Quarantine your infected users spreading malware

many isp’s who do care about issues such as worms, infected users “spreading the love”, etc. simply do not have the man-power to handle all their infected users’ population.

it is becoming more and more obvious that the answer may not be at the isp’s doorstep, but the isp’s are indeed a critical part of the solution. what their eventual role in user safety will be i can only guess, but it is clear (to me) that this subject is going to become a lot “hotter” in coming years.

aunty jane (like dr. alan solomon (drsolly) likes to call your average user) is your biggest risk to the internet today, and how to fix the user non of us have a good idea quite yet. especially since it’s not quite one as i put in an heinlein quote below.

some who are user/broadband isp’s (not say, tier-1 and tier-2′s who would be against it: “don’t be the internet’s firewall”) are blocking ports such as 139 and 445 for a long time now, successfully preventing many of their users from becoming infected. this is also an excellent first step for responding to relevant outbreaks and halting their progress.

philosophy aside, it works. it stops infections. period.

back to the philosophy, there are some other solutions as well. plus, should this even be done?

one of them has been around for a while, but just now begins to mature: quarantining your users.

infected users quarantine may sound a bit harsh, but consider; if a user is indeed infected and does “spread the joy” on your network as well as others’, and you could simply firewall him (or her) out of the world (vlan, other solutions which may be far better) letting him (or her) go only to a web page explaining the problem to them, it’s pretty nifty.

as many of us know, handling such users on tech support is not very cost-effective to isp’s, as if a user makes a call the isp already losses money on that user. than again, paying abuse desk personnel just so that they can disconnect your users is losing money too.

which one would you prefer?

jose (nazario) points to many interesting papers on the subject on his blog.

this (as well as port blocking) is more true for organizations other than isp’s, but if they are indeed user/broadband isp’s, i see this as both the effective and the ethical thing to do if the users are notified this might happen when they sign their contracts. then all the “don’t be the internet’s firewall” debate goes away.

i respect the “don’t be the internet’s firewall” issue, not only for the sake of the cause but also because friends such as steven bellovin and others believe in them a lot more strongly than i do. bigger issues such as the safety of the internet exist now. that doesn’t mean user rights are to be ignored, but certainly so shouldn’t ours, especially if these are mostly unaffected?

i believe both are good and necessary solutions, but every organization needs to choose what is best for it, rather than follow some pre-determined blueprint. what’s good for one may be horrible for another.

“you don’t approve? well too bad, we’re in this for the species boys and girls. it’s simple numbers, they have more and every day i have to make decisions that send hundreds of people, like you, to their deaths.” — carl jenkins, starship trooper, the movie.
i don’t think the second part of the quote is quite right (to say the least), but i felt bad leaving it out, it’s heinlein (even if not original) after all… anyone who claims he is a fascist though will have to deal with me. :)
this isn’t only about users, it’s about the bad guys and how they out-number us, too. they have far better cooperation to boot.

there are several such products around and they have been discussed before, but i haven’t tried them myself as of yet, so i can’t really recommend any of them. can you?

i’ll update on these as i find out more here on the blogs: http://blogs.securiteam.com/

this write-up can be found here: http://blogs.securiteam.com/index.php/archives/312

gadi evron,

  • Michael Dillon

    You will never succeed in getting enough ISPs to quarantine users. But if you build a Windows application that imposes a quarantine, uses virus/bot stealth techniques to hide itself, and is remotely triggered by a trusted channel, then you have a chance of getting enough coverage to hurt the botnet operators.

    The application needs to hide itself because the botnet operators will try to remove it. If you have some kind of central registry which knows the end user’s secret key then you can securely trigger the “infection blocker” application. Each trusted researcher will also have a key that allows them to submit IP addresses to the registry for blocking. When enough votes have been receieved for an IP address, the registry triggers the quarantine.

    At this point the quarantine app guides the user through a cleanup process. To support this it would be good to allow access to one website that can be dynamically updated.

    Most people will be happy to install an app that helps prevent them from SPREADING an infection further. This is not the same as antivirus software because it works after the infection and the intelligence is all in the network of trusted researchers.

  • sunshine

    That sounds like a good idea, however, any application that runs locally can be potentially “kicked” aside by the attacker.

  • Jess Kitchen

    It’s interesting to see the kickback from defenders of the end-to-end philosophy.

    Sure, policing at the border may well be too heavy-handed – but why not at least prevent your users from further infecting each other at the broadband aggregation level?

    This happens a lot given that the almost default /16 scanning behaviour in most malware often results in more ‘local’ infections due to adjacent customers falling within a sizeable portion of the wider netblock.

    Implement filters. Make the customers aware. Recommend suitable workarounds for Exchange type users that may legitimately need availability of the usual suspects — job done.

    We junk a lot of this type traffic towards the customers from the network and log attempts inbound from the customer with a threshold on the logging amount.

    It works well for us, and the customer is more often than not very grateful for the heads up.

    Of course when all network services get centralised on port 80 this solution ceases to work but that’s a problem for another day. ;)

  • John Hardin

    (totally OT, but you hit one of my sore spots…)

    {quote from Starship Troopers, the movie}

    > it’s Heinlein after all


    About the only thing that movie can honestly say came from Heinlein are names of some of the characters and the name of the movie itself. It’s a crying shame that Virginia Heinlein couldn’t keep them from associating that wast of film with her husband’s good name…

  • sunshine

    Well, it’s associated and I’ll be damned if I let anyone dissuade me from one of my favorite religious wars. OS wars and Language wars are passe.

    Nice to meet another hard core fan, though!

  • Pingback: Security@spamalertz.com » Blog Archive » Quarantine your infected users spreading malware