The BotNet Came Calling


There is a writeup in today's ISC diary about a botnet found on a corporation's network across 40 sites. I highly recommend reading it.

The question is how you avoid it. The company in question failed to follow good practices by not noticing when their antivirus failed to update. It also sounds like they relied on their computers going to Symantec's LiveUpdate server rather than using an internal system or using VDTM. That sounds like another mistake.
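The two failures called out above (definitions silently going stale, and hosts updating from the vendor's server instead of an internal one) are both visible in an endpoint inventory if someone looks. The following is an added example, not code from the original post: it audits constructed inventory records for stale definitions and for hosts not using the internal update server, and flags sites where most hosts are stale, which points at a broken update path rather than a single bad machine. The field layout, the hostnames, the server names and the three-day threshold are all assumptions.

```python
"""Added example: flag endpoints whose antivirus definitions are stale or that
are not updating from the internal server. The inventory below is constructed
sample data; the field layout, server names and threshold are assumptions."""
from collections import defaultdict
from datetime import date, timedelta

MAX_DEF_AGE = timedelta(days=3)                     # assumed policy: older than this is stale
INTERNAL_UPDATE_SERVER = "av-update.corp.example"   # assumed internal distribution point
AS_OF = date(2004, 9, 24)                           # reference date for the constructed data

# Constructed inventory: (hostname, site, definition date, last update source)
INVENTORY = [
    ("ws-001", "site-01", date(2004, 9, 24), "av-update.corp.example"),
    ("ws-002", "site-01", date(2004, 9, 10), "av-update.corp.example"),
    ("ws-003", "site-01", date(2004, 9, 23), "av-update.corp.example"),
    ("ws-101", "site-07", date(2004, 9, 23), "liveupdate.vendor.example"),
    ("ws-102", "site-07", date(2004, 8, 30), "liveupdate.vendor.example"),
    ("ws-103", "site-07", date(2004, 8, 30), ""),
]


def audit(inventory, today=AS_OF):
    """Return (host, site, reasons) for every host that needs attention."""
    findings = []
    for host, site, def_date, source in inventory:
        reasons = []
        age = today - def_date
        if age > MAX_DEF_AGE:
            reasons.append(f"definitions {age.days} days old")
        if source != INTERNAL_UPDATE_SERVER:
            reasons.append(f"updates from {source or 'unknown'} instead of internal server")
        if reasons:
            findings.append((host, site, reasons))
    return findings


def sites_with_widespread_failure(inventory, today=AS_OF, threshold=0.5):
    """Sites where at least `threshold` of hosts are stale: the update path itself is likely broken."""
    total, stale = defaultdict(int), defaultdict(int)
    for _host, site, def_date, _source in inventory:
        total[site] += 1
        if today - def_date > MAX_DEF_AGE:
            stale[site] += 1
    return sorted(s for s in total if stale[s] / total[s] >= threshold)


if __name__ == "__main__":
    for host, site, reasons in audit(INVENTORY):
        print(f"{site} {host}: {'; '.join(reasons)}")
    print("sites with a broken update path:", sites_with_widespread_failure(INVENTORY))
```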

What else can you do? Monitor for P2P installation (banning it should already be company policy). Prevent users from being admin? That just doesn't fly. Limit outbound activity at the firewall to specifically allowed ports? Great idea, already done it. I suppose an internal IDS/IPS, as well as segmenting internal networks so that not everyone can talk to everyone, would help too. Patching should also help. The article doesn't state how GaoBot spread within the network. It's either a lack of patching or improperly secured file shares (i.e. wide open or weak passwords).

When half the company subverts firewall security by going home with a laptop and hooking it up to an untrusted network, you never know what surprises you are going to find when they bring the computer back in.

About this Entry

This page contains a single entry by Roger published on September 24, 2004 11:08 PM.
