[nsp-sec] [SPAM] RE: 1Million Botnet Ips

Smith, Donald Donald.Smith at qwest.com
Mon Jul 7 18:10:04 EDT 2008



Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Nicholas Ianelli [mailto:ni at cert.org] 
> Sent: Monday, July 07, 2008 3:58 PM
> To: Smith, Donald
> Cc: Yonglin ZHOU; Stephen Gill; nsp-security NSP
> Subject: Re: [nsp-sec] [SPAM] RE: 1Million Botnet Ips
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> Ah, the age old problem: what to do with infected systems.
> 
> Best case scenario - user needs to completely wipe and reinstall their
> OS, then restore their personal data from backup (after attempting to
> verify that those files aren't infected).

That would cost us thousands of customers and millions of dollars.
While I understand enterprises using this approach, it is difficult for
most broadband customers.

> 
> To address your specific question, from a provider standpoint dealing
> with large scale infections from the same malware on your network
> (totally ignoring the liability question) - while this is not a blanket
> statement, the short answer is yes.
> 
> One would need to analyze each piece of malware to determine how it
> installed itself on the end host. In many cases a white/clean executable
> could be written that users could run that would then remove that piece
> of malware from the end system (totally ignoring the liability question).

Instead of writing the white/clean exe we usually depend on commercial
vendors.
We prefer the AV we provide our customers, but in cases where that
doesn't remove it we are willing to recommend other 3rd party tools. We
test the removal process on a live infected system that is quarantined in
our walled garden.


> 
> In some cases, if you have your own sinkhole, one may be able to issue a
> "remove" command to the bot and effectively remove that particular piece
> of malware from the compromised system (without actual analysis of
> the malware, you won't know if there is a routine that unsecures the
> system even further prior to complete removal).
> 
> |> When we provide bot-infected IP lists to ISPs, they ask for
> |> effective clean tools. They said the end users usually do not have
> |> the ability to completely clean the computer by themselves, though they
> |> know it is compromised.
> |
> | I would change this request a bit. Is there a tool that works on this
> | one specific version of this bot? I realize some customers may have
> | multiple infections so I am not asking for something that will clear
> | all possible infections, just this one specific malware;)
> 
> 
> Nick
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (MingW32)
> 
> iD8DBQFIcpF9i10dJIBjZIARCGWzAJkBguL1fs2RI17WV0ySVy3oOWmm5QCgpIRA
> eE/D+tGopFmaVTlHRBjiLjQ=
> =1u2x
> -----END PGP SIGNATURE-----
> 


This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly 
prohibited and may be unlawful.  If you have received this communication 
in error, please immediately notify the sender by reply e-mail and destroy 
all copies of the communication and any attachments.
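The step the thread takes for granted, between receiving a "bot-infected IP list" and putting a customer into the walled garden, is attributing each IP to an account. On a broadband network an address alone proves nothing; the same IP is handed to different customers over a day, so each feed entry has to be matched against the lease (RADIUS/DHCP accounting) that held that address at the reported time, and entries with no timestamp, addresses outside the provider's space, or times that fall in a gap between leases must be rejected rather than guessed. The script below is an added example written for this page; it is not code from the nsp-security thread, from Qwest or from CERT. The feed format (`ip,last_seen_utc,family`), the `Lease` record, the `203.0.113.0/24` prefix and every feed line and lease are constructed sample data.

```python
"""Attribute a bot-infected IP feed to customer accounts via lease records.

Added example for this page; not from the nsp-security thread or any ISP
tooling. The feed layout, lease log and address space are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


def _utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as UTC (helper for the constructed lease log)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Lease:
    ip: str
    account: str
    start: datetime           # lease start, UTC
    end: Optional[datetime]   # None means the lease is still active


# Constructed address space and lease log (assumed shape, not real data).
OUR_PREFIX = ip_network("203.0.113.0/24")
LEASES: List[Lease] = [
    Lease("203.0.113.10", "cust-1001", _utc("2008-07-07 00:00"), _utc("2008-07-07 12:00")),
    Lease("203.0.113.10", "cust-1002", _utc("2008-07-07 12:00"), None),
    Lease("203.0.113.20", "cust-1003", _utc("2008-07-07 20:00"), None),
    Lease("203.0.113.40", "cust-1004", _utc("2008-07-06 22:00"), _utc("2008-07-07 08:00")),
    Lease("203.0.113.40", "cust-1005", _utc("2008-07-07 11:00"), None),
]

# Constructed feed, "ip,last_seen_utc,family". One line lacks a timestamp,
# one is outside our space, one falls in a gap between two leases.
FEED = """\
203.0.113.10,2008-07-07T09:15:00Z,storm
203.0.113.10,2008-07-07T14:30:00Z,storm
203.0.113.20,2008-07-07T23:59:00Z,srizbi
203.0.113.30,,storm
198.51.100.5,2008-07-07T10:00:00Z,storm
203.0.113.40,2008-07-07T10:00:00Z,storm
"""


def parse_feed_time(s: str) -> Optional[datetime]:
    """Accept only an explicit UTC timestamp; a bare IP is not attributable."""
    try:
        return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def lease_at(ip: str, when: datetime, leases: List[Lease]) -> Optional[Lease]:
    """Return the lease holding `ip` at `when` (start inclusive, end exclusive)."""
    for lease in leases:
        if lease.ip != ip:
            continue
        if lease.start <= when and (lease.end is None or when < lease.end):
            return lease
    return None


def attribute(feed: str, leases: List[Lease]) -> Tuple[Dict[str, Set[str]], List[Tuple[str, str]]]:
    """Return (account -> malware families seen, [(rejected line, reason)]).

    Anything that cannot be tied to exactly one lease is rejected, since
    quarantining the wrong customer is worse than missing an infected one.
    """
    attributions: Dict[str, Set[str]] = {}
    rejects: List[Tuple[str, str]] = []
    for line in feed.splitlines():
        parts = [f.strip() for f in line.split(",")]
        if not line.strip() or len(parts) != 3:
            if line.strip():
                rejects.append((line, "malformed line"))
            continue
        ip_s, ts_s, family = parts
        try:
            ip = ip_address(ip_s)
        except ValueError:
            rejects.append((line, "unparseable address"))
            continue
        if ip not in OUR_PREFIX:
            rejects.append((line, "not our address space"))
            continue
        when = parse_feed_time(ts_s)
        if when is None:
            rejects.append((line, "no usable timestamp"))
            continue
        lease = lease_at(str(ip), when, leases)
        if lease is None:
            rejects.append((line, "no lease covers timestamp"))
            continue
        attributions.setdefault(lease.account, set()).add(family)
    return attributions, rejects


def walled_garden_accounts(feed: str = FEED, leases: List[Lease] = LEASES) -> List[str]:
    """Sorted list of accounts to move into the walled garden."""
    attributions, _ = attribute(feed, leases)
    return sorted(attributions)
```

Running `attribute(FEED, LEASES)` attributes the two 203.0.113.10 hits to different customers because the lease changed hands at 12:00, and rejects the remaining three lines with a reason that can be sent back to the feed provider. The half-open lease interval matters at exactly that handover minute: a feed entry timestamped 12:00 goes to the new holder, never to both.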
