Re: [Full-disclosure] Quarantine your infected users spreading malware

[Dana Hudes <dhudes () hudes org>]

Even done in the most well-meaning manner this is still computer trespass 
unless it is permitted by the subscriber agreement for an ISP and done by 
that ISPs staff. 

I am all in favor of reducing newbie zombies. the only way I can see to do 
so is to get the user to consent to the upgrade. Microsoft has some role 
in this by making automatic updates enabled by default.
Blacklisting such infected machines until they are cleaned up is one 
approach but if they are using dynamically assigned address they disappear 
and reappear on another address. Meanwhile a legitimate user on another, 
clean and secured, machine connects and gets that banned IP address.

clearly the ISP knows who is infected and who is not. Notifying those 
people is a real problem given the amount of phishing and viruses claiming 
to be a notice from your ISP (and rather stupidly not trying to figure out 
who your ISP really is). The model for notification is that used by credit 
card companies. They call you up and tell you to call customer service 
about some charges. this assures you are in fact talking to whom you 
think and they of course identify you.


On Wed, 27 Jul 2005, 499nag wrote:

> There is a method used in my network to fix this kind of situations and this
> is called the Spread & Patch system were some machines controlled by me
> searches the network for common flaws and patch them with microsoft updates
> therefore reducing the number of newbie zombies.
>
>
> ----- Original Message -----
> From: "Gadi Evron" <ge () linuxbox org>
> To: <bugtraq () securityfocus com>; <full-disclosure () lists grok org uk>
> Sent: Monday, February 20, 2006 10:40 PM
> Subject: [Full-disclosure] Quarantine your infected users spreading malware
>
>
> > Many ISP's who do care about issues such as worms, infected users
> > "spreading the love", etc. simply do not have the man-power to handle
> > all their infected users' population
> >
> > It is becoming more and more obvious that the answer may not be at the
> > ISP's doorstep, but the ISP's are indeed a critical part of the
> > solution. What their eventual role in user safety will be I can only
> > guess, but it is clear (to me) that this subject is going to become a
> > lot "hotter" in coming years.
> >
> > Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average
> > user) is your biggest risk to the Internet today, and how to fix the
> > user non of us have a good idea quite yet. Especially since it's not
> > quite one as I put in an Heinlein quote below.
> >
> > Some who are user/broadband ISP's (not say, tier-1 and tier-2's who
> > would be against it: "don't be the Internet's Firewall") are blocking
> > ports such as 139 and 445 for a long time now, successfully preventing
> > many of their users from becoming infected. This is also an excellent
> > first step for responding to relevant outbreaks and halting their
> progress.
> > Philosophy aside, it works. It stops infections. Period.
> >
> > Back to the philosophy, there are some other solutions as well. Plus,
> > should this even be done?
> >
> > One of them has been around for a while, but just now begins to mature:
> > Quarantining your users.
> >
> > Infected users quarantine may sound a bit harsh, but consider; if a user
> > is indeed infected and does "spread the joy" on your network as well as
> > others', and you could simply firewall him (or her) out of the world
> > (VLAN, other solutions which may be far better) letting him (or her) go
> > only to a web page explaining the problem to them, it's pretty nifty.
> >
> > As many of us know, handling such users on tech support is not very
> > cost-effective to ISP's, as if a user makes a call the ISP already
> > losses money on that user. Than again, paying abuse desk personnel just
> > so that they can disconnect your users is losing money too.
> >
> > Which one would you prefer?
> >
> > Jose (Nazario) points to many interesting papers on the subject on his
> > blog: http://www.wormblog.com/papers/
> >
> > Is it the ISP's place to do this? Should the ISP do this? Does the ISP
> > have a right to do this?
> >
> > If the ISP is nice enough to do it, and users know the ISP might. Why not?
> >
> > This (as well as port blocking) is more true for organizations other
> > than ISP's, but if they are indeed user/broadband ISP's, I see this as
> > both the effective and the ethical thing to do if the users are notified
> > this might happen when they sign their contracts. Then all the "don't be
> > the Internet's firewall" debate goes away.
> >
> > I respect the "don't be the Internet's firewall issue", not only for the
> > sake of the cause but also because friends such as Steven Bellovin and
> > other believe in them a lot more strongly than I do. Bigger issues such
> > as the safety of the Internet exist now. That doesn't mean user rights
> > are to be ignored, but certainly so shouldn't ours, especially if these
> > are mostly unaffected?
> >
> > I believe both are good and necessary solutions, but every organization
> > needs to choose what is best for it, rather than follow some
> > pre-determined blueprint. What's good for one may be horrible for another.
> >
> > "You don't approve? Well too bad, we're in this for the species boys and
> > girls. It's simple numbers, they have more and every day I have to make
> > decisions that send hundreds of people, like you, to their deaths." --
> > Carl Jenkins, Starship Trooper, the movie.
> > I don't think the second part of the quote is quite right (to say the
> > least), but I felt bad leaving it out, it's Heinlein after all... anyone
> > who claims he is a fascist though will have to deal with me. :)
> > This isn't only about users, it's about the bad guys and how they
> > out-number us, too. They have far better cooperation to boot.
> >
> > There are several such products around and they have been discussed
> > before, but I haven't tried them myself as of yet, so I can't really
> > recommend any of them. Can you?
> >
> > I'll update on these as I find out more on: http://blogs.securiteam.com
> >
> > This write-up can be found here:
> > http://blogs.securiteam.com/index.php/archives/312
> >
> > Gadi.
> >
> > --
> > http://blogs.securiteam.com/
> >
> > "Out of the box is where I live".
> > -- Cara "Starbuck" Thrace, Battlestar Galactica.
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/