outbreak.ntli.net
Old 12-04-2005, 08:09   #16
BBKing

Quote:
Well first I'd start by identifying whether the OS is capable of hosting the virus
How?

1) Get every customer to keep you updated every time they change computers? You'd need to get down to details of which patch level they had.
2) Port scan every PC on the network (have to ban firewalls first) and try and fingerprint them?
3) Analyse everyone's web traffic and see if you can get it from headers?
4) Employ a team of people to ring up thousands of people a day and ask them?

It's all very well saying this, but I don't think it's actually feasible.

Quote:
At the moment they're just using the system to score points as a "family friendly" ISP that takes its responsibilities seriously bla bla.
This is total poppycock - would you prefer an ISP that didn't take its responsibilities seriously?

It was done partly because we were getting hammered by traffic from worms and viruses, and partly because it became obvious that people don't fix their own PCs. We had to take steps to make them aware of it and how to do it. We could have just banned them, of course, as they were breaking their terms and conditions.

If we wanted to score points as family friendly, surely we'd block porn sites at the proxies and take naughty newsgroups offline, filter all email, etc. Quite what's so bad about trying to stop worms and spam I'm at a loss to understand.

Of course, I'd like to see us encourage Linux use at home by putting out our own distro with remote access tools built in for diagnostics and upgrades, but that's not going to happen, unfortunately.
Old 12-04-2005, 10:07   #17
KraGorn

Tell me something here.

Given most (all?) 'botnets' are controlled by IRC and only a vanishingly small percentage of internet users actually use IRC ... no, I have no stats, but I stand by that assertion .. why don't ISPs simply block IRC until a customer asks for it?

I doubt many calls would be made to get it un-blocked.
Old 12-04-2005, 10:38   #18
Toto

Quote:
Originally Posted by BBKing
How?

1) Get every customer to keep you updated every time they change computers? You'd need to get down to details of which patch level they had.
2) Port scan every PC on the network (have to ban firewalls first) and try and fingerprint them?
3) Analyse everyone's web traffic and see if you can get it from headers?
4) Employ a team of people to ring up thousands of people a day and ask them?

It's all very well saying this, but I don't think it's actually feasible.



This is total poppycock - would you prefer an ISP that didn't take its responsibilities seriously?

It was done partly because we were getting hammered by traffic from worms and viruses, and partly because it became obvious that people don't fix their own PCs. We had to take steps to make them aware of it and how to do it. We could have just banned them, of course, as they were breaking their terms and conditions.

If we wanted to score points as family friendly, surely we'd block porn sites at the proxies and take naughty newsgroups offline, filter all email, etc. Quite what's so bad about trying to stop worms and spam I'm at a loss to understand.

Of course, I'd like to see us encourage Linux use at home by putting out our own distro with remote access tools built in for diagnostics and upgrades, but that's not going to happen, unfortunately.
Excellent post, some straight talking common sense.

Not too sure about the Linux distro thing though, but still, bang on the money.

Old 12-04-2005, 11:40   #19
Rakhal

I can certainly vouch for most botnets being controlled via IRC. I administer an IRC server and I'm always having to kick them off (I hate botnets). However, blocking IRC isn't that simple; there is no one port that it uses (there is a default one though). And you can be sure that the botnet owners will rapidly change port numbers on you. Better to make sure/encourage people to keep their machines clean. After all, being part of a botnet and DDoSing someone may be bad, but having your personal data stolen via a keylogger etc. is worse.

I could wish that IRC admins were a little more proactive about booting botnets off their servers. I often see signs of them on various servers but no-one seems to take action. Admittedly my server is a small one (we focus on creative writing) and so when a channel with 100+ weirdly named people turns up on it, it's a bit obvious.
Old 12-04-2005, 13:13   #20
Stuart

Quote:
Originally Posted by greencreeper
Quote:
Originally Posted by BBKing
I know them well and they're *very* smart - try defining how you'd identify who has a virus or not
Well first I'd start by identifying whether the OS is capable of hosting the virus
Easy to say. Not so easy to do. I can think of one way they can do it remotely. When you access something with a browser, your browser sends a series of headers that include the platform, OS and browser sending the request. You could (theoretically) check for all Windows PCs this way.

I can think of two problems with this.
  • It relies on the application accessing the net actually sending these headers. I am pretty sure that only web browsers do.
  • It is easy to forge/alter these headers. Opera does this so that it can appear to be Internet Explorer. I am pretty sure virus writers would find a way to use these headers to make it appear the machine being checked is running Linux.
Old 12-04-2005, 16:01   #21
BBKing

Quote:
You could (theoretically) check for all Windows PCs this way.
3) It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.

You could force everyone to run an app that walled-gardens them if they've not got all patches installed, but do we really want that?

The surest way is to identify IPs that are sending traffic that looks like it comes from a virus - specific ports, patterns of scanning etc. This can be duplicated by someone on another OS, but it has to be done deliberately and is effectively malicious (if you know how to exploit a vulnerability and program your Linux box to do it, that'll appear indistinguishable from the original infection).
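Added example, not part of the thread and not NTL's actual system: a minimal Python sketch of the behaviour-based detection described in the post above, flagging source IPs by fan-out on specific ports rather than by operating system. The watched ports, window, thresholds and flow-record layout are assumptions chosen for illustration, and the sample flows are constructed.

```python
from collections import defaultdict

# Assumptions for this sketch: which ports to watch, window size, thresholds.
WATCHED_PORTS = {135: "scan", 445: "scan", 25: "bulk-mail"}
WINDOW_SECONDS = 60
MIN_DISTINCT_DESTS = 5
MIN_FAILED_RATIO = 0.8  # a sweep mostly hits addresses that never answer


def suspicious_sources(flows):
    """flows: iterable of (ts, src_ip, dst_ip, dst_port, established).

    Returns {src_ip: sorted list of reasons}. Nothing here inspects the
    sender's OS; only the traffic pattern is judged.
    """
    buckets = defaultdict(list)
    for ts, src, dst, port, established in flows:
        if port in WATCHED_PORTS:
            buckets[(src, port, int(ts) // WINDOW_SECONDS)].append((dst, established))

    flagged = defaultdict(set)
    for (src, port, _window), hits in buckets.items():
        distinct_dests = {dst for dst, _ in hits}
        if len(distinct_dests) < MIN_DISTINCT_DESTS:
            continue  # repeated traffic to a few hosts is normal use
        failed_ratio = sum(1 for _, ok in hits if not ok) / len(hits)
        kind = WATCHED_PORTS[port]
        # Scans need fan-out plus mostly failed connections;
        # bulk mail is flagged on fan-out to many mail servers alone.
        if kind == "bulk-mail" or failed_ratio >= MIN_FAILED_RATIO:
            flagged[src].add(f"{kind}:tcp/{port}")
    return {src: sorted(reasons) for src, reasons in flagged.items()}


# Constructed sample flows (documentation address ranges), all in one window.
SAMPLE_FLOWS = (
    [(i, "10.0.0.5", f"198.51.100.{i}", 445, False) for i in range(1, 9)]   # sweep, no replies
    + [(i, "10.0.0.7", "192.0.2.10", 445, True) for i in range(1, 9)]       # one file server
    + [(i, "10.0.0.9", f"203.0.113.{i}", 25, True) for i in range(1, 7)]    # many mail servers
    + [(i, "10.0.0.11", f"198.51.100.{i}", 80, True) for i in range(1, 9)]  # ordinary browsing
)

if __name__ == "__main__":
    for src, reasons in suspicious_sources(SAMPLE_FLOWS).items():
        print(src, reasons)
```

As the post notes, a host on any OS that deliberately reproduces the same pattern is flagged identically, which is the intended behaviour for this kind of check.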
Old 12-04-2005, 16:23   #22
Stuart

Quote:
Originally Posted by BBKing
Quote:
You could (theoretically) check for all Windows PCs this way.
3) It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.
True, and the only way I can think of (without monitoring ports used and scanning patterns) would be to hack into the machine, and check (in the registry) which patches are installed. Of course, this raises a little issue of privacy, and is illegal.

Quote:
You could force everyone to run an app that walled-gardens them if they've not got all patches installed, but do we really want that?

The surest way is to identify IPs that are sending traffic that looks like it comes from a virus - specific ports, patterns of scanning etc. This can be duplicated by someone on another OS, but it has to be done deliberately and is effectively malicious (if you know how to exploit a vulnerability and program your Linux box to do it, that'll appear indistinguishable from the original infection).

Just imagine the situation... Techy people leaving/avoiding AOL because "you have to run their cr*p software", only to join NTL and find they have to run NTL's cr*p software...

BTW, I'm quite happy with the system NTL have in place. Nice to see an ISP actually try and DO something about unpatched users.
Old 12-04-2005, 17:30   #23
greencreeper

Quote:
Originally Posted by BBKing
It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.
Exactly - so why write the software in the first place if they know it (a) cannot work because there's no way to identify infected PCs; and (b) users can leave the garden by downloading patches - no installation necessary.
Old 12-04-2005, 20:37   #24
Stuart

Quote:
Originally Posted by greencreeper
Quote:
Originally Posted by BBKing
It doesn't determine 100% that a particular machine can host the virus - two Windows PCs returning the same string could have one vulnerable, one not, depending on whether patches have been installed. It doesn't have enough information to make a certain judgement.
Exactly - so why write the software in the first place if they know it (a) cannot work because there's no way to identify infected PCs; and (b) users can leave the garden by downloading patches - no installation necessary.
They may not be able to determine which PCs are patched with 100% efficiency, but they can detect machines acting suspiciously (port scanning, bulk emailing etc). I personally think this is a good thing, and, frankly, don't understand why you don't.