Quarantine your infected users spreading malware

----- Original Message Follows -----

Many ISP's who do care about issues such as worms,
infected users "spreading the love", etc. simply do not
have the man-power to handle all their infected users'
population.

Some who are user/broadband ISP's (not say, tier-1 and
tier-2's who would be against it: "don't be the
Internet's Firewall") are blocking ports such as 139 and
445 for a long time now, successfully preventing many of
their users from becoming infected. This is also an
excellent first step for responding to relevant outbreaks
and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as
well. Plus, should this even be done?

Oh geez, here we go again... Search the archives and read
until you're content. It's a non-thread. This horse isn't
only dead, it's not even a grease spot on the road any more.

scott

Scott Weeks wrote:

----- Original Message Follows -----
From: Gadi Evron <ge@linuxbox.org>

Many ISP's who do care about issues such as worms,
infected users "spreading the love", etc. simply do not
have the man-power to handle all their infected users'
population.

Some who are user/broadband ISP's (not say, tier-1 and
tier-2's who would be against it: "don't be the
Internet's Firewall") are blocking ports such as 139 and
445 for a long time now, successfully preventing many of
their users from becoming infected. This is also an
excellent first step for responding to relevant outbreaks
and halting their progress.

Philosophy aside, it works. It stops infections. Period.

Back to the philosophy, there are some other solutions as
well. Plus, should this even be done?

Oh geez, here we go again... Search the archives and read
until you're content. It's a non-thread. This horse isn't
only dead, it's not even a grease spot on the road any more.

I quite agree, which is why I trived to cover the philosophical part from both sides. Now, how about some solutions that came about since our last discussion that was nothing BUT philosophy?

And I have a solution for bad drivers; required all manufacturers to fix the
steering wheel so that acknowledged "bad" drivers cannot turn the wheel to
make turns, change lanes, etc. Or perhaps limit the mph to 35 max and deny
them access to freeways.

ISPs should not police users, just like auto manufacturers should not police
drivers. That is what driver's licenses are for.

IMHO, a user should have to demonstrate a minimum amount of expertise and
have a up-to-date AV, anti-spyware and firewall solution for their PCs.
Drivers are required to have licenses, registration and insurance in order
to drive said vehicle, why not something similar for PCs. You would have to
get the whole world to agree on that one, so it may be difficult to
implement. But the US,EU, Japan, Australia should take the lead and
implement something like this.

Ed Ray

ISPs hold the relevent data to contact the users. This needs a feedback loop, in that ISPs need to know which traffic leaving their networks is misbehaviour somewhere else. Between firewall logs, IDS logs, netflow headers, apache logs, whatever. It's all there. It just needs to be used.

- billn

Edward W. Ray wrote:

IMHO, a user should have to demonstrate a minimum amount of expertise and
have a up-to-date AV, anti-spyware and firewall solution for their PCs.

That is why we have hundreds of millions of bots in the wild.

The mostly-user ISP's will have to eventually do something or end up being either regulated, spending more and more and more on tech support and/OR abuse personnel, or written down as blackhat AS's.

Some PRODUCTS, PRO and AGAINST links from people on quarantining of infected users, thanks to all those who shared so far!

Products so far (haven't tried or verified them myself):
http://www.rommon.com/sandbox.html

Other:
Eric Gauthier's Ethernet-oriented quarantine system (from NANOG in 2003): http://www.nanog.org/mtg-0402/gauthier.html

Other choice papers from Jose's blog:
http://www.iab.org/documents/docs/2003-10-18-edge-filters.html

http://www.csl.sri.com/papers/sri-csl-2005-03/
http://www.cs.wfu.edu/~fulp/Papers/iiaw05t.pdf
http://www.icir.org/vern/worm04/porras.pdf
http://www.icir.org/vern/worm04/xiong.pdf
http://www.cs.rpi.edu/research/pdf/05-01.pdf

  Gadi.

Edward W. Ray wrote:
>IMHO, a user should have to demonstrate a minimum amount of expertise and
>have a up-to-date AV, anti-spyware and firewall solution for their PCs.

The mostly-user ISP's will have to eventually do something or end up
being either regulated, spending more and more and more on tech support
and/OR abuse personnel, or written down as blackhat AS's.

  Gadi.

  if i may
<feedtroll>
  
  to borrow a bit more from the "licensed to net" analogy...
  are vendors being let off scott free and leaving the burden of
  responsibility to the consumer? ISPs are the roads (likley toll)
  and they should not be forced to create barriers, speed bumps,
  and control mthods for poor drivers who are sold crap for vechiles.
  wht is the mean-time-to-infection for a stock windows XP system
  when plugged intot he net?... 2-5minutes? you can't get patches
  down that fast.

  i'm begining to think that botnet like structures are in fac t the
  wave of the future. ... and instead of trying to irradicate them, we should
  be looking at ways to use botnet like structures for adding value to
  an increasingly more connected mesh of devices. ...

  of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
  -NOT- inherently evil... they can be turned that way, but if there is a
  value to such things, we ought to be able to use them for our own
  purposes.

</feedtroll>

--bill (who really has better things todo, but slugs are still in bed...)

Hey, Bill.

] wht is the mean-time-to-infection for a stock windows XP system
] when plugged intot he net?... 2-5minutes? you can't get patches
] down that fast.

The same case can be made for Linux and Unix-based web servers with
vulnerable PHP-based tools. There's also a large number of poorly
configured devices such as routers with easily guessed passwords,
overly permissive DNS name servers, etc.

It's not simply a Windows problem.

Thanks,
Rob.

bmanning@vacation.karoshi.com wrote:

Hey Bill,

  i'm begining to think that botnet like structures are in fac t the
  wave of the future. ... and instead of trying to irradicate them, we should be looking at ways to use botnet like structures for adding value to
  an increasingly more connected mesh of devices. ...

I quite agree, you are more than right. Botnets have proven themselves as a very powerful "construct", if that is how we are to call them. You are more than right.

And indeed, bots were not originally bad entities on the Internet, numbering in the hundreds of millions, DDoSing, spamming, stealing Aunty Jame's credit card and your identity. No, they are very useful for numerous reasons, just very few of which are IRC channel operating related.

Combine them with a distributed environment, and you get very powerful computing engines to do quite a bit of tasks. Point them at a problem, and they will address it as one. Create Akamai, and you will even get some redundancy. I am not saying SETI#Home or Akamai are botnets, but these are some good uses for similar technology, at least in concept.

The distinction should be made when one speaks of botnets as we know them today, for good. As breaking into a machine in order to fix it, as an example, is in no way different than breaking into it in order to spy on it, use it or destroy it. You may eventually cause these anyway, as;
- You don't know how a machine will respond.
- You don't know who else may (ab)use your system.
- You can't know if you won't get sued.
- Etc.

This is an on-going ethical and legal debate in botnet fighting circles. If we see a 1 million hosts botnet just waiting to attack, and we can use the back-door to upload an executable and remove the bot, is that OK?

Aside to it being illegal, you possibly causing the remote machine to crash, triggering some IDS/entering into a log/getting sued/whatever, you will most likely discover that machine coming back infected yet again, or already a member of 30 other botnets with other malware.

We should also remember that when talking of botnets for practical uses, they should probably be addressed as a 'concept' rather than structure. Today's structure looks mostly like a terrorism cell as David Dagon likes to mention, but the structure may vary considerably. Today's IRC based C&C's may be the most prevalent and most useful STILL, but in no way constitute the only way C&C's are run and botnets are constructed.

  of course YMMV - but i'm not persuaded that botnet.hivemind constructs are
  -NOT- inherently evil... they can be turned that way, but if there is a
  value to such things, we ought to be able to use them for our own
  purposes.

burrowing from you with another analogy...
<feedtroll>
So is spam. Spam proved itself to be the most efficient way of selling and advertising ever invented. One could say legalizing and regulating it will bring in incredible amount of good taxes for the different governments, as well as then concentrating only on those who creak the law, such as by using botnets, sending kiddie porn, phishing, etc.
</feedtroll>

  Gadi.

it's also not just a 'i got infected over the net' problem... where is
that sean when you need his nifty stats Something about no matter what
you filter grandpa-jones will find a way to click on the nekkid jiffs of
Anna Kournikova again

anyway, someone mentioned the rafts of posts in the archives, it'd be nice
if this was all just referred there

Christopher L. Morrow wrote:

it's also not just a 'i got infected over the net' problem... where is
that sean when you need his nifty stats Something about no matter what
you filter grandpa-jones will find a way to click on the nekkid jiffs of
Anna Kournikova again

anyway, someone mentioned the rafts of posts in the archives, it'd be nice
if this was all just referred there

I quite agree, unless other solutions can be presented, and indeed, 2 new ones have so far.

The philosophical discussion aside (latest one can be found under "zotob port 445 nanog" on Google), presenting some new technologies that shows this *can* be done changes the picture.

I believe it was actually Randy Bush's idea in that last thread, to use such software.

  Gadi.

OK. The tech exists, or can be made to exist. The unanswered question is
still "How do you get a disinterested ISP to be interested in it?"

The horse has been led. Now make him drink the kook-aid.

ISPs should not police users, just like auto manufacturers should not police
drivers. That is what driver's licenses are for.

So the state polices the drivers.. Should the state police the
internet as well? And how would that be implemented? The ISP will
take the brunt of the operational interference anyways as the "police"
have no other way of stopping those drivers.

And when Joe Drivers gets busted and banned, he'll make up a new
identity to use at ISP B.

I tend to agree with Gadi that we, the ISPs, need to do at least some
blocking. I don't see it happening anytime soon though. There's
still way too many ops out there who take something like this as a
challenge to their ablility to operate a network when in fact, it's
the users who are the problem. I'd rather open up everything and
allow a user 100% unfiltered access, but most users don't know what to
do with that and don't take proper precautions.

So, for residential users I think that a reasonable filter should be
applied. Block stuff like Netbios. Implement spoofing filters. Do
whatever you can to "protect" the users without impacting their
ability to use the internet. For commercial users, offer simple
protection, or make sure they know that they will be help responsible
for virus activity sourcing from them. Shut down those ports if they
become active.

I also like the idea of putting infected users in a quarantine. Alert
them via an automated process. Give them access to updates, but
prevent them from infecting others. I think this is a more than
reasonable expectation from end-users. In fact, I'd be more inclined
to use an ISP that has safe-guards like this in place.

It might even be worth it to put together a best practices guide that
lays out the "minimum" requirements for something like this. (It may
even exist.. If so, I'd be interested in reading it if someone would
be kind enough to provide a link)

Ed Ray

Go Go Gadget Flame-Retardent Suit!

Give me (or CAIDA) permission to peak inside your networks and I'm sure
there are lots of nifty stats we could anonymize

The big mystery for me has always been the computers that are infected
BEFORE they are connected to the network for the first time (according
to their owners). Its never repeatable, and never provable, but the
computer owner swears it happened. In any case, the home computer is
owned by the home user, not the ISP or an employer or a media company. If
you make something attractive enough to the user, he will find a way to
get it on his computer no matter how many roadblocks you try to put in
the way.

An ISP blocking one virus or worm doesn't change the end result. Time
after time I've watched, the computers eventually get infected anyway.
Although it may appear to take longer or your NIDS may not pick up the
final signature. Look at Adlex, Motive, Arbor, ISS, Microsoft and other
vendors for ideas I've used over several years and they are now selling.

On the other hand, the number of infected computers never seems to spiral
out of control. I've been wondering, instead of trying to figure out why
some computers get infected, should we be trying to figure out why most
computers don't become infected?

Sean Donelan wrote:

true enough. but "auntie jane" doesn't have linux/unix web server(s)
  or router(s) (other than the one provided by her ISP and managed by them)
  and has zero clue about overly permissive <service> machines.

  me thinks it is a -much- larger pool that gets taken advantage of
  wiht a much higher threshold of ignorance about problems.

--bill

] true enough. but "auntie jane" doesn't have linux/unix web server(s)
] or router(s) (other than the one provided by her ISP and managed by them)
] and has zero clue about overly permissive <service> machines.

Agreed. Instead all of her financial records are on those
unix web/database servers, or transit through those routers,
etc. There's a reason why such devices are popular with
the criminals.

bmanning@vacation.karoshi.com wrote:

] true enough. but "auntie jane" doesn't have linux/unix web server(s)
] or router(s) (other than the one provided by her ISP and managed by them)
] and has zero clue about overly permissive <service> machines.

Agreed. Instead all of her financial records are on those
unix web/database servers, or transit through those routers,
etc. There's a reason why such devices are popular with
the criminals.

  whats the objective? ID theft, fiscal mahem - go for the
  infrastructure stuff (like you say). lowest visable impact
  for very high fiscal return.
  destablize the trust model, perceptions of availability?
  large zombie packs might be your best bet.
  (we're not in it for the money, we want social change!)

Hey, Bill.

The vast majority of what I see is based on financial gain.
Popping a web+database server, installing a rootkit, and
transferring off the day's business transactions is a lot more
certain than popping 10K Windows boxes and hoping the users go
shopping. Yep, seen it more than once. Check your PHP-based
tools, folks.

According to the criminals, Internet-wide mayhem would really
get in the way of the revenue stream. They need a stable
Internet to get the cash.

Cleaning out bank accounts is more lucrative than one might
suspect. The current record observed by us is approximately US
$3M in one take. Most of them are much smaller. That bothers
me more, actually. What person with only US $800 to their name
has a hope of rapid response to the loss of all their cash?

Just to be clear I agree that home users using Windows are at
risk for all sorts of nasty things, and they need help. I also
didn't want folks to believe that it is a problem related to
one OS or demographic. It's a problem of crime, mostly.

Thanks,
Rob.

I've seen more than one estimate that most computers *are* infected by at least
one piece of malware/spyware/etc, (including numbers as high as 90%) and if the
site that was tracking 1M new zombies/day is to be believed, they *are*
spiraling out of control.

And when a significant fraction of all new computers are bought as a virus/worm
control method, things *are* out of control:

http://www.nytimes.com/2005/07/17/technology/17spy.html?ei=5090&en=5b2b6783f66a7422&ex=1279252800&adxnnl=1&partner=rssuserland&emc=rss&adxnnlx=1121859260-edx1SJD7lWy7D6PMipItjw

I suspect that in fact, a *lot* of computers have crud on them, but people's
expectations have dropped - as long as the virus doesn't actually kill the
host, it's tolerated.

If Aunt Matilda is avoiding all this stuff, the most likely reason that Aunt
Matilda doesn't get more crudware on her system is because she wouldn't be
caught dead visiting non-reputable websites that you're likely to get caught in
a drive-by fruiting - and none of her friends would either, so she never gets
her e-mail address scraped and used as a target...

But we already knew that, and there's no good way to leverage it when everybody
who *isn't* an Aunt Matilda *does* visit those kind of sites, or knows people
who do...