[nsp-sec] [SPAM] RE: 1Million Botnet Ips

Yonglin ZHOU yonglin.zhou at gmail.com
Tue Jul 8 01:04:47 EDT 2008


Hey all,

I suddenly got a rough idea, though it does not directly solve the problems:

Two scenarios:

1) When I first got in touch with computers, it was a mid-range computer consisting of a
central UNIX host and many terminals. When we finished a program, we delivered
it to the host to execute, and when we logged off the terminal was restored as 'new'.


2) And in many Net Cafes, they use a network hard disk and all the computers
have no standalone hard disk but can boot up through the network. Following
the OS, the PC can also load games and other applications. But when the PC is
rebooted, it will be clean again.

Then the Idea:

ISPs provide several distributed and functional HOST machines, working like
the UNIX host and the network hard disk. The user's computer is customized so that it
can initially boot up through the network and load applications remotely. The
user data is kept on the local disk. After boot-up, the PC could work
independently unless it needs to load more applications or communicate with the
internet. On shutdown, the applications are all cleaned, including the
malware processes, and only user data is left.

Is it worth trying? At least worth considering.

Y.L

On 7/8/08, Smith, Donald <Donald.Smith at qwest.com> wrote:
>
> Security through obscurity WORKS against some worms and ssh attacks:)
> Donald.Smith at qwest.com giac
>
> > -----Original Message-----
>
> > From: Nicholas Ianelli [mailto:ni at cert.org]
> > Sent: Monday, July 07, 2008 3:58 PM
> > To: Smith, Donald
> > Cc: Yonglin ZHOU; Stephen Gill; nsp-security NSP
> > Subject: Re: [nsp-sec] [SPAM] RE: 1Million Botnet Ips
> >
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Ah, the age old problem: what to do with infected systems.
> >
> > Best case scenario - user needs to completely wipe and reinstall their
> > OS, then restore their personal data from backup (after attempting to
> > verify that those files aren't infected).
>
>
> That would cost us thousands of customers and millions of dollars.
> While I understand enterprises using this approach it is difficult for
> most broadband customers.
>
>
> >
> > To address your specific question, from a provider standpoint dealing
> > with large scale infections from the same malware on your network
> > (totally ignoring the liability question) - while this is not a blanket
> > statement, the short answer is yes.
> >
> > One would need to analyze each piece of malware to determine how it
> > installed itself on the end host. In many cases a white/clean executable
> > could be written that users could run that would then remove that piece
> > of malware from the end system (totally ignoring the liability question).
>
>
> Instead of writing the white/clean exe we usually depend on commercial
> vendors.
> We prefer the AV we provide our customers but in cases where that
> doesn't remove it we are willing to recommend other 3rd party tools. We
> test the removal process on a live infected system that is quarantined in
> our walled garden.
>
>
>
> >
> > In some cases, if you have your own sinkhole, one may be able to issue a
> > "remove" command to the bot and effectively remove that particular piece
> > of malware from the compromised system (without actual analysis of
> > the malware, you won't know if there is a routine that unsecures the
> > system even further prior to complete removal).
> >
> > |> When we provide bot-infected IP list to ISPs, they ask for
> > |> effective clean tools. They said the end user usually have not
> > |> ability to completely clean the computer by themselves though they
> > |> know it is compromised.
> > |
> > | I would change this request a bit. Is there a tool that works on this
> > | one specific version of this bot. I realize some customers may have
> > | multiple infections so I am not asking for something that will clear
> > | all possible infections just this one specific malware;)
> >
> >
> > Nick
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.6 (MingW32)
> >
> > iD8DBQFIcpF9i10dJIBjZIARCGWzAJkBguL1fs2RI17WV0ySVy3oOWmm5QCgpIRA
> > eE/D+tGopFmaVTlHRBjiLjQ=
> > =1u2x
> > -----END PGP SIGNATURE-----
> >



-- 
-------[CNCERT/CC]-----------------------------------------------
Zhou, Yonglin              【周勇林】
CNCERT/CC, P.R.China       【国家计算机网络应急技术处理协调中心】
Tel: +86 10 82990355  Fax: +86 10 82990399  Web: www.cert.org.cn
Finger Print: 9AF3 E830 A350 218D BD2C  2B65 6F60 BEFB 3962 1C64
-----------------------------------------------[CNCERT/CC]-------
