[nsp-sec] [SPAM] RE: 1Million Botnet Ips

Smith, Donald Donald.Smith at qwest.com
Tue Jul 8 11:27:16 EDT 2008


I have discussed a similar concept with others here in the past.
While I like the idea there are lots of issues with it.

Here are a few of the areas of concern:
Licensing of software. Some customers run unlicensed software. Software licenses are controlled in a variety of ways.
Access to recovery images is usually controlled by the equipment vendors.
Privacy issues.
Mistakes in recovery will be blamed on the ISP. If a customer loses a valuable file in the recovery process, even if it was their fault, they will blame the ISP and potentially sue the ISP for their loss.
MBR viruses wouldn't be removable without some type of low level formatting.
A large percentage of the infections/malware are downloaded and run by the end users often with the hope of seeing some porn or getting free access to an application. Such end users are likely to be defensive about their infections.

Ultimately I think this could work but a lot of development and risk evaluation would have to take place before a commercial ISP would be willing to try this as a "product" or service for their customers.

Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac 

> -----Original Message-----
> From: Yonglin ZHOU [mailto:yonglin.zhou at gmail.com] 
> Sent: Monday, July 07, 2008 11:05 PM
> To: Smith, Donald
> Cc: Nicholas Ianelli; Stephen Gill; nsp-security NSP
> Subject: Re: [nsp-sec] [SPAM] RE: 1Million Botnet Ips
> 
> Hey all,
> 
> I suddenly got a rough idea, though it does not directly solve the problems:
> 
> Two scenarios:
> 
> 1) When I first got in touch with computers, it was a mid-range computer 
> consisting of a central UNIX host and many terminals. When we 
> finished a program, we delivered it to the host to execute, and 
> when we logged off the terminal was restored as 'new'. 
> 
> 2) And in many Net Cafes, they use a network hard disk and all 
> the computers have no stand-alone hard disk but can boot up 
> through the network. Following the OS, the PC can also load 
> games and other applications. But when the PC is rebooted, it 
> will be clean again.
> 
> Then the idea:
> 
> ISPs provide several distributed and functional HOST 
> machines, working like the UNIX host and the network hard disk. 
> Users' computers are customized so they can initially boot up 
> through the network and load applications remotely. The user data 
> is kept on the local disk. When booted up, the PC could work 
> independently unless it needs to load more applications or 
> communicate with the internet. When shut down, the applications 
> are all cleaned, including the malware processes, and only user 
> data is left.
> 
> Is it worth trying? At least to consider.
> 
> Y.L
> 
> 
> On 7/8/08, Smith, Donald <Donald.Smith at qwest.com> wrote:
> 
> 	Security through obscurity WORKS against some worms and 
> ssh attacks:)
> 	Donald.Smith at qwest.com giac
> 	
> 	> -----Original Message-----
> 	
> 	> From: Nicholas Ianelli [mailto:ni at cert.org]
> 	> Sent: Monday, July 07, 2008 3:58 PM
> 	> To: Smith, Donald
> 	> Cc: Yonglin ZHOU; Stephen Gill; nsp-security NSP
> 	> Subject: Re: [nsp-sec] [SPAM] RE: 1Million Botnet Ips
> 	>
> 	
> 	> -----BEGIN PGP SIGNED MESSAGE-----
> 	> Hash: SHA256
> 	>
> 	> Ah, the age old problem: what to do with infected systems.
> 	>
> 	> Best case scenario - user needs to completely wipe and reinstall their
> 	> OS, then restore their personal data from backup (after attempting to
> 	> verify that those files aren't infected).
> 	
> 	
> 	That would cost us thousands of customers and millions of dollars.
> 	While I understand enterprises using this approach it is difficult for
> 	most broadband customers.
> 	
> 	
> 	>
> 	> To address your specific question, from a provider standpoint dealing
> 	> with large scale infections from the same malware on your network
> 	> (totally ignoring the liability question) - while this is not a blanket
> 	> statement, the short answer is yes.
> 	>
> 	> One would need to analyze each piece of malware to determine how it
> 	> installed itself on the end host. In many cases a white/clean executable
> 	> could be written that users could run that would then remove that piece
> 	> of malware from the end system (totally ignoring the liability question).
> 	
> 	
> 	Instead of writing the white/clean exe we usually depend on commercial
> 	vendors.
> 	We prefer the AV we provide our customers but in cases where that
> 	doesn't remove it we are willing to recommend other 3rd party tools. We
> 	test the removal process on a live infected system that is quarantined in
> 	our walled garden.
> 	
> 	
> 	
> 	>
> 	> In some cases, if you have your own sinkhole, one may be able to issue a
> 	> "remove" command to the bot and effectively remove that particular piece
> 	> of malware from the compromised system (without actual analysis of
> 	> the malware, you won't know if there is a routine that unsecures the
> 	> system even further prior to complete removal).
> 	>
> 	> |> When we provide bot-infected IP list to ISPs, they ask for
> 	> |> effective clean tools. They said the end users usually do not have the
> 	> |> ability to completely clean the computer by themselves, though they
> 	> |> know it is compromised.
> 	> |
> 	> | I would change this request a bit. Is there a tool that works on this
> 	> | one specific version of this bot. I realize some customers may have
> 	> | multiple infections so I am not asking for something that will clear
> 	> | all possible infections just this one specific malware;)
> 	>
> 	>
> 	> Nick
> 	> -----BEGIN PGP SIGNATURE-----
> 	> Version: GnuPG v1.4.6 (MingW32)
> 	>
> 	> iD8DBQFIcpF9i10dJIBjZIARCGWzAJkBguL1fs2RI17WV0ySVy3oOWmm5QCgpIRA
> 	> eE/D+tGopFmaVTlHRBjiLjQ=
> 	> =1u2x
> 	> -----END PGP SIGNATURE-----
> 	>
> 	
> 
> -- 
> -------[CNCERT/CC]-----------------------------------------------
> Zhou, Yonglin              【周勇林】
> CNCERT/CC, P.R.China       【国家计算机网络应急技术处理协调中心】
> Tel: +86 10 82990355  Fax: +86 10 82990399  Web: www.cert.org.cn 
> Finger Print: 9AF3 E830 A350 218D BD2C  2B65 6F60 BEFB 3962 1C64
> -----------------------------------------------[CNCERT/CC]------- 
> 
