Re: what can be done with botnet C&C's? (fwd)

["Dude VanWinkle" <dudevanwinkle () gmail com>]

On 8/14/06, Jonathan Glass (gm) <jonathan.glass () gmail com> wrote:
> Peter Besenbruch wrote:
> > I keep hitting reply, and not posting to the list.
> >
> >
> > -------- Original Message --------
> >
> > Valdis.Kletnieks () vt edu wrote:
> >> On Sun, 13 Aug 2006 08:32:16 EDT, Dude VanWinkle said:
> >>> When I worked at a university, the students were always getting
> >>> compromised till we implemented sandboxing. People DHCP'ing into the
> >>> network were placed in a subnet by themselves till a scan revealed
> >>> that they had:
> >>> 1: up to date AV
> >>> 2: up to date patches
> >>> 3: a Functioning firewall
> >>
> >> OK, I'll bite - if you detect a functioning firewall, how do you scan for
> >> up to date patches and A/V?  Seems like you'd have to have at least a
> >> stub
> >> client on the machine to answer the "What patchlevel you at?" query.
> >
> > I would also like to know how Mac and Linux machines were differentiated
> > from the Windows machines. It can't just be on the basis of user agent
> > strings. Would it be Javascript trickery on logging on to the network?
> > Flash objects, Java, ActiveX? Was it a simple ban on everyone, unless
> > they ran a secured Windows system, and everyone else be damned (as
> > insecure)? Do you just give the users of alternate OSes a fixed IP?
> >
> >> (And this is the sort of thing that is easy to force install in a
> >> corporate
> >> environment where you own the machine.  It's also easy to do if you're a
> >> regular ISP, and you can get away with saying "If you don't like it,
> >> go to
> >> another ISP".  It's a can of worms when you don't own the machine, and
> >> you're
> >> a de facto monopoly because the student lives in the dorms - a Hobson's
> >> choice "install this or don't get net access" doesn't make you many
> >> friends...)
> >
> > Sandboxing suspicious activity might work better. If a student got
> > nailed a few times, the hassle of getting reconnected might force
> > changes in on-line behavior.
> >
>
> As I understand it, the system Mr. VanWinkle mentioned is primarily
> aimed at finding the low-hanging fruit of unpatched/backdoor'd systems
> before letting them on the public (Residential) network.  There is no
> good way of remotely testing for patches if the student has followed the
> recommended best practices and enabled their windows firewall with no
> exceptions allowed.
>
> A component of this system is the concept of a sandbox where a host is
> totally isolated from the rest of campus, and the other hosts in the
> sandbox.  If the system has multiple issues, they get disabled and a
> school employee must visit them and verify the system is clean before
> they can be re-enabled.
>
> This fall, the students will be presented with the option of installing
> a host-based intrusion prevention and managed AV package to complement
> this scanning system.
>
> Other OSs get flagged as such (as well as Nessus + NMAP can determine)
> and the student moves on.  The whole scanning/registering system takes <
> 5 minutes from start to finish (I don't know how long exactly...depends
> on how fast the student can click I guess).


Hey man!

Was anything ever done with passive vulnerability flagging? I seem to
remember that someone was looking into checking to see if the network
traffic generated made by a service would be indicative of their patch
levels but never heard anything after I left :-(

-JP

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/