By Peter Piazza

Infection Vectors
Laptops may be the primary culprits, because they are often less protected than hardened corporate networks, are typically on broadband connections, and are used in an environment where safe security practices are easily neglected. Other risks arise when patching problems leave vulnerabilities to be exploited.

Laptops. David Kennedy, senior risk analyst for the Cybertrust Corporation, hears of many bot incidents from colleagues who are involved in remediation efforts and directly from the companies whose systems are infected. What he finds is that most of the companies had many of the proper defenses—such as patches and up-to-date antivirus signatures—in place on their networks. That raises the question: How did the bot enter the network?

Kennedy says the most frequent method of infection was from someone who took a notebook home, hooked it up to a cable modem or DSL connection, became infected, and then brought the notebook back to work. Once the employee connected the laptop directly to the corporate network, it bypassed the firewalls and antivirus scans that might have detected and blocked a bot. That allowed the bot to spread via internal networks, despite the outer defenses of the corporation.

Trend Micro’s Hughes agrees that if you attached a laptop to a home network that was inadequately protected and then became infected, as soon as you connected that laptop to the company’s network, it could start spreading an infection if the proper procedures were not in place at the company (more on solutions below).

Perhaps the greatest threat to network security is the so-called “zero-day” attack, in which a worm exploits a previously unknown software flaw before anyone can create a patch. Precisely this scenario occurred in December, when attackers found a new way to exploit a hole in certain graphics files; it took Microsoft more than a week to release a patch.

In the case of Zotob, within two days after Microsoft announced the discovery of a new critical vulnerability and patch, exploits had already appeared that targeted that vulnerability, and two days later, a worm was born. Since exploits come out so quickly, “it’s really important to keep up-to-date with patches for the operating system,” says Hughes.

But with a large system, patching takes time. Sources at Finland-based antivirus company F-Secure, which saw the worm first and called it Zotob, tell the story of how one company, with more than 20,000 workstations and some 1,500 servers, was infected despite its efforts to patch all its machines quickly.

The day after Zotob appeared, the company had already installed the patch that Microsoft had created when it announced the vulnerability, but one critical server could not be rebooted during business hours, and the patch could not take effect until that was done. The reboot was scheduled for after-office hours.

However, by 4:30 p.m., the company saw the first signs of infection, when unusual traffic was noticed by automated sensors on the network. Company administrators later discovered that a laptop connected to the network had carried the infection from the user’s home network. By 9:00 p.m., more than 500 of the company’s computers were infected.

Since mobile users plugging laptops into corporate networks can be a major cause of bot infections, companies need to better protect those machines. In addition, in the event that a laptop does get infected, companies must have ways of preventing that malicious code from spreading from the laptop to the corporate network. Experts say there are several strategies that will help.

Protecting laptops. Companies should make sure that any laptops that are to be connected to the network have properly configured firewalls as well as current antivirus signatures. In addition, mobile users need to be taught the importance of safe-computing measures (such as not opening file attachments in e-mails). By following safe-computing policies, users can cut off the main entry point of bot infections.

Shutting doors. In addition to educating users and strengthening laptop protections, the company must fortify the network internally. Shutting doors to the network is an effective first step toward blocking attacks. For example, many worms take advantage of protocols, the standard rules built into every computer that define how computers exchange data. One example of a protocol is NetBIOS, which allows applications to communicate across computers, Skoudis says.

Not all of these protocols need to be in place, however, meaning that certain kinds of communications need not be allowed between computers. Skoudis notes that many organizations have finally begun to block these oft-unneeded protocols at the perimeter of their networks, and even within the network whenever possible. The more that organizations block unnecessary protocols, the less vulnerable they will be to getting hit by the most common worms—and that will reduce the opportunity for the accompanying bots as well.

A company can only go so far in curtailing the functionality of its network, however. For example, Zotob, like many other worms, spread via port 445, which is used for a file-sharing protocol. Blocking access to this port via a firewall can reduce the risk of infection by many worms. Unfortunately, experts say, that’s not always practical, because keeping port 445 open is sometimes a business necessity.

IPS. Where ports cannot be shut off, intrusion prevention systems can be useful in keeping bots out. LURHQ’s Stewart says that organizations that cannot turn off unneeded protocols because their functionality is important to business operations absolutely need to use IPS on their networks.

“You might not be able to live without Windows networking, for example, and that port is a primary vector,” Stewart says, “so in those cases you’re going to have to deploy things like intrusion prevention devices so that you can still allow the good traffic through and then log any worm attempts.”

IDS. Despite the technologies and tools available to lock down networks, in the arms race against bots and viruses, network administrators are always on the defensive—and even the best measures may not keep out every infection. Therefore, experts say, networks need intrusion detection systems (IDSs) in place to prevent bots and worms from functioning and spreading.

IDSs are extremely effective at detecting bot-related traffic, says Trend Micro’s Hughes. That’s because bot masters typically send a message to their botnets to find another vulnerable host so that they can increase the size of the botnets they command.

“They don’t do this once every minute; it’s usually hundreds every second, so you see a large amount of traffic,” he says, enough to suddenly and completely clog even the fastest Internet connection. With IDS in place, this traffic can be immediately noticed and terminated.
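Detection logic of the kind Hughes describes, as an added example that is not from the article or from any vendor it names: it flags any source that reaches an unusual number of distinct hosts on TCP/445 (the port Zotob spread through) within a single second. The log format, addresses and the 100-targets-per-second threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed connection records "epoch_seconds src dst dport" (not real data):
# 10.0.5.23 plays the infected laptop sweeping a /24 for SMB (TCP/445);
# 10.0.5.41 is an ordinary user opening two file shares.
SAMPLE_LOG = "\n".join(
    [f"1124200000 10.0.5.23 10.0.7.{i} 445" for i in range(1, 151)]
    + ["1124200000 10.0.5.41 10.0.7.9 445",
       "1124200001 10.0.5.41 10.0.7.10 445",
       "1124200001 10.0.5.23 10.0.8.1 445"]
)

SCAN_THRESHOLD = 100   # distinct TCP/445 targets in one second that we call scanning

def parse_line(line):
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)

def find_scanners(log_text, port=445, threshold=SCAN_THRESHOLD):
    """Return {src: (second, distinct_targets)} for each source whose
    number of distinct hosts contacted on `port` within a single second
    reaches `threshold`; the busiest second per source is reported."""
    targets = defaultdict(set)            # (src, second) -> set of dst hosts
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport = parse_line(line)
            if dport == port:
                targets[(src, ts)].add(dst)
    alerts = {}
    for (src, ts), dsts in targets.items():
        n = len(dsts)
        if n >= threshold and n > alerts.get(src, (0, 0))[1]:
            alerts[src] = (ts, n)
    return alerts

if __name__ == "__main__":
    for src, (ts, n) in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {n} distinct TCP/445 targets at t={ts} (worm-like sweep)")
```

A real sensor would feed this from flow or firewall logs and tune the threshold to the site's normal file-sharing activity; the ordinary user in the sample never trips it.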

Outbound access. Bots similarly need to communicate with their masters, so blocking outbound avenues of communication can prevent bots from contacting IRC channels or sending out sensitive information such as passwords. Firewalls can block outbound access from unknown programs or unusual ports, says Hughes.

Skoudis says that putting up this kind of roadblock is common sense, and he suggests an additional method. Computers on an internal network should not be allowed to send packets directly to the Internet, he says, but rather should go through some centralized proxy servers because these are easier to monitor and protect, and create chokepoints for inappropriate traffic as well.

Better patching. Thom Bailey, director of product management with Symantec, says that given the importance of keeping systems patched, many companies are looking for an automated approach—what Bailey calls the “thermostat approach.”

“The problem with that approach is that it misses a very critical piece in any patch-management discipline, and that is testing,” he says. Testing, Bailey says, can take as long as 60 days in a large network.

“We’ve had a lot of customers who have had a bad experience because they’re looking for that thermostat approach” but have done more harm than good when an untested patch damaged a system, he says.

Virtualization. There are no easy answers to this dilemma. But Symantec and other companies are looking at innovative techniques to streamline the process. One of these techniques is virtualization, in which specialized software replicates a network environment. Patches can be tested against this virtual environment without having to worry about crashing the real network, Bailey explains. This means the patch can be tested and rolled out to the network in a much shorter time than before.

Replication. Some well-heeled companies set up identical sets of servers that are synchronized with the working, production-environment servers. These, Bailey says, can be patched so that the systems can be swapped into production at the flip of a switch. However, the obvious costs of such a plan include not only the price of duplicate servers, but also the technology needed to ensure that data on the two sets of servers is replicated in real time and consistently.

Access control. Networks need to segregate “clean” from “dirty” computers; that is, those that are known to be infection-free from those that are coming in from outside and are potentially contaminated. Hughes reiterates that laptops are often implicated here.

“If you were to get infected and then come inside, as soon as you started up your computer, it would start spreading inside your organization,” he says. Vetting computers before they are allowed onto corporate networks can prevent that harmful scenario from occurring.

Many companies have technologies that can do this vetting. “Cisco and other vendors are pushing network access control,” or NAC, says Hughes. “Companies that have that were ahead of the game on this, because a good NAC function will check a system for infections before it allows access to a network.” Microsoft is building a type of NAC called network access protection (NAP) into Vista, the newest release of the Windows operating system, as well as Longhorn, its updated Windows Server software.

These types of solutions validate that any computers that connect to a network meet a set of minimum requirements. “Network access control will make sure machines can’t connect to the network until patch levels are where they’re supposed to be and virus scanning is up to date,” says Stewart.

Symantec’s Bailey says that his company recently acquired Sygate, an acquisition that brought technology for interrogating and quarantining computers that plug into a network. In explaining how this kind of technology works, he gives the example of a sales rep who has been out of the office for a long time, and whose laptop may harbor a worm or bot. When the laptop is plugged in, it is immediately interrogated by a machine on the main network before it is allowed to fully connect, he explains.

“There’s a set security policy which indicates that in order to get onto this production environment, I need to have the following things done. That could be I need to have the latest antivirus definitions, I need to have file and print sharing turned off, I need to have certain parameters in Symantec or the Windows XP firewall enabled here or there, or I need to ensure I have the following software installed for any type of compliance with HIPAA or Sarbanes-Oxley,” he says, referring to regulations that affect the way that healthcare and financial organizations protect data.

If the laptop is found to be out of step with a given security policy, it’s pulled off the network and put into quarantine, and then is provisioned accordingly. Then, the machine is reinterrogated and, if it is fully in compliance, can safely connect to the network.
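The interrogate, quarantine, provision and reinterrogate loop just described, as an added example that is not Sygate's or Symantec's code: a hypothetical admission policy built from the checks Bailey lists (current antivirus definitions, file and print sharing off, host firewall on, required compliance software present) is evaluated against a constructed posture report for the sales rep's laptop. The policy values, field names and the stand-in provisioning function are assumptions.

```python
from dataclasses import dataclass, field

POLICY = {                                      # hypothetical admission policy
    "av_max_age_days": 1,                       # latest antivirus definitions
    "file_print_sharing": False,                # must be turned off
    "host_firewall": True,                      # XP / vendor firewall enabled
    "required_software": {"encryption-agent"},  # e.g. a compliance agent
}

@dataclass
class Posture:                                  # what the interrogation reports
    host: str
    av_age_days: int
    file_print_sharing: bool
    host_firewall: bool
    installed: set = field(default_factory=set)

def evaluate(p, policy=POLICY):
    """Return remediation items; an empty list means the host is compliant."""
    findings = []
    if p.av_age_days > policy["av_max_age_days"]:
        findings.append("update antivirus definitions")
    if p.file_print_sharing != policy["file_print_sharing"]:
        findings.append("disable file and print sharing")
    if p.host_firewall != policy["host_firewall"]:
        findings.append("enable host firewall")
    findings += [f"install {s}" for s in sorted(policy["required_software"] - p.installed)]
    return findings

def admit(p, remediate, policy=POLICY, max_rounds=3):
    """Interrogate; if non-compliant, quarantine, provision, reinterrogate."""
    history = []
    for _ in range(max_rounds):
        findings = evaluate(p, policy)
        history.append(findings)
        if not findings:
            return "admitted", history
        remediate(p, findings)                  # runs while host is quarantined
    return "quarantined", history               # never reached compliance

def apply_fixes(p, findings):
    """Stand-in provisioning: resets the three settings, cannot install software."""
    p.av_age_days, p.file_print_sharing, p.host_firewall = 0, False, True

def demo():
    """Constructed case: a sales rep's laptop back from a long trip."""
    laptop = Posture("salesrep-laptop", av_age_days=45, file_print_sharing=True,
                     host_firewall=False, installed={"encryption-agent"})
    return admit(laptop, apply_fixes)
```

A host whose findings the provisioning step cannot clear (here, missing required software) stays quarantined after the allowed rounds instead of being admitted.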

Asimov’s three rules for robots were meant to ensure that any automated assistants remain in our service, incapable of doing us harm. Today that concern is as much science as fiction.

For us to stay ahead of the bad guys, we need to understand how bots work and what their limitations are. Then we can take steps to ensure that bots are blocked where they are not wanted or needed, and maintain our position as their masters and not their victims.


