Comcast's War On Infected PCs (Or All Customers) 304
thadmiller writes "Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet." Update: Jason Livingood
of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.
Nice try. (Score:5, Interesting)
My ISP just blocked me for getting conficker.. (Score:4, Interesting)
and I'm glad they did so. I was being lazy and neglected to install a virus scanner on one of the PCs hooked up here, and it got infected with conficker. Basically my ISP (XS4ALL, a Dutch ISP) detects this and blocks most of the traffic (getting mail still works), shows a warning page when you try to open a website, and some instructions on how to get through the blockade with a proxy, and how to clean up your PC. They'll only unblock you once you have gone through a number of steps to clean up your PC (running some trojan scanners etc.). This may seem harsh, but I think if every ISP did this there wouldn't be some many huge botnets out there and perhaps a lot less SPAM as well.
Re:Seems fine to notify (Score:3, Interesting)
Re:Nice try. (Score:3, Interesting)
A co-worker of mine recently had his service terminated because he had exceeded 1TB of downloading in a month. I'm not sure if this is a regional thing, but that seems like a really high cap. Ultimately, he called them and the solution was to upgrade to a business class connection. It ended up costing him an additional $20 (iirc) a month, but he now has a higher upstream and a static IP. He was cool with that as it seems this works out better for him anyway, but any sort of cap for an advertised unlimited service is a bit ridiculous.
Re:Bad subject, this is a GOOD thing... (Score:5, Interesting)
I disagree. Using pop-ups as the notification method will likely trigger a new round of malware attacks that look like official Comcast notifications, complete with helpful links to download scanner and removal tools.
When AT&T ran things during the ATTBI days they would routinely shutdown connections for subscribers who had known issues (trojans, etc). It would set their cable modem config file to some dummy one which would only get them to AT&T internal network pages and they'd have to call in to get working again--if they fixed the problem.
I don't see why that type of thing can't be restarted. Maybe there are just so many infected machines (and based on my webserver logs from Comcast's IP ranges, I'd guess this is true) that their phone staff just wouldn't be able to handle the volume.
Will they warn me about Comcast Spyware? (Score:3, Interesting)
I had a tech come by to fix a line issue. When his fix didn't work, he needed a computer to debug with. I let him use an extra laptop I had lying around. The jerk put some kind of Comcast toolbar on IE. I don't remember the details, but removing it was not trivial. Not insane, maybe, but definitely designed to be annoying for the average user to remove. I'm not sure if the tech was pressured to do that or if it was just something that the page he was told to access from users' machines did automatically. I just re-imaged the thing, but still. It left a bad taste in my mouth.
If handled properly.. (Score:5, Interesting)
Ok.. so its Comcast and we can all assume they will handle it poorly, but I worked at a small local ISP and was responsible for implementing just such a system on our network. The system would notify our NOC engineers about suspected infections, they would investigate more fully, and if the traffic was really suspect, we would log a ticket with customer support who would then call the customer. If we were unable to contact the customer for 48 hours and they didn't call us back we would disable their service.
Now, it was a little different as we are small and local, and we would send a tech out to their house to help clean the virus off their machine. When customer service called that was part of the call.. It went something like this: "We have detected suspicious traffic coming from your connection. To protect our network and your neighbors who also use our service, if the traffic does not stop within 48 hours we will disconnect your service. If you need any information about the traffic in question we can have an engineer contact you. Also, if you need help installing, updating, or using virus and or spyware removal software, we will be happy to send a tech support engineer to your house to help you remedy this situation."
We didn't charge for that tech support house call, it was just part of providing excellent service. In short, if it were to be handled appropriately, I don't see any problem with this sort of system. That being said, I feel comcast will probably really botch this, just as any large telecom company would.
Our system never detected a false positive on for example bittorrent traffic. We did have some on the IRC ports, but less than 5% (not that many people actually use IRC anymore, on a residential ISP network, probably 95%+ of IRC traffic is botnet control). We never turned off someone's connection who was validly using IRC. The customer service tech would ask "do you use IRC?" almost everyone would say "uh.. what is that?" The few people who use it would say "Yes I do" and we would say "Oh ok, that explains it" and that would be that.
We only ever turned off 1 person's connection, they had left their machine on and left on vacation and it was on a botnet. We disabled their connection as we didn't get a response from them, when they got back they called in, we sent out a tech and cleaned up their machine and that was that.
How to incremintally address this issue with appro (Score:2, Interesting)
One way to partially address this issue, with users approval, is to offer a cheaper Internet connection which only allows for outbound connections.
Many customers have no need for inbound communications to their PC. As an option, provide them with an RFC1918 aka 192.168.x.x address, and let them save $5/mo.
This traffic would pass through the ISP's NAT firewall and would not support UPNP.
This would free up some IPv4 space for re-use by the ISP, and this would eliminate some BOTNET C&C. Obviously not all.
Another piece to this is to offer an alternate DNS service. Something like what OpenDNS and DynDNS are offering. Perhaps rebrand one of those services. These service track malware DNS and block them.
It's doesn't solve all the problems with Malware, but it does address several issues. It does place your non P2P customers into a separate offering, allowing you to bill P2P customers more. P2P customers would never go for this offering.
This has always been easy to fix (Score:3, Interesting)
All that it takes is for the ISP to block traffic to any port 25 destination BY DEFAULT, and remove that block for any customer that asks for it to be removed. At the same time, the ISP should also provide assistance to customers that need to do things like send email through their office/work address, so that most of those customer would not need to ask for port 25 to be unblocked. Then, most of those that do ask for port 25 to be fully open would either be running an OS that doesn't get so infected like that, or would know how to properly secure their OS from viruses.
Re:Seems fine to notify (Score:5, Interesting)
That is so true it's painful.
Many years ago I fixed someones windows installation.
The user originally complained about a subtle windows annoyance, and a system that was running a bit slow.
What I found when I started digging, was the most badly infected computer I have EVER seen to date.
Many of the viruses were craftily avoiding all attempts at removal, so I backed up data only and reinstalled.
Some of the backup was useless due to an encrypting virus.
A week later that original annoyance was back. It turns out that on the same day, the user had downloaded kazaa and all the programs they felt were MUST HAVE, and with a combination of screen savers, custom mouse pointers, and other assorted crap recreated the exact same malware+virus infected state.
So basically everyone from lusers to geeks have in their mind what their ideal system is, and from a fresh install we tweak towards that OS ideal.
Re:Bad subject, this is a GOOD thing... (Score:5, Interesting)
I'm undoing a bunch of moderation just to point out that you're an idiot. I hate to be so blunt, but it's the truth. If you want uninterrupted, business class service then pay for it and get an SLA in writing that explicitly spells out the obligations of both parties. In fact if you're on Comcast and you go ahead and just cross your fingers and hope for the best, I think a decent lawyer could sue you for negligence if Comcast's proactive measures impact your business. You are now aware that they might be doing this. If you don't take steps to mitigate it, you're the one who is at fault. As a business owner, you need to take steps to ensure that you can deliver what you promise to your clients. Trying to blame Comcast for a technical glitch strikes me as the digital equivalent of "sorry, the dog ate my homework".
Maybe I should have just modded you -1 and gone about my day.
Opportunity for phishing (Score:2, Interesting)
Re:Bad subject, this is a GOOD thing... (Score:3, Interesting)
See my previous response to your other post. If you are a contractor who is promising to get things done, it is on you to ensure that you are able to get them done. That means either get an SLA with an ISP who won't cut you off and will promise in writing that they won't cut you off, or get a firewall that will fail over to a secondary connection in case you do run into problems with your primary ISP. If you want to really cover your ass, do both because as we all know, shit happens. The best SLA in the world doesn't do you any good if the CO catches on fire, or if some contractor hits the trunk line with a back hoe.
Re:Bad subject, this is a GOOD thing... (Score:2, Interesting)
Simple: if a customer's machine is blasting out spam, you direct all traffic from that machine to a walled garden, that only allows access to a webpage where you are notified of the problem, told where to call for more info and a link to download tools to potentially clean up your mess... Makes sense, which mean it *will NOT* be what Comcrap does....
This is how I'd do it (Score:3, Interesting)
The idea of quarantine networks have been around for a few years in the enterprise market segment. Any hardware that hasn't been pre-authorized is scanned for compliance and if out of compliance, it is locked into a network DMZ where it can only access servers that assist in bringing it into compliance with network security policies (ie, servers that install anti-virus software, etc). Once it has passed the compliance tests, it gets access to the rest of the network.
Now it would be great if Comcast could pre-screen customers' computers for compliance, but lets face it, that won't happen. They are in the situation where they already have a bunch of compromised computers and they need to deal with them. So they quarantine the compromised computers and hijack their DNS settings so that when they browse the web, they get pointed toward a webpage that has basic cleaning instructions. Since we're talking about Windows boxes they would be forced to download the Microsoft Malicious Software Cleaning tool (or whatever the monthly tool that cleans all of the common infections is called these days). They could be given links to free anti-virus software pages like Microsoft Security Essentials, AVast, etc. They could be given links to alternate browsers like Firefox.
Once the customers run all of those tools, they could be given the number to phone support. Delaying the option to call support could mitigate the volume of support calls.
All things considered, Comcast is going out on a limb with this one. They risk losing customers who might find it easier to just go with another ISP. They are putting themselves at a competitive disadvantage if other ISPs don't follow their lead. I think we can all agree that more ISPs should be doing what they can to address the problem of malware infected PCs. I also think we're all mature enough to recognize that addressing the problem isn't simple, and is in a lot of cases, beyond the ability of the average consumer. The last couple malware infected boxes I've had to deal with I ended up formatting and re-installing the OS. Even booting to LiveCDs and scanning the drives from a clean environment wouldn't get rid of everything.
Re:Seems fine to notify (Score:3, Interesting)
Here in the UK one of my previous ISP's claimed my computer was infected with some worm, but how did I find this _lie_ they told me?
Whilst I was using my internet connection they started to flood my router and pc's open ports with packets. Whilst the router and pc were able to repel their attack on my machine which lasted some minutes, they did not impress me with their accusation and then tactics against my machine, I thought it was under a "genuine" DDOS attack which was saturating my connection.
To end the story, the ISP apologised for what they did with their attack on my machine and not informing me of their _lie_ of my pc being infected, and eating up my bandwidth. On the plus side, I upped and left them.
The one and only infection my pc had was when a university lecturer gave back our CAD work from our floppy discs, and the lecturer infected all the students discs, despite the cretin telling us to scan our discs before giving it to him. I'm very strict of what files I run on my machine, and after that incident, even more so.
I would be REALLY wary of an ISP and thier "war on infected pc's".
Re:Seems fine to notify (Score:3, Interesting)
Last time I encountered a system that badly infected, after cleaning it I put the free version of a decent AV on the machine and told them that if they tried to download anything dodgy again and the AV cut the connection, not to try to download it again.
A month later they came back and asked where to download the AV from, because some of their friends' pcs are in similar state and they're sick of getting virus-infected emails from them.
*happy ending*
Re:Seems fine to notify (Score:3, Interesting)
This is why I eventually decided it wouldn't be detrimental to me at all to outright block outgoing SMTP at my router - I exclusively use gmail for my email now.
Unfortunately, precedent says they will act on this by blocking all access if a compromise is detected - Time Warner has a "two strikes and you're out" deal - The first time ANY sort of complaint comes in, you get a temp-block that can be lifted by clicking a URL. Second report, even if it's 1.5 months later, will result in service shutoff until you call the company. (Which is annoying because the notification page does NOT provide any phone numbers.)
(I know this because my Windows gaming machine got compromised.)