Solved

What are the reasons for viruses spreading in a LAN?

Posted on 2004-04-05
8
482 Views
Last Modified: 2013-12-04
Hi all security experts!
I work now in a Microsoft network that contains about 800 PCs (Win2000 and XP) controlled by a DC.

I need to know:

1. Generally, what are the reasons for viruses spreading in a LAN?

2. As technician members we have limited rights in the domain, and we are about 8 persons; how can we control 800 PCs? The person that has administrator rights is the administrator of the network.

We now have the Blaster virus in the network and it reinfects all PCs.
How can we stop its spreading? We have no antivirus or firewall.

3. Does Remote Assistance need administrator rights in the network?
4. Can the administrator make a full scan for viruses on an IP range?

Post references if you can, please.

Thanks
0
Comment
Question by:nader alkahtani
8 Comments
 
LVL 6

Assisted Solution

by:Joseph_Moore
Joseph_Moore earned 200 total points
ID: 10762778
Here are my thoughts on your questions. This will be mostly my opinion, but this is what I do, so I think I have an informed opinion on these topics.
1) Virii spread for lots of reasons, unfortunately. A) Unpatched machines. This is a given. With Windows machines, you MUST stay up-to-date on patches. There is a need to test new patches, and I do feel that you need a couple of machines that get patches the DAY they come out to see if they work or not. But don't do this for all machines. Try the new patches for a few days, and keep an eye on newsgroups/forums (like Bugtraq) and virus sites (like SARC from Symantec) to know of the latest vulnerabilities being released against unpatched machines. Virii have come out 48 hours after a vulnerability has been announced before. Stay up on patches and the forums where vulnerabilities and virii are discussed. When new patches are approved on your test machines (a couple days testing to a week at most is what I do), then roll the patches out to all clients. SUS is an easy way of doing this. Make backups of important machines before patching them, just in case! Be safe when patching, but DO patch.
B) No antivirus software on all nodes; or antivirus software that is NOT updated with the latest definitions; or antivirus software that is installed but is NOT running due to software failure, corruption, it being turned off (I've seen that before!), or a dozen other reasons. People think that since they just HAVE antivirus software they are safe, but when it doesn't run or if the definitions are 2 years old, it does NOT help! Educate users that if they do get a virus OR a antivirus notification (if the antivirus software caught something) to inform someone IMMEDIATELY. The faster you know there might be a bug in the LAN, the better. What also goes with this is notification when something is caught. The antivirus programs can all be configured to alert someone that stuff is going on. Use those alerts. Pay attention to them.
C) Security practices that are not sufficient, like misconfigured firewalls that have open ports that should not be open. Machines that are NOT even firewall protected, that the Internet can access. IDS is a great thing to run that sniffs the traffic and can tell you of a virus moving around the LAN.
D) STUPID E-MAIL PRACTICES!!!!!! Why are users opening file attachments that are .EXE files????? WHAT IS WRONG WITH THEM???!?!?!!!? Come on! If you can't strip out all executable file types before they get to the user mailboxes, then train your users to NOT open the attachments! Sorry, but even I have users who still open e-mailed programs (in ZIP files). Users will do this. And now with many virii sending themselves as ZIP files (a file extension that many places DO allow through), there is an even greater threat. So, I guess this should go in the antivirus section, but I will put it here anyway. Antivirus on all mail servers also, that scans the e-mail before delivery to the user mailboxes. As well as antivirus on the client machines JUST IN CASE. There are so many e-mail virii that have their own mail engines to spread. It's a crazy time we are living in, with e-mail virii!
E) A new one for my company is antivirus scanning on all proxy servers, to avoid a user getting a trojan downloaded onto their machine from a malicious web page. Sure, the user workstation antivirus software should catch it, but why not add another layer of security by having the proxy scan?
F) Users. Users are a big reason why virii spread. I know, we can't get rid of them, so we have to lock down, secure, patch, scan, and protect at basically every other point on the LAN so that whatever stupid thing the users do, we have that area covered.

Ok next question.
2) Your Administrator can delegate authority to your crew of 8 to do many admin-style tasks, using Group Policy. It just depends on how much power your staff needs, as opposed to how much work the Admin wants to do himself/herself. Compile a list of tasks you cannot do, present it to the Admin, and remind the Admin that 800 machines need you to do this, unless the Admin wants to handle all of that. Just bury the Admin in numbers, and you will get more power. That is a lot of machines, IMHO.

For Blaster, start here:
http://www.microsoft.com/security/incident/blast.asp
You need to patch all 800 machines. Even 1 unpatched machine can try and spread Blaster, clog up network bandwidth, and continue the cycle of destruction.

3) You can add in Group Policy what users/groups can respond to Remote Assistance requests. I forget where just now, but I remember seeing it. So, the Admin could add your group of 8 to this GP right.

4) Well, with the right tools, you could do your own scanning even without Administrator-level rights. Some tools (things like Retina from eEye) do need Administrator-level access to be able to scan the Registry of the remote machines, but without Admin rights, it can still tell you a lot. But, that doesn't have to stop you from running a port scan for the MyDoom port 3127 using something like NMAP. If you get a hit on this port, it is probably a MyDoom-infected machine, since that port isn't used for anything in Windows or normal apps. Admin rights make scanning with certain tools a whole lot easier, but there are a lot of tools out there that can give you all kinds of info, and Admin rights are not needed.

Good luck. Hope this helps.
0
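As an added example (not code from any of the answers above), here is a small Python script that parses nmap grepable (-oG) output from a scan the technician team ran over their own subnet and flags hosts showing the MyDoom port 3127 mentioned above, plus 4444/tcp, the command shell Blaster is known to open. The sample scan output is constructed for the example.

```python
"""Flag LAN hosts whose nmap -oG output shows worm indicator ports.
Added example, not from the thread. 3127/tcp is the MyDoom backdoor
named in the answer above; 4444/tcp is the well-known Blaster shell.
Assumes the team ran: nmap -p 135,3127,4444 -oG scan.gnmap 192.168.10.0/24"""

# Indicator ports -> label (3127 from the thread; 4444 is Blaster's shell)
WORM_PORTS = {3127: "MyDoom backdoor", 4444: "Blaster shell"}

# Constructed sample of nmap -oG output for a few LAN hosts (not real data)
SAMPLE_GREPABLE = """\
Host: 192.168.10.21 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///\tIgnored State: closed (998)
Host: 192.168.10.22 ()\tPorts: 135/open/tcp//msrpc///, 4444/open/tcp//krb524///\tIgnored State: closed (998)
Host: 192.168.10.23 ()\tPorts: 3127/open/tcp//ctx-bridge///, 3127/filtered/udp/////\tIgnored State: closed (998)
Host: 192.168.10.24 ()\tStatus: Down
"""


def open_tcp_ports(line):
    """Return the set of open TCP ports from one 'Host:' line of -oG output.
    Each port entry is port/state/proto/owner/service/rpc/version/."""
    if "Ports:" not in line:
        return set()
    ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
    ports = set()
    for entry in ports_field.split(","):
        parts = entry.strip().split("/")
        if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
            ports.add(int(parts[0]))
    return ports


def suspicious_hosts(grepable_output):
    """Map host IP -> list of indicator labels for hosts worth isolating."""
    hits = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        found = [WORM_PORTS[p] for p in sorted(open_tcp_ports(line))
                 if p in WORM_PORTS]
        if found:
            hits[ip] = found
    return hits


if __name__ == "__main__":
    for ip, labels in suspicious_hosts(SAMPLE_GREPABLE).items():
        print(f"{ip}: {', '.join(labels)} -> isolate, patch, and clean")
```

A hit on these ports is a reason to pull the host off the network and patch and clean it, not proof by itself; confirm with the removal tools linked in the thread.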
 
LVL 12

Accepted Solution

by:
trywaredk earned 250 total points
ID: 10763644
*** 1. I agree with Joseph_Moore if your question is about why it is possible for the virus to spread, but maybe your question is why we have all these viruses. Nobody knows; why do we have burglars, hackers, spyware and viruses? Well, maybe someone likes to look at a fire; it's an illness he/she can be cured of, but until then, maybe he/she starts some fires, just to be able to see it, and know - hey - I did this on my own - cheers - cheers, or in my opinion, start to see a doctor. The number of viruses produced by "normal" people expanded after macros in Word could be done in Visual Basic. That gave a lot of users knowledge about how to make a script.


*** 2. I agree with Joseph_Moore - if you are supposed to do something, you must have the network permissions to do it.

*** About Blaster, you have to find out which version of Blaster it is, and apply the solution on all computers on the network:
http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=a&virus=blaster&alt=blaster&key=blaster&payload=&type=&day=&month=&year=&wkday=
But it doesn't help if you don't install a virus scanner on each computer after having stopped it.

Use this free online Trend Housecall scanner to find and clean every known virus/rootkits/backdoors:
http://housecall.trendmicro.com/housecall/start_corp.asp

Some viruses can't be removed by housecall. If so, use the free Trend Micro system cleaner:
http://www.trendmicro.com/download/tsc.asp

If you get an ActiveX error when loading the HouseCall web page:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=4317

If you want to secure your company's workstations in the future, consider purchasing OfficeScan:
http://www.trendmicro.com/en/products/desktop/osce/evaluate/features.htm

If you can afford it, you can get a URL-scanning engine installed on a server, with workstation, server, email and URL-scanning engines, from
http://www.trendmicro.com/en/products/global/enterprise.htm

Virus Information Alliance (VIA)
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/via.asp

Review of the best antivirus solutions:
http://www.cnet.com/software/1,11066,0-806174-1202-0,00.html?tag=dir-av&pn=1&ob=3&qt=&qn=&F2=0&F3=0&sm=0

SoftScan puts an end to virus and spam threats from the Internet
http://www.softscan.dk/english/index.asp

*** About a firewall: ask your domain administrator to install one immediately between the Internet and the local area network of your servers and computers
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html

*** 3. I agree with Joseph_Moore - if you are supposed to do something, you must have the network permissions to do it.

*** 4. The administrator can make a full scan for viruses with the Trend Micro virus suite
http://www.trendmicro.com/en/products/global/enterprise.htm
I'm using it, and haven't had any of my servers or computers infected since we purchased it about 4 years ago.

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10763650
But this is not all; you also have to protect yourself against spyware.

Spybot:
http://security.kolla.de/index.php

Ad-aware Standard Edition is THE award winning, free*, multicomponent adware detection and removal utility:
http://www.lavasoft.de/software/adaware/

SpyFerret detects & removes spyware
http://www.onlinepcfix.com/spyware/spyware.htm

Bazooka Adware and Spyware Scanner v1.13.01
http://www.kephyr.com/spywarescanner/

Automatic check of your browser for parasites, adware and spyware
http://www.doxdesk.com/parasite/
0
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 250 total points
ID: 10763654
Remember to install new hotfixes from Microsoft. It can be done automatically.

About Windows Update (SUS)
http://v4.windowsupdate.microsoft.com/en/about.asp

Download and install Microsoft's automatic update server (also known as SUS)
http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp
0
 
LVL 12

Assisted Solution

by:trywaredk
trywaredk earned 250 total points
ID: 10763657
After you've done all the above, then test your new security settings:

Sygate free scanning of your security: quick, stealth, trojan, TCP, UDP, ICMP
http://scan.sygatetech.com/

One usage of the HACKYOURSELF scan: TCP scan (65534 ports), UDP scan (800+ ports), and NetBIOS scan
http://www.hackerwhacker.com/

Shields UP! quickly checks the SECURITY of YOUR computer's connection to the Internet.
https://grc.com/x/ne.dll?bh0bkyd2

Port scan... Get an instant security analysis now. You don't even need to know your own IP address!
http://www.dslreports.com/scan

To recover an already compromised system, visit the CERT Coordination Center:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 50 total points
ID: 10765790
Patching your systems is how you will keep from being infected; as Joseph pointed out, you'll need the M$ Blaster patch. You mentioned you have XP machines.... XP will kindly store a virus for you in System Restore; this is undesirable, so disable System Restore. Apply the patch linked above, run a standalone virus scanner (McAfee and Norton both offer these), and they can scan your entire LAN, one class C subnet at a time.

If you have an M$ network and no AV.... you are going to get hit with much worse than Blaster... 800 M$ machines and no AV... unheard of... wow.
These can get rid of the virus for you...
http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html
http://vil.nai.com/vil/stinger/
Use a program like GFI network scanner to audit your subnets and see what machines aren't patched; it's best to run it as an administrator.
http://www.gfi.com/lannetscan/

You have to keep up with patches... as stated above. M$ makes it easy to schedule these patches daily... But you do need AV also, because of sooo many M$ machines. Some believe (I know I do) that anti-virus companies have been responsible for certain viri, and I'll even bet M$ has had a hand in a few.
Ever wonder why a virus is launched... but doesn't really do too much? I mean, it spreads like wildfire (like Blaster did) and yet has no real payload... the next iteration does, because someone reverses the code, and then changes what the virus's intentions are. Remember the one that was directed at the White House web site; it used a static IP address... not DNS... so the DDoS was easy to avoid... why code a wimpy virus... why not get greedy, get CC numbers; spammers code viri to procure more email addresses... well, that's the theory anyway.
GL!
-rich
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 10765814
Should have linked these... how to turn off System Restore so that each time you start your PC it won't reinfect itself
http://securityresponse.symantec.com/avcenter/FixBlast.exe
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
0