
Re: [Full-disclosure] Quarantine your infected users spreading malware



There is a method used in my network to fix this kind of situation, and it
is called the Spread & Patch system, where some machines controlled by me
search the network for common flaws and patch them with Microsoft updates,
therefore reducing the number of newbie zombies.


----- Original Message -----
From: "Gadi Evron" <ge@xxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Monday, February 20, 2006 10:40 PM
Subject: [Full-disclosure] Quarantine your infected users spreading malware


> Many ISPs who do care about issues such as worms, infected users
> "spreading the love", etc. simply do not have the man-power to handle
> all their infected users' population.
>
> It is becoming more and more obvious that the answer may not be at the
> ISPs' doorstep, but the ISPs are indeed a critical part of the
> solution. What their eventual role in user safety will be I can only
> guess, but it is clear (to me) that this subject is going to become a
> lot "hotter" in coming years.
>
> Aunty Jane (as Dr. Alan Solomon (drsolly) likes to call your average
> user) is your biggest risk to the Internet today, and how to fix the
> user none of us have a good idea quite yet. Especially since it's not
> quite one, as I put in a Heinlein quote below.
>
> Some who are user/broadband ISPs (not, say, tier-1s and tier-2s, who
> would be against it: "don't be the Internet's Firewall") have been blocking
> ports such as 139 and 445 for a long time now, successfully preventing
> many of their users from becoming infected. This is also an excellent
> first step for responding to relevant outbreaks and halting their
> progress.
>
> Philosophy aside, it works. It stops infections. Period.
>
> Back to the philosophy, there are some other solutions as well. Plus,
> should this even be done?
>
> One of them has been around for a while, but just now begins to mature:
> Quarantining your users.
>
> Infected users quarantine may sound a bit harsh, but consider; if a user
> is indeed infected and does "spread the joy" on your network as well as
> others', and you could simply firewall him (or her) out of the world
> (VLAN, other solutions which may be far better) letting him (or her) go
> only to a web page explaining the problem to them, it's pretty nifty.
>
> As many of us know, handling such users on tech support is not very
> cost-effective for ISPs, as if a user makes a call the ISP already
> loses money on that user. Then again, paying abuse desk personnel just
> so that they can disconnect your users is losing money too.
>
> Which one would you prefer?
>
> Jose (Nazario) points to many interesting papers on the subject on his
> blog: http://www.wormblog.com/papers/
>
> Is it the ISP's place to do this? Should the ISP do this? Does the ISP
> have a right to do this?
>
> If the ISP is nice enough to do it, and users know the ISP might, why not?
>
> This (as well as port blocking) is more true for organizations other
> than ISPs, but if they are indeed user/broadband ISPs, I see this as
> both the effective and the ethical thing to do if the users are notified
> this might happen when they sign their contracts. Then all the "don't be
> the Internet's firewall" debate goes away.
>
> I respect the "don't be the Internet's firewall" issue, not only for the
> sake of the cause but also because friends such as Steven Bellovin and
> others believe in it a lot more strongly than I do. Bigger issues such
> as the safety of the Internet exist now. That doesn't mean user rights
> are to be ignored, but certainly neither should ours, especially if these
> are mostly unaffected?
>
> I believe both are good and necessary solutions, but every organization
> needs to choose what is best for it, rather than follow some
> pre-determined blueprint. What's good for one may be horrible for another.
>
> "You don't approve? Well too bad, we're in this for the species boys and
> girls. It's simple numbers, they have more and every day I have to make
> decisions that send hundreds of people, like you, to their deaths." --
> Carl Jenkins, Starship Trooper, the movie.
> I don't think the second part of the quote is quite right (to say the
> least), but I felt bad leaving it out, it's Heinlein after all... anyone
> who claims he is a fascist though will have to deal with me. :)
> This isn't only about users, it's about the bad guys and how they
> out-number us, too. They have far better cooperation to boot.
>
> There are several such products around and they have been discussed
> before, but I haven't tried them myself as of yet, so I can't really
> recommend any of them. Can you?
>
> I'll update on these as I find out more on: http://blogs.securiteam.com
>
> This write-up can be found here:
> http://blogs.securiteam.com/index.php/archives/312
>
> Gadi.
>
> --
> http://blogs.securiteam.com/
>
> "Out of the box is where I live".
> -- Cara "Starbuck" Thrace, Battlestar Galactica.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
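The two mechanisms Gadi's post describes, blocking 139/445 at the access edge and walling an infected subscriber off so that only an explanation page is reachable, as an added worked example that is not part of the post or the reply above. It assumes NetFlow-style (src, dst, dport) records, a scan threshold of 20 distinct targets, and portal/DNS addresses, all constructed here for illustration; it emits iptables-style rules as strings rather than installing them.

```python
"""Toy infected-host detection plus quarantine rule generation.

Added example, not from the original post. Assumptions (not from the page):
  - flow records are (src_ip, dst_ip, dst_port) tuples, as a NetFlow export
    might give after parsing;
  - a host that touches SCAN_THRESHOLD or more distinct targets on the
    worm ports is treated as infected;
  - the ISP runs a notification web server (PORTAL_IP) and a resolver
    (DNS_IP) that quarantined hosts may still reach.
"""
from collections import defaultdict

WORM_PORTS = {139, 445}   # the ports the post says broadband ISPs block
SCAN_THRESHOLD = 20       # distinct targets before a host is called infected (assumed)
PORTAL_IP = "203.0.113.10"   # assumed "you are infected" page (documentation range)
DNS_IP = "203.0.113.53"      # assumed resolver subscribers are allowed to keep

# Constructed sample flows: two worm-like sweeps and one legitimate host.
SAMPLE_FLOWS = (
    [("10.0.0.7", f"192.0.2.{i}", 445) for i in range(1, 26)]         # 25 targets on 445
    + [("10.0.0.9", "10.0.0.20", 445), ("10.0.0.9", "10.0.0.21", 445),
       ("10.0.0.9", "93.184.216.34", 80)]                               # normal file-share + web use
    + [("10.0.0.12", f"198.51.100.{i}", 139) for i in range(1, 31)]    # 30 targets on 139
)


def find_scanners(flows, ports=WORM_PORTS, threshold=SCAN_THRESHOLD):
    """Return sorted source IPs that hit >= threshold distinct targets on `ports`."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in ports:
            targets[src].add(dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)


def port_block_rules(ports=WORM_PORTS):
    """Network-wide drop of the worm ports in both directions (the post's first step)."""
    plist = ",".join(str(p) for p in sorted(ports))
    return [
        f"iptables -A FORWARD -p tcp -m multiport --dports {plist} -j DROP",
        f"iptables -A FORWARD -p udp -m multiport --dports {plist} -j DROP",
    ]


def quarantine_rules(host, portal_ip=PORTAL_IP, dns_ip=DNS_IP):
    """Rules that let `host` reach only DNS and the explanation page.

    Order matters: the accepts must precede the final DROP, so in a real
    deployment these belong at the top of FORWARD (or in a dedicated chain
    jumped to first). Plain HTTP is redirected to the portal with DNAT;
    HTTPS cannot be transparently redirected without certificate errors,
    so it is simply dropped here.
    """
    return [
        f"iptables -t nat -A PREROUTING -s {host} -p tcp --dport 80 "
        f"-j DNAT --to-destination {portal_ip}:80",
        f"iptables -A FORWARD -s {host} -d {dns_ip} -p udp --dport 53 -j ACCEPT",
        f"iptables -A FORWARD -s {host} -d {portal_ip} -p tcp --dport 80 -j ACCEPT",
        f"iptables -A FORWARD -s {host} -j DROP",
    ]


def quarantine_plan(flows, portal_ip=PORTAL_IP, dns_ip=DNS_IP):
    """Map each detected scanner to the rules that would quarantine it."""
    return {h: quarantine_rules(h, portal_ip, dns_ip) for h in find_scanners(flows)}


if __name__ == "__main__":
    print("# network-wide worm-port block")
    print("\n".join(port_block_rules()))
    for host, rules in quarantine_plan(SAMPLE_FLOWS).items():
        print(f"# quarantine {host}")
        print("\n".join(rules))
```

Running the script prints the rule set for the two sweeping hosts only; 10.0.0.9, which talks to a couple of file servers, stays untouched, which is the distinction between "uses port 445" and "sweeps port 445" that a blanket port block cannot make.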