funsec mailing list archives
Re: Quarantine your infected users spreading malware
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Mon, 20 Feb 2006 17:55:16 -0500
On 2/20/06, Gadi Evron <ge () linuxbox org> wrote:
> "You don't approve? Well too bad, we're in this for the species boys and girls. It's simple numbers, they have more and every day I have to make decisions that send hundreds of people, like you, to their deaths." -- Carl Jenkins, Starship Troopers, the movie.
I am not sure if punishing users solely on the fact that they don't know anything is such a good idea. Economic reasons aside, no one has tried to teach them. If the ISP loses money when an end user merely calls... their "end user training" on security is probably limited to their ad campaigns: "FUD, buy our product", and a pamphlet buried in literature the end user will never read. We may want to do a good job at trying that road before cutting off the millions of infected machines (and CC wielding customers), even if just for the day(s) it will take them to read and understand the instructions. These days may drive business owners who have done no wrong out of business.

Providing automated cleaning tools, or sandboxing them to a subnet that has a "good worm" in the wild, may be novel ideas, but won't stop the majority of compromised boxes. As fergie's emailed article showed earlier about spamming: botnet admins will just adjust their tactics to stay under the radar. Not all worms spread via 135-139, lots come from 80 and 443. Unless we provide a web browser that does not allow the installation of software, then manage to get around the fact that end users want to install software sometimes, we will always have botnets.

Also, you have to consider the legislation that ISPs have to follow (at least here in the states). End users have to sign up for any filtering of data. Some may be willing to do so, but many (including myself) would never sign such an agreement.
> There are several such products around and they have been discussed before, but I haven't tried them myself as of yet, so I can't really recommend any of them. Can you?
Patchlink has one, a BSD server that quarantines you to the update site when it detects a patch is missing; you update the machine, and voila! you can browse again.

Dagon: Do you know what resnet is using for their sandboxing? I think it is custom perl scripts, but am unsure.

If you want to check for AV, firewalls, patches, etc., then verify the health of these apps, you have a lot of work ahead of you. Studying the malware already in the wild would be a good place to start, as they have done much of the legwork IMO.
> I'll update on these as I find out more on: http://blogs.securiteam.com
securiteam? never heard of them.... do you have a blog there or something? ;-)

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.