There is a method used in my network to fix this kind of situation, called the Spread & Patch system, where some machines controlled by me search the network for common flaws and patch them with Microsoft updates, therefore reducing the number of newbie zombies.

----- Original Message -----
From: "Gadi Evron" <ge@xxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Monday, February 20, 2006 10:40 PM
Subject: [Full-disclosure] Quarantine your infected users spreading malware

> Many ISPs who do care about issues such as worms, infected users
> "spreading the love", etc. simply do not have the man-power to handle
> all their infected users' population.
>
> It is becoming more and more obvious that the answer may not be at the
> ISP's doorstep, but the ISPs are indeed a critical part of the
> solution. What their eventual role in user safety will be I can only
> guess, but it is clear (to me) that this subject is going to become a
> lot "hotter" in coming years.
>
> Aunty Jane (like Dr. Alan Solomon (drsolly) likes to call your average
> user) is your biggest risk to the Internet today, and how to fix the
> user none of us have a good idea quite yet. Especially since it's not
> quite one, as I put in a Heinlein quote below.
>
> Some who are user/broadband ISPs (not, say, tier-1 and tier-2s who
> would be against it: "don't be the Internet's Firewall") have been
> blocking ports such as 139 and 445 for a long time now, successfully
> preventing many of their users from becoming infected. This is also an
> excellent first step for responding to relevant outbreaks and halting
> their progress.
>
> Philosophy aside, it works. It stops infections. Period.
>
> Back to the philosophy, there are some other solutions as well. Plus,
> should this even be done?
>
> One of them has been around for a while, but just now begins to mature:
> Quarantining your users.
>
> Infected user quarantine may sound a bit harsh, but consider: if a user
> is indeed infected and does "spread the joy" on your network as well as
> others', and you could simply firewall him (or her) out of the world
> (VLAN, other solutions which may be far better), letting him (or her) go
> only to a web page explaining the problem to them, it's pretty nifty.
>
> As many of us know, handling such users on tech support is not very
> cost-effective to ISPs, as if a user makes a call the ISP already
> loses money on that user. Then again, paying abuse desk personnel just
> so that they can disconnect your users is losing money too.
>
> Which one would you prefer?
>
> Jose (Nazario) points to many interesting papers on the subject on his
> blog: http://www.wormblog.com/papers/
>
> Is it the ISP's place to do this? Should the ISP do this? Does the ISP
> have a right to do this?
>
> If the ISP is nice enough to do it, and users know the ISP might, why not?
>
> This (as well as port blocking) is more true for organizations other
> than ISPs, but if they are indeed user/broadband ISPs, I see this as
> both the effective and the ethical thing to do if the users are notified
> this might happen when they sign their contracts. Then all the "don't be
> the Internet's firewall" debate goes away.
>
> I respect the "don't be the Internet's firewall" issue, not only for the
> sake of the cause but also because friends such as Steven Bellovin and
> others believe in them a lot more strongly than I do. Bigger issues such
> as the safety of the Internet exist now. That doesn't mean user rights
> are to be ignored, but certainly neither should ours, especially if these
> are mostly unaffected?
>
> I believe both are good and necessary solutions, but every organization
> needs to choose what is best for it, rather than follow some
> pre-determined blueprint. What's good for one may be horrible for another.
>
> "You don't approve? Well too bad, we're in this for the species boys and
> girls. It's simple numbers, they have more and every day I have to make
> decisions that send hundreds of people, like you, to their deaths." --
> Carl Jenkins, Starship Troopers, the movie.
>
> I don't think the second part of the quote is quite right (to say the
> least), but I felt bad leaving it out, it's Heinlein after all... anyone
> who claims he is a fascist though will have to deal with me. :)
>
> This isn't only about users, it's about the bad guys and how they
> outnumber us, too. They have far better cooperation to boot.
>
> There are several such products around and they have been discussed
> before, but I haven't tried them myself as of yet, so I can't really
> recommend any of them. Can you?
>
> I'll update on these as I find out more on: http://blogs.securiteam.com
>
> This write-up can be found here:
> http://blogs.securiteam.com/index.php/archives/312
>
> Gadi.
>
> --
> http://blogs.securiteam.com/
>
> "Out of the box is where I live".
> -- Cara "Starbuck" Thrace, Battlestar Galactica.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
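The two measures discussed in the thread, spotting hosts that fan out on TCP 139/445 and walling them off to a notification page, combined in a small added example (not code from either poster). The flow records, the notice-page address and the resolver address are constructed placeholders from the RFC 5737 documentation ranges, and the fan-out threshold is an assumed value.

```python
"""Worm-propagation triage plus walled-garden quarantine rules.

Added example, not from the original thread. Reads constructed flow
records, flags hosts contacting many distinct targets on TCP 139/445
(the ports the post says ISPs block), and emits per-host iptables
rules that allow only DNS and the ISP's explanation page.
"""
from collections import defaultdict

# Constructed sample flow log: (src_ip, dst_ip, dst_port, proto).
# 10.0.0.5 sweeps a /24 on 445; the other two hosts behave normally.
FLOWS = [("10.0.0.5", "203.0.113.%d" % i, 445, "tcp") for i in range(1, 41)] + [
    ("10.0.0.5", "203.0.113.7", 139, "tcp"),
    ("10.0.0.9", "192.0.2.10", 80, "tcp"),
    ("10.0.0.9", "192.0.2.11", 443, "tcp"),
    ("10.0.0.12", "198.51.100.3", 445, "tcp"),  # one SMB session is not a sweep
]

WORM_PORTS = {139, 445}
FANOUT_THRESHOLD = 20        # assumed: distinct SMB targets before we call it spreading
NOTIFY_PAGE = "192.0.2.80"   # assumed address of the "you are infected" web page
RESOLVER = "192.0.2.53"      # assumed ISP resolver, left reachable so the page loads


def find_spreaders(flows, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: distinct_target_count} for hosts fanning out on 139/445."""
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in WORM_PORTS:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def quarantine_rules(host, notify=NOTIFY_PAGE, resolver=RESOLVER):
    """Walled-garden rules for one host: DNS, HTTP redirected to the notice, drop the rest."""
    return [
        f"iptables -A FORWARD -s {host} -p udp -d {resolver} --dport 53 -j ACCEPT",
        f"iptables -t nat -A PREROUTING -s {host} -p tcp --dport 80 -j DNAT --to-destination {notify}:80",
        f"iptables -A FORWARD -s {host} -d {notify} -p tcp --dport 80 -j ACCEPT",
        f"iptables -A FORWARD -s {host} -j REJECT --reject-with icmp-admin-prohibited",
    ]


if __name__ == "__main__":
    for host, count in find_spreaders(FLOWS).items():
        print(f"# {host}: {count} distinct SMB targets, quarantining")
        print("\n".join(quarantine_rules(host)))
```

The nat rule plus the final REJECT is what turns "firewall him out of the world" into the "web page explaining the problem" the post describes, since any browser request from the quarantined host lands on the notice page instead of timing out.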