[Dshield] Zombie Prevention : May I Sample Some Opinion?

Nicholas Albright wiretapp at shadowserver.org
Wed Nov 16 00:44:59 GMT 2005

You said you didn't want a book, so I'll summarize and then post the book below it, in case you want to read. 

P2P is evil! Bittorrent has its place, but .torrent files should always be downloaded from the program author's website, never from TorrentSearch or similar. 

Stay away from the word "FREE" unless you've checked the company out with the BBB. Stay away from online porn sites. Use your local adult book store instead. Stay away from online game rooms like "TexasHold'em". Stay out of Yahoo Chat channels, and NEVER click a link from a trusted or untrusted source. 

Turn off unneeded services. Use network tools like netstat regularly. Use a rootkit hunter. Enable "hidden extensions" so you can see files labeled sexygirl.gif.exe or yourpassword.doc.com

I agree with all your statements about browser/antivirus/strong passwords. The only thing I would mention is to use a strong system-based firewall, in addition to the "hardware" one.

Okay, now for the book...and more.:)

Here is what I outline for my friends and family:

Don't get stuck into thinking a "hardware" (router with software) firewall will protect them. System-side firewalls are simply a must too. They will protect internal networks, very true if users have wireless routers or more than one PC. A lot of ratware will travel across the internal network, which means double down time. 

If they do have wireless, enable WEP or WPA with even simple five character ascii passwords. 

Use strong passwords (everywhere!) and be sure you have an administrator password. If the user is willing, set all user accounts as "user" and create a "super user" account to install applications.

Turn off unneeded Windows services as well (ftp, iis, plug-n-pray :), etc)
Along the same lines, if you want to download music, do it the legal way; it will save the user money in the long run. Use iTunes or similar services. 

Run and review syslogd for Windows (a free one is here: http://www.kiwisyslog.com/products.htm)

Run RootKit Revealer (http://www.sysinternals.com/Utilities/RootkitRevealer.html) and

Spybot (http://www.safer-networking.org/en/download)

Ad-aware (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5)

Antivirus (We use BitDefender here, they have a free demand scanner, or you could use AVG for free as well)
AVG: http://free.grisoft.com/freeweb.php
BitDefender: http://www.bitdefender.com/PRODUCT-14-en--BitDefender-8-Free-Edition.html

Everything pasted above is FREE, so be sure to instruct your users what good "FREE" software is. 

Skim or, better yet, READ the EULA; if there is mention of installing third-party software "with or without you knowing" --- take your business elsewhere.

Create startup BIOS passwords, and disable auto-boot from CDs and floppies if someone could be suspected of installing keyloggers. 

Avoid "warez", porn sites, and "free online games" like online poker. (Not that all of these are bad, but better safe than sorry)

Enable "hidden extensions" so you can see files labeled sexygirl.gif.exe or yourpassword.doc.com

Current exploits for Firefox/Mozilla are being patched quicker than Internet Explorer, but very few I know are actually updating. Using an alternative browser is no good unless you update. Also consider taking it one step further and using Opera (Free) (http://www.opera.com); it's less known and emulates IE by default.

Run netstat -a (or netstat -ao for XP users) and verify any ESTABLISHED or LISTENING connections. I do this several times a day, but I play with ratware *CONSTANTLY*; once or twice a week is probably enough for regular users.
Regularly view the contents of the hosts file to be sure there have been no unauthorized additions. 

Finally, create a recovery plan in case the infection happens: on a CDR burn antivirus and anti-spyware tools. Every month or so waste another CD by downloading the newest versions. Advanced users should get LinuxDefender (http://www.bitdefender.com/site/LinuxDefender-Mirrors.html). Not-so-advanced should get ERD Commander (http://www.winternals.com/products/repairandrecovery/erdcommander2002.asp)

Hope someone can build on this!

Oh, by the way, none of this is copyrighted; please reword it, use it how it is, whatever it takes to help. :) 

On Tuesday 15 November 2005 09:22, David Cary Hart wrote:
> Over the past week or so, I have received an increasing number of
> contacts from "average" users regarding zombie prevention. Time for some
> content on our site.
> Some things like up-to-date patching, firewall and a virus scanner with
> CURRENT definitions seem obvious. I'd like to sample some opinion on the
> following and solicit any other ideas that you may have:
>         Even a single home computer might benefit from a reasonably
>         priced home router which enables you to create a simple hardware
>         firewall.
>         Get rid of Internet Explorer. Alternatives such as Firefox or
>         Mozilla are safer.
>         Use strong passwords; at least eight characters including a
>         combination of letters and numbers.
>         Do NOT experiment with running servers of any kind on Windows
>         workstations.
> What's the thinking du jour on p2p, IM, IRC and BitTorrent? Help me out
> here, folks, without creating a thesis, what are some of the basics that
> I am overlooking?

Nicholas Albright
Shadowserver Network Security Administrator
Website: HTTP://www.shadowserver.org
Email: wiretapp at shadowserver.org
-NOTE- This email should be signed digitally -NOTE-
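The two recurring checks in the post above, reviewing netstat output for unexpected LISTENING/ESTABLISHED sockets and auditing the hosts file for unauthorized additions, as an added example that is not part of the original message or of any tool it names. The netstat text and hosts file below are constructed sample data in the column layout `netstat -ao` prints on XP; the expected-port set and the hosts baseline are assumptions a user would record on a clean machine.

```python
"""Added example: turn the post's manual 'run netstat, read the hosts file'
routine into two repeatable checks. Sample data is constructed, not captured."""
from typing import Dict, List, Set, Tuple

# Constructed sample, mimicking the columns of 'netstat -ao' on Windows XP.
# The IRC-style port 6667 listener and its outbound peer are the planted oddity.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.5:1034       203.0.113.7:6667       ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    688
"""

# Assumption: ports this particular box is known to listen on (stock XP with
# file sharing left enabled). Record this once on a clean machine.
EXPECTED_LISTEN_PORTS: Set[int] = {135, 139, 445}


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """Parse netstat -ao rows. UDP rows have no State column, so the field
    count decides where the PID sits; anything else is skipped, not guessed."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or 'Active Connections'
        if fields[0] == "TCP" and len(fields) == 5:
            proto, local, foreign, state, pid = fields
        elif fields[0] == "UDP" and len(fields) == 4:
            proto, local, foreign, pid = fields
            state = ""
        else:
            continue
        records.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": pid})
    return records


def local_port(addr: str) -> int:
    """'0.0.0.0:6667' -> 6667; rsplit also copes with IPv6 like '[::]:445'."""
    return int(addr.rsplit(":", 1)[1])


def review_netstat(text: str, expected: Set[int] = EXPECTED_LISTEN_PORTS):
    """Return (unexpected TCP listeners, established connections) as readable
    'proto local -> foreign (pid N)' strings, the two things the post says to
    eyeball. The PID lets the user match the socket to a process."""
    listeners, established = [], []
    for r in parse_netstat(text):
        desc = f"{r['proto']} {r['local']} -> {r['foreign']} (pid {r['pid']})"
        if r["state"] == "LISTENING" and local_port(r["local"]) not in expected:
            listeners.append(desc)
        elif r["state"] == "ESTABLISHED":
            established.append(desc)
    return listeners, established


# Constructed hosts file: one line that was not there when the baseline was taken.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
127.0.0.1       update.example-av.test   # points an update host at loopback
"""

# Assumption: the (ip, hostname) pairs recorded from the clean install.
BASELINE_HOSTS: Set[Tuple[str, str]] = {("127.0.0.1", "localhost")}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Yield one (ip, hostname) pair per name, ignoring comments and blanks."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def hosts_additions(text: str, baseline: Set[Tuple[str, str]] = BASELINE_HOSTS):
    """Entries present in the file but absent from the recorded baseline."""
    return [pair for pair in parse_hosts(text) if pair not in baseline]


if __name__ == "__main__":
    bad_listeners, established = review_netstat(SAMPLE_NETSTAT)
    print("Unexpected listeners:", *bad_listeners, sep="\n  ")
    print("Established connections:", *established, sep="\n  ")
    print("Hosts file additions:", hosts_additions(SAMPLE_HOSTS))
```

On a real machine the input would be the saved output of `netstat -ao` and the contents of the hosts file rather than the constructed strings; the value of the baseline approach is that the user only has to recognise what is new, not judge every line from scratch.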
