
Comcast's War On Infected PCs (Or All Customers)

Posted by timothy
from the could-go-badly dept.
thadmiller writes "Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet." Update: Jason Livingood of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.
  • by Dunkz (901542) on Thursday October 08, 2009 @04:24PM (#29685365)

    As long as they don't act upon this information I don't see any issue with it. I bet most run-of-the-mill users don't know they have the infection and could act upon it if they knew.

    Sounds like a win-win for both Comcast and their customers if it's informational only.

    • by Krneki (1192201)
      Agree, if they do it properly it could be a useful service.
      • Re: (Score:2, Insightful)

        by lgw (121541)

        > Agree, if they do it properly it could be a useful service.

        Except this is Comcast we're talking about. They'll probably throttle and not notify.

        • by Ken D (100098)

          Yep. Comcast does few things correctly.

          From blocking as "possible spam" me@comcast.net from sending a nearly empty email containing just one URL to me@work.com where I want to use it. WTF?

          To this week's episode where Comcast webmail was totally foobar/frozen after half loading, until I purged every one of the dozen or more comcast related cookies from my browser. They apparently trust the data the client gives them too much, and expect all these cookies to have consistent state.

          • Re: (Score:3, Insightful)

            by fafaforza (248976)

            Who uses their ISP's email service these days?

            • Re: (Score:3, Interesting)

              by Andy Dodd (701)

              This is why I eventually decided it wouldn't be detrimental to me at all to outright block outgoing SMTP at my router - I exclusively use gmail for my email now.

              Unfortunately, precedent says they will act on this by blocking all access if a compromise is detected - Time Warner has a "two strikes and you're out" deal - The first time ANY sort of complaint comes in, you get a temp-block that can be lifted by clicking a URL. Second report, even if it's 1.5 months later, will result in service shutoff until yo

    • by david_thornley (598059) on Thursday October 08, 2009 @04:32PM (#29685507)

      I like the idea a lot, but I don't know that there will be enough information for everybody.

      When my ISP notified me of problems, it took a while to get enough information to figure out what was going on. As it turned out, it wasn't on a Windows box, and it wasn't a virus per se, but rather an inadequate password on an unsecured port. A message like "YOU HAZ BEEN PWNED!!!! HAHA!!" wouldn't have been enough for me to go on.

      Still, the ISP is in an excellent position to watch accounts for bot-like activity, and is likely to be the first one to know.

      My guess would be that those Comcast customers who insist they don't need anti-virus and do know how to surf the Web safely are going to get unexpected notices.

      • by Bakkster (1529253) <.moc.liamg. .ta. .nam.retskkaB.> on Thursday October 08, 2009 @05:16PM (#29686103)

        > My guess would be that those Comcast customers who insist they don't need anti-virus and do know how to surf the Web safely are going to get unexpected notices.

        My guess is that those same users will think that the ISP is obviously wrong, and will continue along their merry way, spamming the world.

        Alternatively, they will attempt to fix it by clicking that little banner ad for 'free antivirus' that popped up and told them the same thing...

    • by CopaceticOpus (965603) on Thursday October 08, 2009 @04:38PM (#29685611)

      I agree, and I think it is surprising it has taken this long to launch this service. This is a chance for Comcast to save money on bandwidth, improve their quality of service, and do something good for their users and for the Internet at large. They can do the right thing while increasing profits!

      That being said, I'm sure they can find ways to screw it up. A pop up notice in the user's malware-infected browser is not the way to notify customers.

      • by value_added (719364) on Thursday October 08, 2009 @05:50PM (#29686473)

        > A pop up notice in the user's malware-infected browser is not the way to notify customers.

        Notifying anyone of anything was easy when the Windows Messenger service was enabled by default. ;-)

    • by Darkness404 (1287218) on Thursday October 08, 2009 @04:42PM (#29685665)
      No, because this is how the usual user acts.

      Tech: "Ok, you've got a virus"

      User: "But why? I have X protecting me!"

      Tech: "Well, you downloaded these kitten screensavers that appear to have a trojan on them"

      User: "So you're going to remove my kitten screensavers!?!"

      Tech: "Um, well yes."

      User: "But you can't do that!!!"

      Tech: "Well you want the virus gone right?"

      User: "Not if it endangers my kitten screensavers!"

      Tech: "..."

      Add that plus all the scareware floating around with rogue AV software leads to a perfect storm.
      • by sakdoctor (1087155) on Thursday October 08, 2009 @05:45PM (#29686423) Homepage

        That is so true it's painful.

        Many years ago I fixed someone's Windows installation.
        The user originally complained about a subtle Windows annoyance, and a system that was running a bit slow.
        What I found when I started digging, was the most badly infected computer I have EVER seen to date.
        Many of the viruses were craftily avoiding all attempts at removal, so I backed up data only and reinstalled.
        Some of the backup was useless due to an encrypting virus.

        A week later that original annoyance was back. It turns out that on the same day, the user had downloaded Kazaa and all the programs they felt were MUST HAVE, and with a combination of screen savers, custom mouse pointers, and other assorted crap recreated the exact same malware+virus infected state.

        So basically everyone from lusers to geeks have in their mind what their ideal system is, and from a fresh install we tweak towards that OS ideal.

        • Re: (Score:3, Interesting)

          Last time I encountered a system that badly infected, after cleaning it I put the free version of a decent AV on the machine and told them that if they tried to download anything dodgy again and the AV cut the connection, not to try to download it again.
          A month later they came back and asked where to download the AV from, because some of their friends' PCs are in a similar state and they're sick of getting virus-infected emails from them.

          *happy ending*

      • Re: (Score:3, Funny)

        WTF, you trying to say you hate kittens?
      • by Carbaholic (1327737) on Thursday October 08, 2009 @06:13PM (#29686729)

        I'm sure the conversation would be more like this:

        Tech: "heylo plase tern off your computer and wait for ten seyconds"

        User: "What are you talking about, I'm calling because you say I have a virus"

        Tech: "Dayd you tern off your computer yet?"

        User: "Did you hear anything I just said?"

        Tech: "Comcast tern off not responsible kittens"

        User: "Every word you say makes me angrier and angrier."

        Tech: "Good, resolve glad issue. Bye"

    • by cdrguru (88047) on Thursday October 08, 2009 @04:45PM (#29685711) Homepage

      > I bet most run-of-the-mill users don't know they have the infection and could act upon it if they knew.

      The problem is that most customers cannot do anything about their problems, except take the computer to someone that can help them. And because that is going to cost money, most people are going to wait until after Christmas, or after their vacation, or after their vacation after Christmas. Or until hell freezes over.

      Assuming a pop-up of any sort is going to actually inform people is a mistake - almost everyone has some kind of pop-up blocking in effect today and the ones that get through are ignored.

      The right thing to do is contact the person and see if they can explain the activity. No contact, cut off the account. No explanation, cut off the account. It does little good for the other 6 billion people on the planet to let infected computers continue to spew spam and phishing emails.

      • by coolsnowmen (695297) on Thursday October 08, 2009 @05:05PM (#29685959)

        Yeah, also, because if I got a pop-up that said, "your pc is infected" I would just close it and say "stupid phishers you'll never get me!" So, I'm guessing that pop-ups would be much less effective than a real piece of mail/phone message.

      • by nametaken (610866)

        Or when their ISP tells them they have an infection they'll look at the BestBuy Geek Squad ad right next to it and take their machine in.

        • > ...BestBuy Geek Squad ad right next to it and take their machine in.

          After which there will be no doubt about it being infected.

    • Re: (Score:3, Interesting)

      by Wowsers (1151731)

      Here in the UK one of my previous ISPs claimed my computer was infected with some worm, but how did I find this _lie_ they told me?

      Whilst I was using my internet connection they started to flood my router and PC's open ports with packets. Whilst the router and PC were able to repel their attack on my machine which lasted some minutes, they did not impress me with their accusation and then tactics against my machine, I thought it was under a "genuine" DDOS attack which was saturating my connection.

      To end th

  • IP, FP (Score:3, Insightful)

    by Hognoxious (631665) on Thursday October 08, 2009 @04:25PM (#29685383) Homepage Journal
    Thanks for spelling IP out for us.
    • Re: (Score:2, Insightful)

      by mcgrew (92797) *

      If they just said "IP" many here would think they were referring to Imaginary Property. Spelling out acronyms is a good thing, even if your audience probably knows what the acronym means.

  • by nweaver (113078) on Thursday October 08, 2009 @04:25PM (#29685389) Homepage

    ISPs need to notify their customers. Many customers don't really have email contact from their ISP for various reasons (eg, me!). But injecting a pop-up for notification purposes DOES work.

    Yes, the same technology can be used for evil abuses like ad injection, but this is exactly what SHOULD be done.

    • by i.r.id10t (595143) on Thursday October 08, 2009 @04:27PM (#29685423)

      How many folks ignore popups though?

      I'd think the solution could be more like what they do when they are messing with DNS - identify customers with issues, redirect their DNS queries to a box that puts up a page that describes what is going on, why they are seeing that page instead of google or whatever, and a number to call at the ISP for assistance.

    • Even better would be to give me my choice of notification mechanisms:
      *pop-up
      *email
      *sms
      *robo-phonecall
      *no notification

    • by piojo (995934)

      It seems like a good thing, so long as there's some way to tell Comcast, "No, my PC really isn't infected, I just run a mailing list," or something. I'm not sure opting out would be the right solution, though, because if someone is participating in a botnet, they should be subject to warnings (and eventually being disconnected).

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      How will it be distinguished from the "Your computer is infected?!??!" ads that customers are told to ignore?

    • by MadRocketScientist (792254) on Thursday October 08, 2009 @04:31PM (#29685495)
      I disagree. Using pop-ups as the notification method will likely trigger a new round of malware attacks that look like official Comcast notifications, complete with helpful links to download scanner and removal tools.
      • by garcia (6573) on Thursday October 08, 2009 @04:50PM (#29685771) Homepage

        > I disagree. Using pop-ups as the notification method will likely trigger a new round of malware attacks that look like official Comcast notifications, complete with helpful links to download scanner and removal tools.

        When AT&T ran things during the ATTBI days they would routinely shutdown connections for subscribers who had known issues (trojans, etc). It would set their cable modem config file to some dummy one which would only get them to AT&T internal network pages and they'd have to call in to get working again--if they fixed the problem.

        I don't see why that type of thing can't be restarted. Maybe there are just so many infected machines (and based on my webserver logs from Comcast's IP ranges, I'd guess this is true) that their phone staff just wouldn't be able to handle the volume.

      • Really, paper seems to be the best way even though it might take a couple of days. But......knowing Comcast, they will probably just ax you, and tell you about it later.

      • by Idbar (1034346)
        I agreed with you at the beginning. But, on a second thought, pop-ups may also be a good way to catch people that, in fact, click on them.
        I mean, if people click on popups telling you they have a virus (and actually get one), why wouldn't they click on Comcast's window anyways?
        People that don't click on popups or have them blocked, will simply keep ignoring them. It could be annoying though, but may work.
    • by RingDev (879105) on Thursday October 08, 2009 @04:52PM (#29685787) Homepage Journal

      It's really too bad that a cable company doesn't have any other means of communicating with their customers other than the internet. If only some how they could find out where their customers live, which I admit does sound like a startling infringement on their customers' right to privacy, they could convey such a warning without worrying about web etiquette or spam filters.

      -Rick

      PS: In case your browser doesn't support them, there are sarcasm tags on the preceding paragraph.

      • by 93 Escort Wagon (326346) on Thursday October 08, 2009 @06:21PM (#29686813)

        > It's really too bad that a cable company doesn't have any other means of communicating with their customers other than the internet.

        Hehe, you're watching TV with the family, and at the next commercial break you see a guy in an easy chair, reading the newspaper. He looks up at the camera and says "Hi there Rick! I'm Jim, from Comcast. Enjoying the show? Hey I'm afraid I've got a bit of bad news - it looks like your computer is infected with BugBot32/A."

    • [comcast senses new p2p activity coming from a home IP]
      Comcast Pop: Dear User, you recently installed a networked application. This application is spyware and is probably stealing your credit card information as we speak. For your safety, remove the software and any corrupted media downloaded by it.

    • by Sloppy (14984)

      > Many customers don't really have email contact from their ISP for various reasons (eg, me!). But injecting a pop-up for notification purposes DOES work.

      You're not willing to give them an email address, but you're willing to run some program that sits around waiting for them to send you a message, so that it can pop up? Weird.

      I'm assuming, of course, that you didn't actually mean anything nearly as insane as suggesting they should intercept your http traffic and modify some web page to include some javascri

  • It could also indicate software updates (like Linux)
    BitTorrent via a VPN
    Someone working nights
    Offsite backup

    There's any number of possible reasons for traffic spikes to a single IP but I'm guessing it's more about encrypted Torrents.

    • by IANAAC (692242)
      The summary said "from" an IP address, not "to" an IP address.
    • by hairyfeet (841228)

      You forgot one of my favorites...use it as an excuse to try to force you to buy some rebranded crappy AV 'solution' from them. That is what I had happen a few years back when I was stuck on HughesNet (ZOMG it sucked!) and decided to try the new WISP that had just set up. In the month and a half I had it I must have been 'disconnected because of virus' a good 25+ times. Which at first was almost funny as all I had at the time was a Linux laptop that was locked down tight.

      It finally got to the point that I w

  • > For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system

    ... or it could mean someone decided to seed every ISO known to man at the same time.

    I know that's probably not something Comcast is interested in supporting, but it's not against the ToS, so I really hope they aren't going to automate any disconnections (even temporary) based on this.

    • by Kizeh (71312)

      Depends how smart their profiles are. Many worms are distinctly different from bittorrent and any normal use in their scanning of address ranges and attempts to log in or go to known control sites or download known malware packages. I work at a large university and we use netflow info all the time to pinpoint infected machines on campus with a very high accuracy.
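
The kind of flow-profile check described in the comment above, as an added example that is not part of the thread and is not any ISP's actual system. The `Flow` fields, the thresholds, the relay address and the sample flows are all assumptions constructed for illustration; the point is that the shape of the traffic (fan-out per port, handshake completion, direct SMTP delivery) is what gets flagged, not volume.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One summarized TCP flow; field names are assumptions, not a NetFlow schema."""
    src: str           # subscriber address
    dst: str           # remote address
    dport: int         # destination port
    nbytes: int        # bytes sent by the subscriber
    established: bool  # True if the TCP handshake completed


# Assumed values for illustration; a real deployment tunes these per network.
ISP_RELAYS = {"192.0.2.25"}   # the ISP's own outbound mail relay
SCAN_MIN_TARGETS = 50         # distinct hosts contacted on one port
SCAN_MAX_ESTABLISHED = 0.2    # scans mostly hit closed or filtered ports
SMTP_MIN_TARGETS = 20         # distinct mail servers contacted directly


def classify_sources(flows):
    """Return {src: [reasons]} for one observation window; [] means not flagged."""
    per_src = defaultdict(lambda: defaultdict(list))
    for f in flows:
        per_src[f.src][f.dport].append(f)

    verdicts = {}
    for src, by_port in per_src.items():
        reasons = []
        for port, port_flows in by_port.items():
            targets = {f.dst for f in port_flows}
            est_ratio = sum(f.established for f in port_flows) / len(port_flows)
            # Worm-style scanning: wide fan-out on one port, few completed handshakes.
            if len(targets) >= SCAN_MIN_TARGETS and est_ratio <= SCAN_MAX_ESTABLISHED:
                reasons.append(f"scan:{port}")
        # Spam-bot behaviour: delivering straight to many mail servers,
        # bypassing the ISP relay.
        smtp_targets = {f.dst for f in by_port.get(25, [])} - ISP_RELAYS
        if len(smtp_targets) >= SMTP_MIN_TARGETS:
            reasons.append("direct-smtp")
        verdicts[src] = sorted(reasons)
    return verdicts


def sample_flows():
    """Constructed flows for four subscribers (documentation address ranges)."""
    flows = []
    # 10.0.0.1: worm sweeping an address range on 445; 4 of 200 handshakes complete.
    for i in range(200):
        flows.append(Flow("10.0.0.1", f"198.51.100.{i}", 445, 60, i % 50 == 0))
    # 10.0.0.2: BitTorrent seeder; heavy traffic and many peers, but most connect.
    for i in range(60):
        flows.append(Flow("10.0.0.2", f"203.0.113.{i}", 6881, 5_000_000, i % 5 != 0))
    for i in range(90):
        flows.append(Flow("10.0.0.2", f"203.0.113.{100 + i}", 20000 + i, 5_000_000, True))
    # 10.0.0.3: spam bot delivering directly to 60 different mail servers.
    for i in range(60):
        flows.append(Flow("10.0.0.3", f"192.0.2.{100 + i}", 25, 4_000, True))
    # 10.0.0.4: ordinary mail user sending everything through the ISP relay.
    for _ in range(30):
        flows.append(Flow("10.0.0.4", "192.0.2.25", 25, 4_000, True))
    return flows


if __name__ == "__main__":
    for src, reasons in sorted(classify_sources(sample_flows()).items()):
        print(src, reasons or "not flagged")
```

The seeder at 10.0.0.2 moves by far the most data and still comes back unflagged, because byte counts never enter the decision.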

  • As someone says above, isn't notifying of possible infections a good thing? I mean enterprise supposedly has better ways to detect it than a normal consumer, especially since Comcast is in the ISP business?

    Additionally, it's something that not only is good for consumers but good for Comcast, assuming they don't use it as false positives to cut off bittorrent users (which I find unlikely to happen anyway).

  • by InMSWeAntitrust (994158) on Thursday October 08, 2009 @04:27PM (#29685413)
    "The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers to security problems, Opperman said."

    So wait, instead of a personal phone call (which they apparently had been doing before anyway), now it'll be a popup just like the 50 other ones the user sees because he or she's infected with malware to begin with?

    Nice.
    • by dgatwood (11270)

      Or the 50 other popups that say "Your computer is broadcasting an IP address" that everyone ignores because the supposed "virus scanners" install malware?

  • Nice try. (Score:5, Interesting)

    by WiiVault (1039946) on Thursday October 08, 2009 @04:27PM (#29685419)
    Pardon me if I assume that everything Comcast does is anti-consumer unless proven otherwise. Their record certainly reinforces this skepticism. Sounds to me like they are trying yet again to scare people who torrent or use P2P software. Of course since they "can't" throttle, they are coming up with new ways to encourage their paying customers to use less of their "unlimited" bandwidth. Thanks for looking out for us Comcast.
  • by silent_artichoke (973182) <mike@mikeand[ ]ny.com ['ebo' in gap]> on Thursday October 08, 2009 @04:30PM (#29685473) Homepage
    Sure thing, users NEVER get popup warnings about being infected and promptly ignore them... Unless they are really from the virus itself and are asking for credit card information.
    • > Sure thing, users NEVER get popup warnings about being infected and promptly ignore them... Unless they are really from the virus itself and are asking for credit card information.

      This is so true. I was asked to look at a Windows box the other day because of numerous pop-up alerts about attacks from the Internet(s). I never heard of the "security software" which gave these warnings, so I disconnected it from the Internet. Guess what, it was supposedly still being "attacked" on random ports by random IPs.
    • by Rick17JJ (744063)
      On three different occasions, I have had advertisements saying that they had detected viruses and spyware on my computer. They then offer to scan my hard disk for free. When I try to close the tab, or try to say no, they then go ahead and pretend to scan my hard drive. After about 60 seconds of supposedly scanning my 500 GB hard drive, they announce that they have found 2 viruses on drive C, and also spyware in my registry.

      Since Linux does not use alphabetical letters as name for hard drives or partition
  • I agree, (Score:3, Insightful)

    by popeye44 (929152) on Thursday October 08, 2009 @04:30PM (#29685477)

    But having to set a cookie on each machine I want to disable their fucking dns redirect doesn't give me much hope. Love the speed.. hate the company!

    I think we're slowly but surely seeing the end of what was a really great thing. Open unfiltered internet. In a few years it will be an expanded version of tv with none to little user control about what we want to see. Soon it will be.. we noticed your IP has downloaded X amount of gigs in the last two days. It's impossible that you are doing anything legit and we are going to cancel or reduce your connection speeds for a month if you continue illegally downloading. PS. This may have been a virus and if so please take your pc to an **authorized vendor to clean it.

    **Vendor may also scan for copyright infringements on your pc in which case it will be kept as evidence.

  • Greetings,

    We recently detected abnormal activity on your computer associated with a virus infection. To protect your computer, please verify your name, password, and birthday, and then download this anti-virus software.
  • by Anonymous Coward on Thursday October 08, 2009 @04:31PM (#29685489)

    and I'm glad they did so. I was being lazy and neglected to install a virus scanner on one of the PCs hooked up here, and it got infected with conficker. Basically my ISP (XS4ALL, a Dutch ISP) detects this and blocks most of the traffic (getting mail still works), shows a warning page when you try to open a website, and some instructions on how to get through the blockade with a proxy, and how to clean up your PC. They'll only unblock you once you have gone through a number of steps to clean up your PC (running some trojan scanners etc.). This may seem harsh, but I think if every ISP did this there wouldn't be so many huge botnets out there and perhaps a lot less SPAM as well.

  • Opt-out? (Score:2, Insightful)

    by Zortrium (1251080)
    This seems harmless enough to me if Comcast provides an opt-out service (like they do for their DNS-redirection). Someone who's savvy enough to opt-out of this is probably not as likely to get malware-infected, and the rest of the population probably doesn't care very much about the service either way. As for the monitoring aspect, I doubt that Comcast is actually examining customers' traffic any more as a result of this -- they're probably just using their existing heaps of data to implement this.
  • I know TFA shows it on Comcast's page.. but still this is Comcast we're talking about. Are they going to just inject a pop-up while I'm randomly surfing?
    Also, prepare for brand-new phishing tactics in 3, 2, 1..
    Also, joining the chorus on this being tied to anti-P2P intentions.
  • flyswattery. (Score:5, Insightful)

    by nimbius (983462) on Thursday October 08, 2009 @04:36PM (#29685579) Homepage
    This proves and solves nothing, it's a frogboil tactic they use to get customers familiar with their 'responsibility' on their network. soon it becomes "we kick you off if we find malware." Internet providers are already shovelling this bullshit with port scanning and automated warnings regarding account termination. Treating customers like dirt, redefining what "demand" is in terms of the business model, and shaping the services you supply sure is a lot easier than actually scaling infrastructure to meet real-life demand.
    • Re: (Score:3, Insightful)

      by westlake (615356)

      > Treating customers like dirt, redefining what "demand" is in terms of the business model, and shaping the services you supply sure is a lot easier than actually scaling infrastructure to meet real-life demand.

      The business model is to keep the mass market consumer product affordable and drive the geek who wants "unlimited" broadband into paying the going rate for business or professional grade service.

  • Will be interesting how they handle that.

  • This is another message that scammers will spoof. Know all those fake/rogue virus warning pop ups? Yeah, just like that.
  • Comcast story is that "we are testing a new "Service Notice" customer alert that lets people know if we have reason to believe their home computer has been infected with a bot. The Service Notice is sent to appear in their Web browser with a direct link to our Anti-Virus Center where they can diagnose the problem and take steps to fix it"

    This sounds like they are going to inject the supposed "Service Notice" into tcp-streams on port 80 if you are using software Comcast never heard of such as GNU/Linux. T
  • More Phishing (Score:3, Informative)

    by kcornia (152859) on Thursday October 08, 2009 @04:44PM (#29685693) Journal

    Over under on new phishing e-mails is about 2 seconds.

    From: Comcast
    To: Joe Usar

    NOTICE: Your computer has been infected

    To who it may concarn:

    Please be to aware that your computer has been infected by virus. Please click here and verify your payment information so we can authorize removal of your viruses. If you do not your account blocked!!!!

  • Prediction (Score:5, Funny)

    by bistromath007 (1253428) on Thursday October 08, 2009 @04:45PM (#29685701)
    Comcast Gold PCGuard+ Express Pro has detected a significant overnight spike in your network usage that suggests your PC may be infected with a virus. This process has been identified as utorrent.exe. It is recommended that you delete all files related to this program immediately to keep your personal information secure.
  • by SirGarlon (845873) on Thursday October 08, 2009 @04:45PM (#29685707)
    I don't predict a good outcome from this. Comcast will be flooded with incoming tech support calls from customers, half panicked about a virus they don't have and the other half angrily denying a virus they do have. And Comcast will discover that the cost of all those calls far outweighs any benefits they receive from the new system.
    • by djupedal (584558)
      > Comcast will discover that the cost of all those calls far outweighs any benefits they receive from the new system.

      BS

      This is Comcast - what better way to get customers on the phone so they can be upsold?
  • Oblig (Score:2, Funny)

    by ParanoiaBOTS (903635)
    That made me think of this: http://xkcd.com/570/
  • by jtownatpunk.net (245670) on Thursday October 08, 2009 @04:51PM (#29685781)

    They even proactively installed AntiVirus 2009 on my system. Gosh, it's amazing how many viruses I had and didn't even know it.

  • one time shut off my DSL account. I was downloading a Red Hat Linux ISO file via BitTorrent. I called them up and they claimed they saw virus like activity on my connection and then shut off my Internet access to prevent my computer from infecting others. I told them I would remove the virus and they said they would restore access. I had to set my BitTorrent program to use a lower setting for bandwidth to avoid tripping off their false positive virus detection. I switched to a different DSL ISP after that.

  • by dmomo (256005) on Thursday October 08, 2009 @04:55PM (#29685827) Homepage

    I had a tech come by to fix a line issue. When his fix didn't work, he needed a computer to debug with. I let him use an extra laptop I had lying around. The jerk put some kind of Comcast toolbar on IE. I don't remember the details, but removing it was not trivial. Not insane, maybe, but definitely designed to be annoying for the average user to remove. I'm not sure if the tech was pressured to do that or if it was just something that the page he was told to access from users' machines did automatically. I just re-imaged the thing, but still. It left a bad taste in my mouth.

  • by pavera (320634) on Thursday October 08, 2009 @04:57PM (#29685861) Homepage Journal

    Ok.. so it's Comcast and we can all assume they will handle it poorly, but I worked at a small local ISP and was responsible for implementing just such a system on our network. The system would notify our NOC engineers about suspected infections, they would investigate more fully, and if the traffic was really suspect, we would log a ticket with customer support who would then call the customer. If we were unable to contact the customer for 48 hours and they didn't call us back we would disable their service.

    Now, it was a little different as we are small and local, and we would send a tech out to their house to help clean the virus off their machine. When customer service called that was part of the call.. It went something like this: "We have detected suspicious traffic coming from your connection. To protect our network and your neighbors who also use our service, if the traffic does not stop within 48 hours we will disconnect your service. If you need any information about the traffic in question we can have an engineer contact you. Also, if you need help installing, updating, or using virus and or spyware removal software, we will be happy to send a tech support engineer to your house to help you remedy this situation."

    We didn't charge for that tech support house call, it was just part of providing excellent service. In short, if it were to be handled appropriately, I don't see any problem with this sort of system. That being said, I feel Comcast will probably really botch this, just as any large telecom company would.

    Our system never detected a false positive on for example bittorrent traffic. We did have some on the IRC ports, but less than 5% (not that many people actually use IRC anymore, on a residential ISP network, probably 95%+ of IRC traffic is botnet control). We never turned off someone's connection who was validly using IRC. The customer service tech would ask "do you use IRC?" almost everyone would say "uh.. what is that?" The few people who use it would say "Yes I do" and we would say "Oh ok, that explains it" and that would be that.

    We only ever turned off 1 person's connection, they had left their machine on and left on vacation and it was on a botnet. We disabled their connection as we didn't get a response from them, when they got back they called in, we sent out a tech and cleaned up their machine and that was that.

    • > We didn't charge for that tech support house call, it was just part of providing excellent service.

      Sadly, I don't see Comcast caring a whole lot about "excellent service".

      I sincerely wish they did, but here in Georgia, the only "excellence" they've demonstrated thus far is in an ability to increase rates, reduce quality of service, and infuriate existing customers.

  • A significant overnight spike in traffic is a sure sign that I don't have to go in to the office the next day.
  • by endofoctober (660252) <`jk.cole' `at' `ifredsayred.com'> on Thursday October 08, 2009 @05:10PM (#29686029) Homepage
    ...that they called and told me that I had a zombie PC. I run updates, antivirus software and am very careful about where I go on the web, and what I download. Despite all my precautions, though, my PC got infected via an infected CD from my office (autorun is now turned off, btw). I got a call from Comcast saying that they'd noticed some odd traffic. The tech guy said it looked like my PC had been infected although it didn't seem to be actively sending/receiving any unusual data. After a quick re-scan with my antivirus software, it was gone, and all was right with the world (well, my tiny corner of it, anyway). I was used to Comcast sucking hardcore before this happened. Now my attitude is a little better toward them -- the Comcast tech guy knew his stuff, and was very helpful.
  • by HockeyPuck (141947) on Thursday October 08, 2009 @05:11PM (#29686035)

    Here's a question for the masses here on /.

    How would you notify customers that their machine is spewing spam or part of a botnet? Would you continue with the phone calls? Surely paying people to call customers about a virus can't be cheap, and doesn't scale. What is your ISP doing about this?

    Even if what Comcast is doing isn't the best solution, it's gotta be better than doing nothing, or taking the draconian measures of turning off service until you call in and they tell you, "Sir/Ma'am we turned off your service because your home computer is sending out spam. Once you've fixed it, we'll turn your service back on." I work at a "large database company" and in our labs if a lab machine is detected to be infected, the lab admins will shut off the Ethernet drop that server connects to until you fix it.

    • by i.r.id10t (595143)

      Don't allow outgoing connections to a SMTP server other than the one the ISP runs, and use SMTPAuth or similar would go a long way to stopping this. Heck, most of the ISPs in the area I live already do part 1 ...

      • Blocking SMTP just prevents the email flood from hitting the ISP's network, but doesn't do anything to benefit the customer.

  • One way to partially address this issue, with users' approval, is to offer a cheaper Internet connection which only allows for outbound connections.

    Many customers have no need for inbound communications to their PC. As an option, provide them with an RFC1918 aka 192.168.x.x address, and let them save $5/mo.

    This traffic would pass through the ISP's NAT firewall and would not support UPNP.

    This would free up some IPv4 space for re-use by the ISP, and this would eliminate some BOTNET C&C. Obviously not al

  • by Skapare (16644) on Thursday October 08, 2009 @05:22PM (#29686167) Homepage

    All that it takes is for the ISP to block traffic to any port 25 destination BY DEFAULT, and remove that block for any customer that asks for it to be removed. At the same time, the ISP should also provide assistance to customers that need to do things like send email through their office/work address, so that most of those customers would not need to ask for port 25 to be unblocked. Then, most of those that do ask for port 25 to be fully open would either be running an OS that doesn't get so infected like that, or would know how to properly secure their OS from viruses.
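The default port 25 block with a per-customer opt-out described in the comment above, combined with the "only the ISP's own SMTP server" rule from an earlier comment, can be sketched as a policy check over flow records. This is an added example, not part of the thread or any ISP's system; the relay address, customer IDs, notification threshold and flow records are all constructed assumptions.

```python
from collections import defaultdict

ISP_RELAY = "192.0.2.25"       # assumed address of the ISP's own SMTP relay
PORT25_OPT_OUT = {"cust-c"}    # assumed: customers who asked for the block to be lifted
NOTIFY_THRESHOLD = 3           # assumed: distinct blocked SMTP destinations before notifying

# Constructed flow records: (customer_id, destination_ip, destination_port)
FLOWS = [
    ("cust-a", "198.51.100.10", 587),  # authenticated submission to an office server
    ("cust-a", "192.0.2.25", 25),      # mail via the ISP relay
    ("cust-b", "203.0.113.1", 25),     # direct-to-MX delivery attempts from a
    ("cust-b", "203.0.113.2", 25),     # residential line, the pattern a
    ("cust-b", "203.0.113.3", 25),     # spam bot produces
    ("cust-b", "203.0.113.4", 25),
    ("cust-b", "198.51.100.80", 443),  # ordinary web traffic is untouched
    ("cust-c", "203.0.113.50", 25),    # opted out, so direct SMTP is allowed
    ("cust-d", "198.51.100.10", 25),   # one stray attempt: likely a misconfigured client
]

def allowed(customer, dst_ip, dst_port, opt_out=PORT25_OPT_OUT):
    """Default-deny for outbound port 25, except to the ISP relay or for opt-outs."""
    if dst_port != 25:
        return True
    return dst_ip == ISP_RELAY or customer in opt_out

def evaluate(flows, threshold=NOTIFY_THRESHOLD):
    """Return (flows passed, blocked-destination count per customer, customers to notify)."""
    blocked = defaultdict(set)
    passed = 0
    for customer, dst_ip, dst_port in flows:
        if allowed(customer, dst_ip, dst_port):
            passed += 1
        else:
            blocked[customer].add(dst_ip)
    counts = {c: len(dsts) for c, dsts in blocked.items()}
    # Many distinct blocked destinations suggests infection; a single one
    # suggests a mail client that needs pointing at the relay or port 587.
    notify = sorted(c for c, n in counts.items() if n >= threshold)
    return passed, counts, notify

if __name__ == "__main__":
    print(evaluate(FLOWS))
```

Counting distinct blocked destinations rather than raw attempts keeps a mail client retrying one server from triggering a notification.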

  • > Comcast is launching a trial of a service that will warn customers via a
    > browser pop-up...

    And just how are they going to arrange for this pop-up to pop-up?

  • How about the bigger war on direct tv that had VS taken away.

  • by dave562 (969951) on Thursday October 08, 2009 @06:14PM (#29686745) Journal

    The idea of quarantine networks has been around for a few years in the enterprise market segment. Any hardware that hasn't been pre-authorized is scanned for compliance and if out of compliance, it is locked into a network DMZ where it can only access servers that assist in bringing it into compliance with network security policies (i.e., servers that install anti-virus software, etc). Once it has passed the compliance tests, it gets access to the rest of the network.

    Now it would be great if Comcast could pre-screen customers' computers for compliance, but let's face it, that won't happen. They are in the situation where they already have a bunch of compromised computers and they need to deal with them. So they quarantine the compromised computers and hijack their DNS settings so that when they browse the web, they get pointed toward a webpage that has basic cleaning instructions. Since we're talking about Windows boxes they would be forced to download the Microsoft Malicious Software Cleaning tool (or whatever the monthly tool that cleans all of the common infections is called these days). They could be given links to free anti-virus software pages like Microsoft Security Essentials, Avast, etc. They could be given links to alternate browsers like Firefox.

    Once the customers run all of those tools, they could be given the number to phone support. Delaying the option to call support could mitigate the volume of support calls.

    All things considered, Comcast is going out on a limb with this one. They risk losing customers who might find it easier to just go with another ISP. They are putting themselves at a competitive disadvantage if other ISPs don't follow their lead. I think we can all agree that more ISPs should be doing what they can to address the problem of malware infected PCs. I also think we're all mature enough to recognize that addressing the problem isn't simple, and is in a lot of cases, beyond the ability of the average consumer. The last couple malware infected boxes I've had to deal with I ended up formatting and re-installing the OS. Even booting to LiveCDs and scanning the drives from a clean environment wouldn't get rid of everything.
