet exist now. That doesn't mean user rights are to be ignored, but certainly ours shouldn't be either, especially if these are mostly unaffected?

I believe both are good and necessary solutions, but every organization needs to choose what is best for it, rather than follow some pre-determined blueprint. What's good for one may be horrible for another.

"You don't approve? Well too bad, we're in this for the species boys and girls. It's simple numbers, they have more and every day I have to make decisions that send hundreds of people, like you, to their deaths." -- Carl Jenkins, Starship Trooper, the movie.
I don't think the second part of the quote is quite right (to say the least), but I felt bad leaving it out, it's Heinlein after all... anyone who claims he is a fascist though will have to deal with me. :slight_smile:
This isn't only about users, it's about the bad guys and how they out-number us, too. They have far better cooperation to boot.

There are several such products around and they have been discussed here on NANOG before, but I haven't tried them myself as of yet, so I can't really recommend any of them. Can you?

I'll update on these as I find out more on: http://blogs.securiteam.com

This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312

  Gadi.

The ISPs will be a part of the solution. However, ISPs fall into two major
categories:

1) The ones that read the types of lists that you posted this to
2) The ones that have the problem.

You're preaching to the choir, Gadi - and if there's *one* thing I'd like a
solution for, it's *that* problem. How do you get the unwashed masses of ISPs
to join the choir so you can preach to them?

What products that answer this are out there, and how good, in your experience, are they?

We discussed this here before inconclusively and stayed on philosophy; does anyone have new experience on the subject?

Thanks.

Let's be clear in what we're addressing. Are we talking about an en masse quarantine of IP addresses sending the worm traffic, or identifying the C&C<->payload conversations and applying blocks accordingly?

Where are the anti-virus and software firewall vendors in this conversation? To be plain, this obviously isn't a problem you can solve with some border filters. The complexity, and fallout, from trying to put those kinds of filtering in is just too great. It's cumbersome to manage manually and operational impact is too great.

If we're going to philosophize about solutions, let's throw some ideas out. Where do concepts like ThreatNet fit into this notion? (http://ali.as/threatnet/) To save some reading, the idea behind ThreatNet is to establish a closed threat sharing network with trusted peers, sharing information about malcontents doing things on your network that they shouldn't be. If you can positively identify SSH brute force sources, port scan patterns, worm traffic, spam sources, etc, and report them to trusted peers in a collaborative fashion, it becomes easier to support intelligent and rapid traffic filtering concepts in your network designs, where appropriate, even if it's something as simple as putting together a business case for filtering entire netblocks or regions. (Yes, I write my own analyzers, and yes, I'm involved peripherally with this project.) ThreatNet is still pretty nascent, but conceptually it's got merit.

I'll bring up MainNerve again since they're the only vendor I've worked with that's got tools for selectively filtering known troublemakers.

As a potential solution, I bring both of these items up because they provide the ability to take good, distributed intelligence gathering and apply them to your network in a precision manner, if at all, in accordance with any unique policies you may have. The problem, as I see it, is that even if one ISP sees the bad behaviour, there's no communication amongst the community (that I can see) to relay or collate the history. It's like playing Mom off against Dad because they never talk to each other. For coming up with clear patterns of abuse and shenanigans, we're suffering from collective myopia because we're ignoring an aspect of our favorite big ass communications medium.

Or I'm completely off base, in which case tell me to shut up and I'll go back into my code coma.

- billn

While I'm not being told to shut up because this is off topic (yet), I'm going to suggest that people interested in continuing this conversation contact me off list and coordinate something ad hoc. The amount of bullshit I've already received in response to thinking that this has operational merit when it comes to mitigating both risk and effects is pretty astounding, even by nanog standards.

Thanks.

- billn

We're one of those user/broadband ISPs, and I have to agree with the other
commentary that to set up an appropriate filtering system (either user,
port, or conversation) across all our internet access platforms would be
difficult. Put it on the edge and you miss the intra-net traffic, put it in
the core and you need a box on every router, which for a larger or
geographically distributed ISP could be cost-prohibitive.

In relation to that ThreatNet model, we just could wish there was a place we
could quickly and accurately aggregate information about the bad things our
users are doing -- a combination of RBL listings, abuse@, SenderBase,
MyNetWatchman, etc. We don't have our own traffic monitoring and analysis
system in place, and even if we did, I'm afraid our work would still be very
reactionary.

And for the record, we are one of those ISPs that blocks ports 139 and 445
on our DSLAM and CMTS, and we've not received one complaint, but I'm
confident it has cut down on a host of infections.

Frank
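Frank's wish list above (RBL listings, abuse@, SenderBase, MyNetWatchman) and billn's ThreatNet point describe the same gap: reports about one customer arrive from feeds that never talk to each other, and nobody collates them. As an added example, not code from the thread or from any product or project named in it, here is the core of such a collation step in Python: a time-aware lease lookup (on a dynamic pool an IP alone does not identify a customer), per-source weighting with per-day deduplication, and a decision rule that reserves quarantine for subscribers corroborated by at least two independent feeds. Every feed name, report line and lease record is constructed for the example; the weights and thresholds are illustrative assumptions an abuse desk would tune to its own traffic.

```python
"""Collate abuse reports from several feeds and rank subscribers for action.

Added example for the NANOG thread, not code from any ISP or vendor. Feeds,
reports, leases, weights and thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed lease table: (subscriber, ip, lease_start, lease_end). A real
# deployment would read RADIUS accounting or DHCP logs. The lookup must be
# time-aware: dynamic pools reassign addresses between customers.
LEASES = [
    ("sub-1001", "203.0.113.10", "2006-02-18T00:00", "2006-02-21T00:00"),
    ("sub-1002", "203.0.113.11", "2006-02-18T00:00", "2006-02-19T12:00"),
    ("sub-1003", "203.0.113.11", "2006-02-19T12:00", "2006-02-21T00:00"),
    ("sub-1004", "203.0.113.12", "2006-02-18T00:00", "2006-02-21T00:00"),
]

# Constructed report feed: (source, ip, timestamp, category). The source
# names only mirror the *kinds* of feed mentioned in the thread.
REPORTS = [
    ("rbl",        "203.0.113.10", "2006-02-18T03:10", "spam"),
    ("abuse-mbox", "203.0.113.10", "2006-02-19T09:45", "worm-scan"),
    ("ids-agg",    "203.0.113.10", "2006-02-20T11:05", "worm-scan"),
    ("ids-agg",    "203.0.113.11", "2006-02-19T02:00", "ssh-brute"),  # lease: sub-1002
    ("ids-agg",    "203.0.113.11", "2006-02-20T02:00", "ssh-brute"),  # lease: sub-1003
    ("abuse-mbox", "203.0.113.12", "2006-02-20T15:30", "spam"),
    ("abuse-mbox", "203.0.113.12", "2006-02-20T15:31", "spam"),       # same feed, same day
]

# Assumed per-source weights. Independent confirmation from *different* feeds
# is what should drive a quarantine, not volume from one noisy feed.
SOURCE_WEIGHT = {"rbl": 1.0, "abuse-mbox": 1.0, "ids-agg": 0.8}


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def subscriber_for(ip: str, when: datetime) -> Optional[str]:
    """Resolve an IP to the subscriber who held it at that moment, or None."""
    for sub, lease_ip, start, end in LEASES:
        if lease_ip == ip and _ts(start) <= when < _ts(end):
            return sub
    return None


def score_subscribers(reports: List[tuple], window_days: int = 7) -> Dict[str, Tuple[float, int, int]]:
    """Return {subscriber: (score, distinct_sources, raw_report_count)}.

    Each (source, calendar day) pair counts once, so a feed that fires twice
    in a minute does not double-count. Unmapped addresses are skipped: acting
    on a guess would hit whoever holds the address now.
    """
    seen = defaultdict(set)
    raw = defaultdict(int)
    cutoff = max(_ts(r[2]) for r in reports) - timedelta(days=window_days)
    for source, ip, when, _category in reports:
        t = _ts(when)
        if t < cutoff:
            continue
        sub = subscriber_for(ip, t)
        if sub is None:
            continue
        raw[sub] += 1
        seen[sub].add((source, t.date()))
    out = {}
    for sub, pairs in seen.items():
        score = round(sum(SOURCE_WEIGHT.get(src, 0.5) for src, _ in pairs), 2)
        out[sub] = (score, len({src for src, _ in pairs}), raw[sub])
    return out


def decide(score: float, distinct_sources: int) -> str:
    """Quarantine needs two independent feeds; one feed alone only earns a notice."""
    if distinct_sources >= 2 and score >= 2.0:
        return "quarantine"
    if score >= 1.0:
        return "notify"
    return "monitor"


def triage(reports: List[tuple] = REPORTS) -> Dict[str, str]:
    return {sub: decide(s, n) for sub, (s, n, _raw) in score_subscribers(reports).items()}


if __name__ == "__main__":
    for sub, (s, n, raw_count) in sorted(score_subscribers(REPORTS).items()):
        print(f"{sub}: score={s} sources={n} reports={raw_count} -> {decide(s, n)}")
```

Run as a script it prints one line per subscriber: sub-1001 (three feeds over three days) lands in quarantine, sub-1004 (one mailbox, two mails a minute apart) only earns a notification, and the two ssh-brute reports against 203.0.113.11 resolve to different subscribers because the lease changed between them. That last case is why the lease lookup is time-aware: a cleanup action aimed at a pool address whose lease has moved on punishes the next customer.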

Frank Bulk wrote:

> We're one of those user/broadband ISPs, and I have to agree with the other
> commentary that to set up an appropriate filtering system (either user,
> port, or conversation) across all our internet access platforms would be
> difficult. Put it on the edge and you miss the intra-net traffic, put it in
> the core and you need a box on every router, which for a larger or
> geographically distributed ISP could be cost-prohibitive.

I have a question here, do you have repeat offenders in your abuse desk who are of the malware-sort rather than bad people? Can these be put in a specific group?

> In relation to that ThreatNet model, we just could wish there was a place we
> could quickly and accurately aggregate information about the bad things our
> users are doing -- a combination of RBL listings, abuse@, SenderBase,
> MyNetWatchman, etc. We don't have our own traffic monitoring and analysis
> system in place, and even if we did, I'm afraid our work would still be very
> reactionary.

> And for the record, we are one of those ISPs that blocks ports 139 and 445
> on our DSLAM and CMTS, and we've not received one complaint, but I'm
> confident it has cut down on a host of infections.

Would you happen to have statistics on how far it did/didn't help reduce abuse reports, tech support calls, etc.?

Thanks!

> Frank

  Gadi.

Frank Bulk wrote:

>> We're one of those user/broadband ISPs, and I have to agree with the
>> other commentary that to set up an appropriate filtering system
>> (either user, port, or conversation) across all our internet access
>> platforms would be difficult. Put it on the edge and you miss the
>> intra-net traffic, put it in the core and you need a box on every
>> router, which for a larger or geographically distributed ISP could be
>> cost-prohibitive.

> I have a question here, do you have repeat offenders in your abuse desk who
> are of the malware-sort rather than bad people? Can these be put in a
> specific group?

Most of the repeat offenders tend to be people who lack the ability to
choose websites judiciously, to put it kindly. But when we encourage them to
get a pop-up blocker, update their antivirus (either the whole program or
definitions), and install a firewall (Windows XP or cheap NAT router), the
problem usually fades away. Most "just didn't know" that their computer was
spewing forth spam or viruses, being used as a proxy, or part of some kind
of botnet.

>> In relation to that ThreatNet model, we just could wish there was a
>> place we could quickly and accurately aggregate information about the
>> bad things our users are doing -- a combination of RBL listings,
>> abuse@, SenderBase, MyNetWatchman, etc. We don't have our own traffic
>> monitoring and analysis system in place, and even if we did, I'm
>> afraid our work would still be very reactionary.

>> And for the record, we are one of those ISPs that blocks ports 139 and
>> 445 on our DSLAM and CMTS, and we've not received one complaint, but
>> I'm confident it has cut down on a host of infections.

> Would you happen to have statistics on how far it did/didn't help reduce
> abuse reports, tech support calls, etc.?

We don't look at the logs for entries regarding ports 139/445, but when
we last looked it was a few unique IP addresses per day. And due to our size,
we have no idea how much it reduced abuse reports. It's been in place for
several years.

Frank

>   Gadi.

On Mon, 2006-02-20 at 23:40:48 +0200, Gadi Evron proclaimed...

[snip]

> I'll update on these as I find out more on: http://blogs.securiteam.com

> This write-up can be found here: http://blogs.securiteam.com/index.php/archives/312

Ah yes, the old self-promotion trick. You know, I get some ads for C1@lis
that sound pretty good until I have to click on their link to get more
information.

Moderators: doesn't this border on spam?

The information, quite a bit of it, comes before the link. If you'd like I can send it to you again. Thanks!

  Gadi.

> How do you get the unwashed masses of ISPs
> to join the choir so you can preach to them?

Why not just bypass them and go direct to the unwashed
masses of end users? Offer them a free windows
infection blocker program that imposes the quarantine
itself locally on the user's machine. This program
would use stealth techniques to hide itself in the
user's machine, just like viruses do. And this program
would do nothing but register itself with an encoded
registry, and listen for an encoded command to activate
itself. Rather like a botnet except with the user's
consent and with a positive goal.

When the community of bot/worm researchers determines
that this machine is infected, they inform the central
registry using their own encoded signal. When enough
"votes" have been collected, the registry sends the
shutdown signal to the end user, thus triggering the
blocker program to quarantine the user.

At this point a friendly helpful webpage pops up
and guides the user through the disinfection process.

Unlike antivirus software, the application on the user's
computer does not need to detect malware and it needs
no database updates. It does only one thing and it relies
on the collective intelligence of the anti-malware community.

This won't stop worms or botnets, but it will slow them down
and it will greatly speed the cleanup process.

--Michael Dillon

> consent and with a positive goal.

Isn't this pretty much like how they were compromised in the first place? How do you differentiate this infection from the ones they've been preached to to avoid?

"Trust me...I won't come in your mouth."

Hi Michael, the only problem with that approach is that you think like a defender.

As the defense is local to the user's machine, the attacker can just kick it away.

> Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do.

> As the defense is local to the user's machine, the attacker can just
> kick it away.

How are they going to identify the code to throw
away? I believe that the state of the art for
AV software is to create randomly named EXE files
so that attackers cannot delete the running process,
and then the EXE file ensures that the installed
program and startup config are not tampered with.

If AV software can protect itself this way, why
would anyone build an infection blocker using
any less protection?

--Michael Dillon

> How do you differentiate this infection from the ones
> they've been preached to to avoid?

The same way that people currently differentiate
bad software from good software before they install
something on their machines.

--Michael Dillon

> Why not just bypass them and go direct to the unwashed
> masses of end users? Offer them a free windows
> infection blocker program that imposes the quarantine
> itself locally on the user's machine. This program
> would use stealth techniques to hide itself in the
> user's machine, just like viruses do. And this program
> would do nothing but register itself with an encoded
> registry, and listen for an encoded command to activate
> itself. Rather like a botnet except with the user's
> consent and with a positive goal.

Intriguing concept.. Why bother "hiding" itself though? Or is the
idea to prevent itself from being removed by malware?

> When the community of bot/worm researchers determines
> that this machine is infected, they inform the central
> registry using their own encoded signal. When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

Isn't there a risk of DoS though? What's to prevent someone from
"spoofing" those signals and shutting down other users? Relative
precautions would need to be taken, but to be sure, the end-user needs
the ability to override the system. Thus leaving us in the same
situation as before. Firewall? I don't need no stinking firewall..
:)

> Unlike antivirus software, the application on the user's
> computer does not need to detect malware and it needs
> no database updates. It does only one thing and it relies
> on the collective intelligence of the anti-malware community.

Sure it does.. It doesn't need to remove it, per se, but it will need
to know what the infection is so it can give the correct disinfection
instructions..

AV software can *try* and protect itself in this and other ways, but that is OT to NANOG. I don't mind discussing it in private though if software protection reversing technology interests you. :)

  Gadi.

> When enough
> "votes" have been collected, the registry sends the
> shutdown signal to the end user, thus triggering the
> blocker program to quarantine the user.

> Isn't there a risk of DoS though? What's to prevent someone from
> "spoofing" those signals and shutting down other users?

The signal would be encoded using a unique key.
I would also expect that the choice of listening port
would be somehow randomized and registered in the central
registry to make it less of a DOS target.

> Relative
> precautions would need to be taken, but to be sure, the end-user needs
> the ability to override the system. Thus leaving us in the same
> situation as before. Firewall? I don't need no stinking firewall..

I see no reason why the user needs the ability to
override or remove the software. After all, during
normal operation it does nothing at all therefore it
does not interfere in any way with machine operation.
The intent is to make it virtually impossible to
remove this software so that a virus or worm cannot
remove it either.

> Sure it does.. It doesn't need to remove it, per se, but it will need
> to know what the infection is so it can give the correct disinfection
> instructions..

If the quarantined state keeps open a port 443 connection
to a specific trusted webserver run by the group of trusted
security researchers then the specifics of combatting the
worm can be made available on that site. If necessary the
site could upload ActiveX controls to do malware scans or
recommend the installation of such software.

--Michael Dillon
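Michael's registry/agent scheme, together with the spoofing and replay objections raised against it, can be made concrete enough to reason about. The following is an added example, not code from the thread or from any real product: per-researcher and per-agent HMAC-SHA256 keys stand in for the "encoded signal", votes are counted per distinct researcher against a quorum, and the quarantine command carries a monotonic counter so a captured command cannot be replayed to the same agent. All keys, identifiers and evidence strings are constructed; a deployed version would also need key distribution and revocation, which the example leaves out.

```python
"""Quorum-gated, authenticated quarantine signalling between researchers, a
registry and a user-side agent.

Added example for the NANOG thread, not code from any real product. Keys,
IDs and messages are constructed. HMAC-SHA256 stands in for the thread's
"encoded signal"; a per-agent counter gives replay protection.
"""
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple


def _mac(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding, so key order cannot matter."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class Registry:
    """Collects authenticated researcher votes; issues signed commands on quorum."""

    def __init__(self, researcher_keys: Dict[str, bytes],
                 agent_keys: Dict[str, bytes], quorum: int):
        self.researcher_keys = researcher_keys
        self.agent_keys = agent_keys
        self.quorum = quorum
        self.votes: Dict[str, set] = {}      # agent_id -> researchers who voted
        self.counters: Dict[str, int] = {}   # agent_id -> last command counter

    def submit_vote(self, researcher: str, agent_id: str, evidence: str, mac: str) -> bool:
        key = self.researcher_keys.get(researcher)
        if key is None:
            return False                     # unknown reporter: dropped
        payload = {"researcher": researcher, "agent": agent_id, "evidence": evidence}
        if not hmac.compare_digest(_mac(key, payload), mac):
            return False                     # forged or tampered vote: dropped
        self.votes.setdefault(agent_id, set()).add(researcher)
        return True

    def maybe_issue_quarantine(self, agent_id: str) -> Optional[dict]:
        """One vote per researcher counts; repeat votes from one party do not."""
        if len(self.votes.get(agent_id, ())) < self.quorum:
            return None
        ctr = self.counters.get(agent_id, 0) + 1
        self.counters[agent_id] = ctr
        payload = {"agent": agent_id, "counter": ctr, "action": "quarantine"}
        return {"payload": payload, "mac": _mac(self.agent_keys[agent_id], payload)}


class Agent:
    """User-side blocker: acts only on authentic, fresh commands for itself."""

    def __init__(self, agent_id: str, key: bytes):
        self.agent_id = agent_id
        self.key = key
        self.last_counter = 0
        self.quarantined = False

    def receive(self, cmd: dict) -> str:
        p = cmd["payload"]
        if p.get("agent") != self.agent_id:
            return "rejected:wrong-agent"
        if not hmac.compare_digest(_mac(self.key, p), cmd["mac"]):
            return "rejected:bad-mac"        # spoofed or modified command
        if p["counter"] <= self.last_counter:
            return "rejected:replay"         # seen this (or a later) command already
        self.last_counter = p["counter"]
        if p["action"] == "quarantine":
            self.quarantined = True
        return "accepted"


def demo() -> Tuple[dict, Agent]:
    """Walk through forged vote, single vote, repeat vote, quorum, replay, spoof."""
    r_keys = {"alice": b"k-alice", "bob": b"k-bob", "carol": b"k-carol"}  # constructed
    a_keys = {"agent-42": b"k-agent-42"}                                   # constructed
    reg = Registry(r_keys, a_keys, quorum=2)
    agent = Agent("agent-42", a_keys["agent-42"])

    def vote(who: str, key: bytes, evidence: str) -> bool:
        payload = {"researcher": who, "agent": "agent-42", "evidence": evidence}
        return reg.submit_vote(who, "agent-42", evidence, _mac(key, payload))

    out = {}
    out["forged_vote"] = vote("alice", b"wrong-key", "spam seen")       # bad MAC
    out["alice"] = vote("alice", r_keys["alice"], "scanning tcp/445")
    out["cmd_after_one"] = reg.maybe_issue_quarantine("agent-42")       # below quorum
    out["alice_again"] = vote("alice", r_keys["alice"], "still scanning")
    out["cmd_after_repeat"] = reg.maybe_issue_quarantine("agent-42")    # same researcher
    out["bob"] = vote("bob", r_keys["bob"], "C&C beacon observed")
    cmd = reg.maybe_issue_quarantine("agent-42")
    out["first_delivery"] = agent.receive(cmd)
    out["replay"] = agent.receive(cmd)                                   # same counter
    spoof = {"payload": {"agent": "agent-42", "counter": 99, "action": "quarantine"},
             "mac": "00" * 32}
    out["spoof"] = agent.receive(spoof)
    return out, agent


if __name__ == "__main__":
    results, a = demo()
    for k, v in results.items():
        print(f"{k}: {v}")
    print("agent quarantined:", a.quarantined)
```

Per-researcher keys answer the "who can vote" question and the quorum answers "how many must agree"; the counter answers replay. What none of this addresses is Gadi's objection earlier in the thread: the check runs on the user's machine, so malware with administrator rights can remove or disable the agent regardless of how well the signals are authenticated. Authentication closes the spoofing and replay holes at the registry, not the local-tamper one.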

Offering them free software won't work to the levels you want. At first, you'll get a response, because consumers always jump at free shiny things, until something happens that makes them not like it anymore, and then they'll dig in and never use it again. If you want to get this kind of filtering into your core, you have a need to get this to a compulsory level for access.

I don't think there's any disagreement as to the roots of this problem:
- Modern users are generally clueless.
- Most don't have firewalls or even the most basic of protections.
- Getting tools deployed where they need to be most is the hardest.

With that said..

If you're talking about a compulsory software solution, why not, as an ISP, go back to authenticated activity? Distribute PPPoE clients mated with common anti-spyware/anti-viral tools. Pull down and update signatures *every time* the user logs in, and again periodically while the user is logged in (for those that never log out). Require these safeguards to be active before they can pass the smallest traffic.

The change in traffic flow would necessitate some architecture kung fu, maybe even AOL style, but you'd have the option of selectively picking out reported malicious/infected users (*cough* ThreatNet *cough*) and routing them through packet inspection frameworks on a case by case basis. Quite possibly, you could even automate that and the users would never be the wiser.

- billn

> If you're talking about a compulsory software solution, why not, as an
> ISP, go back to authenticated activity? Distribute PPPoE clients mated
> with common anti-spyware/anti-viral tools. Pull down and update signatures
> *every time* the user logs in, and again periodically while the user is
> logged in (for those that never log out). Require these safeguards to be
> active before they can pass the smallest traffic.

Cost prohibitive.. In order to do that you'll need licenses from the
AV companies..

> The change in traffic flow would necessitate some architecture kung fu,
> maybe even AOL style, but you'd have the option of selectively picking out
> reported malicious/infected users (*cough* ThreatNet *cough*) and routing
> them through packet inspection frameworks on a case by case basis. Quite
> possibly, you could even automate that and the users would never be the
> wiser.

And then the privacy zealots would be livid.. Silently re-routing
traffic like that.. How dare you suggest such a ... wait.. hrm..
The internet basically does this already.. I wonder if the zealots
are aware of that.. :)