ISIS » Viruses

Q&A with ISIS: Dealing with virus-prone users

dan — Fri, 30 May 2008 22:23:17 +0000

Here’s a little quickie someone asked me today. Note it didn’t look like the person asking had the computers on a domain, so I gave only the simple answers.

Q: I have two illiterate users on my network and they click on everything they see. They also insist on installing random software. I can’t give them a guest account because that interferes with certain software they need to use. I would like to give them ‘computer administrator’ accounts (they’re on an XP pro machine) but still make sure they can’t infect the machine with all sorts of malware. Any suggestions? To reiterate, all I want to do is control they software they install, etc. They still need to be able to create files, have access to already installed software, etc.

A: Unfortunately, the best way to handle this situation is to bite the bullet and do exactly what you say you don’t want to: remove them from the Administrators group and put them in a limited account. No other way around it. Getting them out of the Administrators group won’t interrupt their ability to use already installed software or create files in directories they have permission to write to, but it will prevent them from installing [most] software.

I always suggest installing SiteAdvisor. It’s a free browser extension that attempts to warn you when you’re at a bad website. I like it because it passively trains users to recognize bad websites. You can also have them use OpenDNS to block access to certain classes of websites.

Re-imaging nightly is a possibility, but overkill I think. You can do it with Deep Freeze or Norton Ghost.

I know there are better solutions out there, I just didn’t have the time to remember all of them. Anyone care to help this guy out in the comments?

Storm Worm IP List and Country Distribution Statistics

aleksey — Mon, 19 May 2008 21:19:26 +0000

Due to a recent need for creation of fresh blacklist, we have collected and analyzed 16,000+ unique Storm bot IPs over 2 days. Our results confirm some of the findings of this recent paper regarding size of the Storm botnet. It estimates that the Storm botnet’s size is 5,000 – 6,000 unique IPs (lower bound) and 45,000 – 80,000 upper bound.

The majority of infected machines are located in USA, Russia, Mexico, India, Turkey, Brazil and Poland (in that order). The complete list is here. A partial list of top results is below.

United States 1716
Russian Federation 1177
Mexico 869
India 699
Turkey 609

Brazil 453
Poland 427
Viet Nam 366
Korea, Republic of 362
Morocco 330
France 325
Romania 281
Ukraine 235

We have also analyzed the IP distribution per Autonomous System. Most IPs belong to TTnet Autonomous System, Uninet S.A. de C.V., Vietnam Posts and Telecommunications, SBC Internet Services and BHARTI BT INTERNET LTD. A complete list is here and partial top results are shown below.

TTnet Autonomous System 838
Uninet S.A. de C.V. 792
Vietnam Posts and Telecommunications (VNPT) 605
SBC Internet Services 420
BHARTI BT INTERNET LTD. 362
Itissalat Al-MAGHRIB 330
Comcast Cable Communications, Inc. 269
Polish Telecom’s commercial IP network 260
MTU-Intel Moscow region network 255
National Internet Backbone 235
Romania Data Systems S.A. 222

The IPs were collected by running a Storm bot client in a controlled environment. Also, keep in mind that resolving IPs to their AS numbers and countries using publicly available information in an automated way does not always give an answer (hence the “__UNKNOWN__”’s in the complete lists).

Malware MD5: 8d743df03e17526bddba57a3c7c366ca

Interesting Storm Links:
Sudosecure
Storm Spam wiki
Chasing Storm Into 2008 – Trend Labs

Chinese CNO anyone?

dan — Fri, 18 Jan 2008 19:35:38 +0000

While I’ve been sitting at home, sick for the last few days, I’ve been trying to keep my mind at least somewhat sharp by watching some light videos here and there. The usual stuff, some TED, some 30 Rock, and I came across this gem I thought many people on this list might be interested in:

Crouching Powerpoint, Hidden Trojan: An analysis of targeted attacks from 2005 to 2007
Presented by Maarten Van Horenbeeck of the SANS ISC at the 24th Chaos Communication Congress
http://events.ccc.de/congress/2007/Fahrplan/events/2189.en.html

See the links at the bottom for presentation materials including a PDF, video, and analysis of actual targeted exploits. I highly recommend the video, the torrent was extremely fast.

Enjoy

Detecting Botnet Membership

Brad Schonhorst — Sat, 21 Apr 2007 03:03:36 +0000

More and more often we hear about botnets being responsible for a larger piece of Internet crime today. Botnets are complex systems and there are many different approaches to combating the problem. I decided to take a look at some of the more recent techniques to discover bot malware infection from network traffic. I came across two particularly interesting methods of identifying infected machines. One is to look at the most often used command and control technique – IRC channels – and try to determine ‘evil’ channels which provide commands for zombie machines. Another idea is to look for DNS Black List lookups, which may be performed by bots to test that an IP address is not listed before using it to send spam. Attached is a short presentation I gave for the ISIS computer lab.

Botnet Membership Detection within the Network