How to stop malware from spreading in network?

Hello all,

let's say malware bypassed your security software on 1 pc in your home network. How would you go about stopping that malware from spreading to your other computers on your home network?

Would disaing file sharing stop malware from spreading?

 

I thought ComGuards gave an experienced response on network segregation. Simple routers aren't expensive either these days.

 

@ GlobalForce

 

I'll have you know our lad's serious.

 

@ GlobalForce

I'm sure he is

Just found your non links reply interesting

@ wutsup

Disabling file sharing will surely help

 

Malware can't just leap on to other networked computers like stealth ninjas. Maybe with a server process/service, especially a vulnerable one, listening on an open port, then maybe, but otherwise it just doesn't happen.

 

clone, are you com guards on overclock.net?

 

thx for the replies clone, global, and watt

so you can't achieve network segregation with only 1 router correct?( i only have 1 router)

 

Even without a router, if you follow CloneRanger's advice to disable file sharing, you should be okay. Even if you were to enable Windows firewall, no exceptions, you will shield your machine from the others. Your router's LAN-side ports are probably internally hubbed, and the actual firewall functionality exists between the WAN-side interface and the outside world. For instance, I can still see broadcasts from a few other wireless pc's in my household (total of 6 here, 4 are wireless). They are not a threat, but I reject them anyways, so this in itself is enough. The router most likely is only going to completely isolate you from the other machines if you are the only one connected to it, but no worries, just follow CloneRanger's advice, and/or enable Windows firewall, and you'll be fine. There's no need to make things complicated for yourself

 

see http://en.wikipedia.org/wiki/Vlan, overkill on a home network,
I second the post above by wat0114

 

If you want to setup lan segregation I would suggest using DD-WRT, although vlans can be a bit over-kill. Doing this makes life really hard when you want computers to talk to each other. If you're serious about it, then set up a firewall on each machine, and be very strict about incoming ports, but do not forget to narrow down outgoing ports. Outgoing is a little tricker being some applications can use a range of outgoing, but you can monitor the log files to get a feel for the ranges and adjust or just google applications and their respective ports.

Why block outgoing? So the computers that get the virus, do not spread it. Another option is using a non-transparent proxy, so even if you were to get a virus, a low-level virus won't be able to communicate back any stolen information, including your public IP address. I would only suggest a proxy in a work environment, it's a bit of a hassle to use.

And like the earlier poster suggested, disable file sharing if you're not sharing files. Normally you'd only have 1 PC/Server in the house that needs to share files. Simply not having a share doesn't guarantee the services for file sharing have stopped. Easier way is to go to Control Panel > Networking Places, and click "set up a network" continue through file sharing and disable it there, and reboot. Otherwise you can just block the ports with the built in firewall or third party firewall.

 

What is file sharing? How do you turn it off? Is it a service? What happens if you do turn it off? Is 'network neighborhood' the only thing affected? What ports are open/closed? How do ICMP settings effect this? Can you achieve the same thing with ICMP? Is ICMP even something you would manipulate? If file sharing is off (whatever that is), can you still communicate to other compturs on the LAN? If file sharing is off, are there other ports open by default that might pose a risk in a LAN? How can you tell? Can this be done on a per network adapter basis? Is this related to NetBIOS at all?

Sul.

 

Hello wutsup

I'm interested in this too - I wanted to find a way to make sure that friends' machines could connect to my home LAN without in any way communicating with my own connected machines.

I have a Draytek 2820n and happened to notice a VLAN setting in the GUI (I didn't know it was a feature when I bought it!) and have since set this up as per here. AFAIK, by assigning different SSIDs to their own VLANs, I seem to have achieved isolation of various groups of wireless clients - though I really couldn't say whether technically speaking this isolation is 'full'.

I have asked on the Draytek forum regarding just how 'full' the isolation of wireless clients is with my set up, but haven't received any definitive answers - maybe my question was too dumb!

philby

 

Sul, why would you ask those questions when you already know the answers?

Let's put it this way: if nothing is listening as a server on an open port, how would malware get in? It's been proven already in the past by a member - a very knowledgeable one at that - who hasn't posted in several years.

 

Well, the answer being given is pretty vague. Turn off file sharing? What is that exactly? I know, and you know, but the thread has gone this far, wouldn't a simple 'how to do it' sentence finish it nicely

True, mostly. The ports/protocols/services used in the LanManServer service do represent a large amount of LAN surface area. Lets not forget though that XP had more than one service that was better disabled than enabled in a LAN environment. Yes, this translated into ports which were held open. No, I don't have any specifics in mind. But if the answer to how to keep your LAN safe is simply to disable file sharing, at least, for posterity sake, it could also be described how to do so? The lurkers/visitors then would have a starting point

Sul.

 

yea I was serious. And so what if I asked on another forum as well as wilders?

And global, why did you pm me asking if my computer was pre built and if my ISP has changed? You couldve just posted it in one of my threads.

Is you computer pre built? What ISP do you use global? What's your name on overclock.net?

 

For starters, as seen in the attached...

Personally, I wouldn't only disable file sharing and leave it at that, although in reality, all things considered such as patches up to date, it is fine. Enabling Win fw or some other 3rd party supplement is obviously going to bolster the inbound protection considerably. The router is excellent if the one machine is the only one connected to it in the network, but then where does it does that leave the other computers at? probably on a hub by themselves with no hardware fw to shield their Internet connection through the modem.

 

so watt, what you're saying is that if you mutiple computers connected to a router, that only 1 computer will get the benefit of the h/w firewall feature of the router?

 

no, he's thinking of
modem -> hub -> some PCs and a router -> another PC
The last PC will be secured from the others, but the first won't be secured against the internet.

the typical
modem->router->PCs
means all PCs are firewalled against the Internet but not against each other. That's where you use Software firewall and/or VLANs,

 

My thoughts exactly

 

Any services? If you watch tcpview or currports, do you see any ports closing when you disable file sharing in that way?

I haven't messed with this much at all in win7. In XP I messed with such things quite a bit. Perhaps an exploit specialist can test LAN exploits against such things as disabling file sharing, killing the lanmanserver service, the netbios service, the computer browser service, well, there are plenty of other services in vista/7 to check as well. Also modifying the ICMP ports. All of these had different effects on XP. Some made the system more secure at the loss of network usability, others offered decent security while not neutering the network usability.

Sul.

 

I think it's just as it implies, File and printer sharing is disabled. If you look at ports in TCPView, there are some where services are listening, but then look at the remote ports and addresses and you should see in most cases port 0 and computer name as remote address. So how dangerous is that? It's a start, and especially as mentioned if there's nothing exploitable on those local ports listening, it's going to be tough for malware to infiltrate, but I still prefer the added measure of outright blocking with even as simple as Windows fw. I should have emphasized that more, especially being a proponent of them The router is ideal but only as long as one is plugged into the LAN ports. It would be nice to see test results against your scenario by an exploit specialist.

 

I was only trying to offer some ideas he could explore. There are full write ups that offer in depth explanations on port filtering.

File sharing allows windows users to.. share files between computers. They operate off of ports 135-139 UDP and TCP, and port 445 for SMB. Port 445 / SMB is frequently exploited.
http://support.microsoft.com/kb/298804

You can turn off the service, and like a poster above showed, disable the network client that manages the service. If you go to Start > Run > Services.msc, you can click each one and read a description of each. The "Server" service is directly tied to file sharing, stopping it will ensure the service is not actively running. To disable the network client, Start > settings > Control Panel > Network Connections (not places) > right click your LAN Adapter > Properties, and there you will see what the poster has in his screen shot.

By turning off the file and folder sharing, you will be able to browse other's computers that do have it enabled, in return however they will not be able to see yours.

The ICMP protocol is primarily used for ping requests and should continue to work internally. It cane be used more commonly for Denial of Service attacks. There are exploits that take advantage of the ICMP protocol so long as there's a service associated with it to exploit. I would say it's safe to assume the common virus does not use this as a means of transport. TCP/UDP are the most commonly used for communication.

Everybody's computer setup varies vastly, and there is no way for me to tell somebody else what ports they do or do not have open. A fresh install of XP usually has the ports I listed above open. There are games that request you to have open ports (Blizzard updater for instance), so you may want to port scan yourself to see if there are any open ports. You can use a website to scan your public open ports, or use an internal scanner such as nmap (linux) or Zenmap based off of nmap, but for windows.
http://www.nmap.org/zenmap/

Port scanning can be pretty straightforward, but I suggest you read over the guides as the amount of options you're given can be a bit overwhelming when you're just trying to scan your own ports. This product has some bonus features if you want to start scanning ports of others through their firewall, but I would advise against it being most ISPs' TOS forbid it.

NETBIOS is used to resolve DNS names in windows environments. Most current day routers have a DNS service included, voiding the need for NETBIOS. Again viruses do not typically exploit netbios being the attack method varies widely from PC to PC.

DNS names - this is only a name tag for an IP address. In example, most companies assign employees numbers, sometimes you know it sometimes you don't depending on how they want you to clock in for work or retrieve other information. Your employee number is used in HR to separate you from anyone else who may have the same name or same last name etc.. This number can be translated into your name by pulling your record, this is what a DNS server/service does. Google.com is actually 209.85.227.105 for my area. When you go to www.google.com, a DNS server pulls the record for Mr. Google, and gives you back the IP address so your computer can connect. All behind the scenes of course, you'll still see www.google.com. So at your home, instead of remembering the computer IP addresses (which can change if you don't make them static) you remember the DNS name, say Kitchen-PC or Joes-Laptop. Why even bother? This is useful for access file shares on another computer or sharing a printer. Associate it with 1 name, instead of an IP that might change.



Focusing on the services and not the adapter is a better way of guaranteeing you've stopped the open port.

Each PC should have at the least windows firewall enabled (effective since service pack 2), which is a meat and potatoes firewall but you can go in and configure it to block ports. A big problem with it is a lot of applications with elevated privileges (which they all do if you're logged in with an administrative account) can modify the rules and give themselves access. I would suggest something like sygate or zonealarm, there are lots out there to choose from, both have paid/free versions. Paid usually gets you some anti-spyware, which isn't always the best.

I still wouldn't suggest a vlan / lan segregation. However you can achieve this by changing the firmware of your 1 router. Unless you have 1 dedicated server that needs to face the internet to host a website or media, there isn't a need for it. If you plan to create a guest wifi, then a vlan is a great idea to keep it separate. You have options if that's what you want to do, but not turn key.

I'd say most consumer ISPs, give you 1 dynamic IP address, and switching off of the modem will not work. Only 1 PC at a time in that scenario will be able to get online at any time. You would need 2 routers in place, but the problem then is NAT, and you either block all ports on the second level router, or spend a lot of time port forwarding and headaches troubleshooting why certain programs won't work.

Exactly like they suggest, a software firewall is your best bet.


Long reply, so I'm sure it's full of a ton of mistakes :-(

Also, I'm focusing on XP. Windows 7 has a lot more features, and a lot more potential to have more ports open / services running. Again, if you're logged in with an administrator account, there's only so much windows can do to prevent applications from running in an elevated state. Vista / 7 have taken some measures to lower the chances, but I'm sure it's not difficult for a skilled programmer to exploit windows' API, meaning viruses/spyware can maneuver around it.

 

Right, modem wasn't too accurate. These days most ISPs here give out "wlan routers" instead of simple modems, NAT built in. Double NAT isn't really that difficult to set up, I think it's easier than VLAN for a setup like posted above.

Of course in the case I'm describing all PCs will now be firewalled against the internet.

For Windows 7:
open Control Panel\System and Security\Windows Firewall
make sure it's ON, Public and says
"Block all connections to programs that are not on the list of allowed programs".
In the right sidebar click on "allow a program of feature through the FW"
under the "public" column only "Core Networking" should be enabled.
(That's default settings btw if you chose Public initial during setup)

Done

In the case of a network infection you also need to think of MITM attacks, for example a hijacked DNS entry on the router, ARP flooding, wiretrapping...
TSL offers protection against all these threats.

 

Don't be too hard on yourself I just thought I would spur this topic on a bit to include some more specific talk so that viewers who don't know as much might be able to at least see some different ways to turn features on/off, as well as read our different explanations. Each of us comes from a different angle, and translates that into text differently. It is nice for myself when searching answers to find threads with a title like this one that goes beyond "just disable that thing".

Besides, I like to hear others remarks.. never know when you might learn something new.

Sul.