Security The Internet

Zombie Report By ISP

twitter writes "Information Week has a summary of a report by Prolexic detailing Zombie activity by ISP, country and population statistics. AOL, the largest provider, had the most zombies but lower rates than others. Fourth largest Earthlink was not in the top 20. The information is gathered from hundreds of customer sites." From the article: "Weinstein went on to say that Prolexic's numbers were actually good news for AOL. 'It's a demonstration that the tools we provide are keeping members safe. Our very aggressive actions -- we provide anti-virus, anti-spyware, and firewall services to our users -- make them measurably safer than those on other ISPs.'"
  • Turn turn turn ... (Score:5, Insightful)

    by It doesn't come easy ( 695416 ) * on Thursday June 16, 2005 @10:58AM (#12832309) Journal
    AOL spins the report as good news because they claim a low rate of 0.54% zombie machines per million subscribers...yeah but...

    They are basing that on 21.7 million total subscribers. I wonder what their rate would be if they only counted broadband subscribers?
  • by tigerd ( 890439 ) on Thursday June 16, 2005 @11:01AM (#12832337) Homepage
    I don't really think an ISP is responsible for zombie machines. It's the end users who have the final responsibility. That means your and my grandma...
  • by Anonymous Coward on Thursday June 16, 2005 @11:07AM (#12832392)
    But you will block 21 million legitimate users too. If that is acceptable, I don't really want to have anything to do with your company.
  • A solution (Score:5, Insightful)

    by alvinrod ( 889928 ) on Thursday June 16, 2005 @11:08AM (#12832398)
    No matter how many software or hardware tools an ISP has in place to stop their customers' computers from being turned into zombies, the only real way to combat the problem is to educate the end user more.

    No amount of firewalls, switching to Mac or Linux, or anything else will stop people from having their computers taken over at the end of the day. Stupid users will always find a way to get infected despite the best protection available.

    Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it. Don't want to take the time to learn how to properly use a computer and avoid being just another zombie PC sending me emails about lowering my car payments or free nude pics of celebrities? Then don't use a computer at all.

    If you think this is a little irrational, just remember that the financial damages caused by computer viruses are probably in the billions of dollars every year. Imagine how much trouble could be prevented.

  • Re:Good! (Score:4, Insightful)

    by kiwimate ( 458274 ) on Thursday June 16, 2005 @11:09AM (#12832402) Journal
    No kidding. Comcast.net is ranked #5 in the Top Infected Networks table, and #2 in the Infected US Networks table.

    So, let's summarize. If you live in the Philadelphia area, then you're stuck with the monopoly broadband company, and the commensurate extortionate prices, wretched customer service, frequent service interruptions...and now this.

    I really loathe Comcast. And you just know there's no way they're going to clean up their act. Why would they? Where's the incentive or threat?
  • by It doesn't come easy ( 695416 ) * on Thursday June 16, 2005 @11:10AM (#12832408) Journal
    It's a good question. The truth is AOL isn't a real ISP. They are a proprietary system with access to the internet. Might be splitting hairs here but whatever. In any case, AOL has been trying to create an AOL broadband service. Not sure how successful that has been, but AOL does have partnership arrangements with other broadband providers where you connect to the broadband provider and then straight to AOL's system. I wonder how these kinds of connections were counted? Probably not as an AOL IP address, 'cause the IP address would have been assigned to the broadband provider. Looks like another way to fudge the numbers to me...
  • by Anonymous Coward on Thursday June 16, 2005 @11:11AM (#12832424)
    But you will block 21 million legitimate users too.

    If eBay, playboy.com and espn.com blocked AOL users until AOL got rid of their zombies AOL would make absolute certain that the problem would be solved within 48 hours.

  • by -brazil- ( 111867 ) on Thursday June 16, 2005 @11:12AM (#12832427) Homepage
    Theoretically, yes. But pragmatically, some relatively simple measures taken by an ISP can greatly reduce end user vulnerability, while sufficiently educating all end users about how not to become infected is simply impossible in the face of most people's total lack of concern for the problem.
  • Re:Good! (Score:5, Insightful)

    by Bonker ( 243350 ) on Thursday June 16, 2005 @11:16AM (#12832459)
    I'd be willing to bet that the majority of the 1st world zombies originate on 'White Label' broadband. The aforementioned Comcast, Cox, SWB DSL... things like that. AOL has the most of any ISP, but I bet the conglomerate of the top 5 cable and dsl bandwidth providers easily dwarfs them.

    They're the 'cheap' local providers, not the 'evil' big boys like AOL, so they're what your grandmother will subscribe to when your idiot nephew convinces her she needs an 'Always On' connection to listen to NPR or check her email every five minutes.

    Yeah, this *looks* like it's just the industry's problem, but it's not. It's mine and yours. Every time you or I answer 'Well, I need a computer and a cable modem to check my email, right?' with just a 'yeah sure', we're adding to it.

    Go buy Grandma that $39.99 firewall from Best Buy, configure it for her, and tell her that she doesn't need to worry about it. It's like the extra deadbolt on her front door. It helps keep the bad guys out.
  • by Disoculated ( 534967 ) <robNO@SPAMscylla.org> on Thursday June 16, 2005 @11:17AM (#12832475) Homepage Journal
    Normally, a true "AOL" brand broadband customer will be tunneled through AOL, otherwise its parental controls (part of its selling point) wouldn't work. So they'd show up as being in AOL's network space.

    A person who's running AOL on another ISP's network and using the AOL client as a simple TCP app wouldn't (and shouldn't) be considered an AOL zombie for this study, otherwise the zombie would be counted twice.
  • Stupid AOL (Score:4, Insightful)

    by Andy Dodd ( 701 ) <atd7NO@SPAMcornell.edu> on Thursday June 16, 2005 @11:18AM (#12832482) Homepage
    They had the most zombies but a lower rate than others. They spin this as good.

    But according to the post, Earthlink (the fourth largest provider) wasn't even in the top 20, implying that their zombie percentage is far lower than AOL's.
  • Re:A solution (Score:4, Insightful)

    by 99BottlesOfBeerInMyF ( 813746 ) on Thursday June 16, 2005 @11:22AM (#12832499)

    Operating a computer should be like operating heavy machinery. You need to pass a test that says you're qualified to do it.

    You need to pass a test because lives are at risk, not bandwidth. Realistically there should be some basic instruction, hopefully provided in schools, but at the same time most computers should be much, much, much, much, much harder to remotely take over and turn into a zombie. Windows is the worst of the bunch, but pretty much all OSs could be a lot easier to use securely. I imagine they would be too, except for the fact that since MS gained their monopoly, innovation has slowed to a crawl. I want default sandboxes for new applications, services off by default, and easy built-in standards-compliant encryption and authentication schemes.

    I agree that there will always be really stupid users that will get their machines taken over and agree to the most ridiculous risks to see the little bunny cartoon, but at least make the user click a button that says "Let this program do anything it wants to my computer" right next to the "run it in a sandbox and give it no access to the internet or my files" button.

  • by generic-man ( 33649 ) on Thursday June 16, 2005 @11:25AM (#12832522) Homepage Journal
    The hostile behavior of self-proclaimed net.gods, looking down upon AOL "lusers" from their Linux "boxen," doesn't help matters any.

    If you're upset about end-users ruining your ability to download new packages for your "boxen," then offer to help instead of bitching them out on Slashdot.
  • Re:Good! (Score:2, Insightful)

    by GigsVT ( 208848 ) on Thursday June 16, 2005 @11:25AM (#12832526) Journal
    It doesn't matter which ISP you use, some idiots somewhere will have some personal grudge against it.
  • by ArsenneLupin ( 766289 ) on Thursday June 16, 2005 @11:32AM (#12832572)
    A person who's running AOL on another ISP's network and using the AOL client as a simple TCP app wouldn't (and shouldn't) be considered an AOL zombie for this study, otherwise the zombie would be counted twice.

    ... but he will still be counted as a subscriber, leading to good per-subscriber infection rates. For fairness' sake AOL should really not count these users as subscribers either, nor the dialup users.

  • by bigtallmofo ( 695287 ) on Thursday June 16, 2005 @11:36AM (#12832596)
    "That's three or four times as many attacks per million subscribers," Weinstein argued. "The numbers show that AOL members are significantly less likely to have been compromised by a zombie. This is actually good news for our users."

    Picture that you're a script-kiddie botnet owner looking for more zombie systems. You have a program that someone provided to you that scans netblocks for systems vulnerable to hundreds of various buffer overflow attacks. You get to pick what netblocks the scanner runs on.

    Which would you pick:

    1. AOL dialup netblocks, where the user's average 48 K/bps connection takes an average of 1 minute to scan and provides you with a wimpy 48 K/bps of DDoS power
    2. Comcast Cable Modem netblocks, where the user's average 384 K/bps upstream bandwidth takes an average of 6 seconds to scan and provides you with a beefy 4,000 K/bps downstream DDoS power.

    The numbers quoted above should be accurate enough to get the point. AOL hosts take far longer to compromise and provide far less "bang for the buck". No wonder they're compromised a smaller percentage of time.
  • by Dammital ( 220641 ) on Thursday June 16, 2005 @11:37AM (#12832611)
    "End users just *don't care* [...] a selfish luser attitude"
    I don't think that's fair. The end users, for the most part, have been handed a box that was advertised as an appliance: "Plug it in and you're good to go! Surf the net, download music, play games with your chums, get photos from the grandkids!"

    Except that it wasn't just an appliance, was it? It was a bug ridden piece of manure that was delivered with known defects, to people who by and large don't have the wherewithal to work around those defects.

    This is Microsoft's fault, plainly. Not the poor bastards who were taken in.

  • by Anonymous Coward on Thursday June 16, 2005 @11:40AM (#12832631)
    What you're proposing is kind of like insisting that all pedestrians must have black belts in karate and carry big guns. Otherwise, they might get mugged and use valuable police and hospital resources.

    It's like saying that everyone has to be a CPA, otherwise they could be the victim of fraud and use valuable police and bank resources.

    We have to punish the criminals, not the victims.
  • by Foolomon ( 855512 ) on Thursday June 16, 2005 @11:49AM (#12832701) Homepage
    What you're missing is the whole "economies of scale" concept. If someone is "acquiring" a botnet of 10,000 computers that is quite a lot of bandwidth even if all of them are providing a "wimpy 48 K/bps of DDoS power."

    Remember: most zombies involved in a DDoS attack are simply opening a connection, sending a malformed request then closing the connection. They aren't playing FPS games or downloading porn, so high bandwidth isn't really required. What is required is a vast diversity in IP address so that the firewall and server are overwhelmed trying to process every incoming request.

  • by RealProgrammer ( 723725 ) on Thursday June 16, 2005 @11:50AM (#12832707) Homepage Journal
    >End users just *don't care*.

    Not meaning to sound flippant, but you're giving them too much credit.

    For most people, that their computer might be part of a world-wide network of zombie slaves to an international cybermob is just not within their ability to fathom.

    So no, they don't care, but it's on the level of caring that their Chinese-made desk lamp was made by people who can't read about democracy on MSN. That's not quite it, but the point is it's simply not part of their world.

    People call me to fix their "broken" computers. When I remove the viruses and other crap and explain the problem, they *always* express outrage that someone would do that to innocent little them.

    Until then they don't care because they don't understand. Anyone who does understand feels violated and tries to do something about it.

  • by dekemoose ( 699264 ) on Thursday June 16, 2005 @11:59AM (#12832794)
    Dial-up users are not the typical fare for Zombies, more due to their unpredictable behavior, sometimes they're on the net, sometimes not. However, the ability of a dial-up user to conduct a DoS should not be discounted. I can usually get at least 28.8 on a dial-up, let's call it 14.4 for argument's sake. At that rate you can saturate a T1 with a little over 100 zombies, you can drown out a 10M ethernet feed with a little over 700 zombies, and 3200 zombies will crush a T3. While all the attention is on the destructive power behind broadband users, the majority of users are still on dial-up and they are dangerous too.
  • by theCoder ( 23772 ) on Thursday June 16, 2005 @12:22PM (#12832955) Homepage Journal
    Yes, I think they do. There are a number of benefits, both in direct savings (less bandwidth used, less of their own customers attacked, better Internet image) and in good relations (assuming it's handled correctly). Most people don't know that much about their computers. And if their ISP called up and helped them clean a virus/worm/trojan/other malware off their PC and made it run better, that customer is probably going to have a more positive view of the ISP. Of course, if the ISP blocks them and doesn't help them get back online, they'll probably have a negative view of the incident.

  • by Medievalist ( 16032 ) on Thursday June 16, 2005 @02:15PM (#12834203)
    Sure, it's part of the answer, but if you don't keep your software patched up to date no firewall will help you.

    See, the point of being connected to the internet is to get email and access external resources. If you visit a web site that exploits your buggy browser, your firewall won't help you. If you click on an email that exploits your buggy mail client, your firewall won't help you.

    The primary means of infection for the most prevalent malwares is email. Firewalls don't prevent you from receiving email.

    That being said, you still should have a firewall. But keeping your OS and apps patched is even more important.

    Even patching+firewalling won't save you if you are stupid enough to run binaries from untrusted sources. A virus checker can help out with that, but it won't save you from brand-new virii.
