funsec mailing list archives

Re: Quarantine your infected users spreading malware


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 20 Feb 2006 17:55:16 -0500

On 2/20/06, Gadi Evron <ge () linuxbox org> wrote:
"You don't approve? Well too bad, we're in this for the species boys and
girls. It's simple numbers, they have more and every day I have to make
decisions that send hundreds of people, like you, to their deaths." --
Carl Jenkins, Starship Troopers, the movie.

I am not sure if punishing users solely on the fact that they don't
know anything is such a good idea. Economic reasons aside, no one has
tried to teach them. If the ISP loses money when an end user merely
calls, ... their "end user training" on security is probably limited
to their ad campaigns: "FUD, buy our product", and a pamphlet buried
in literature the end user will never read.

We may want to do a good job at trying that road before cutting off
the millions of infected machines (and CC wielding customers) even if
just for the day(s) it will take them to read and understand the
instructions. These days may drive business owners who have done no
wrong, out of business.

Providing automated cleaning tools, or sandboxing them to a subnet
that has a "good worm" in the wild may be novel ideas, but won't stop
the majority of compromised boxes. As fergie's emailed article showed
earlier about spamming: botnet admins will just adjust their tactics
to stay under the radar. Not all worms spread via 135-139, lots come
from 80 and 443. Unless we provide a web browser that does not allow
the installation of software, then manage to get around the fact that
end users want to install software sometimes, we will always have
botnets.

Also, you have to consider the legislation that ISPs have to follow
(at least here in the states). End users have to sign up for any
filtering of data. Some may be willing to do so, but many (including
myself) would never sign such an agreement.

There are several such products around and they have been discussed
before, but I haven't tried them myself as of yet, so I can't really
recommend any of them. Can you?

PatchLink has one, a BSD server that quarantines you to the update site
when it detects a patch is missing, you update the machine, and voila!
you can browse again.

Dagon: Do you know what resnet is using for their sandboxing? I think
it is custom perl scripts, but am unsure.

If you want to check for AV, firewalls, patches, etc., then verify the
health of these apps, you have a lot of work ahead of you. Studying
the malware already in the wild would be a good place to start, as
they have done much of the legwork IMO.

I'll update on these as I find out more on: http://blogs.securiteam.com

securiteam? never heard of them.... do you have a blog there or something? ;-)

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

