Comcast Warns Customers Suspected of Bot Infection

Posted by Soulskill
from the wonder-what-this-does-when-it-detects-torrents dept.
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
  • It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery. Not sure how I feel about this.

    • Re:Mixed feelings (Score:4, Insightful)

      by shoehornjob (1632387) on Monday October 04, 2010 @06:30PM (#33789024)
      Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats. The thing that gets most people though is the drive by bots. People have to abandon the plug and play web mentality as that's what gets them in trouble. One person told me she got a pop up telling her that the computer was infected with 45 viruses. I'm like WTF?? but they fall for it all the time. Education is the only thing that can fix that problem.
      • Re:Mixed feelings (Score:5, Insightful)

        by MoonBuggy (611105) on Monday October 04, 2010 @06:34PM (#33789068) Journal

        One person told me she got a pop up telling her that the computer was infected with 45 viruses.

        A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.

        An email to the address they have on file would be much less creepy and more effective, IMO.

        • Re:Mixed feelings (Score:4, Insightful)

          by Capt.DrumkenBum (1173011) on Monday October 04, 2010 @06:39PM (#33789114)

          An email to the address they have on file would be much less creepy and more effective, IMO.

          Because people will ignore the email.
          Just one more piece of spam.

          • by spazdor (902907)

            Something like "HEY, YOU, Customer #4572953, have a virus and this is your ISP, Comcast, telling you so. Please call our tech support at 1-888-IPGOUGE for removal help, and you should probably verify that phone number against your own documents before calling it."

            • Re: (Score:3, Insightful)

              by gd2shoe (747932)
              Sorry, but that does rather look like spam.
              • What if it had your home address, name, censored billing information (credit card xxxx....1234) etc?

              • And all the people who use ISP-independent email (which is good practice anyway as an ISP change will be easier) won't even receive it.

                Having said that, the overlay is about the worst way they could have used the WWW.

                What about a redirection of all www traffic to a warning page?

                After you click a checkbox that says "OK, I got it, but I'm in a hurry, let me finish surfing", which sets a session cookie, or after n HTTP requests or n minutes since the first recent HTTP request, normal behavior would be restored.

                This i

          • Re: (Score:2, Troll)

            by nametaken (610866) *

            True, maybe an automated phone call with a, "Press 1 to speak with a Comcast representative"?

            • Re: (Score:3, Informative)

              I don't know about you. But as soon as I realize it is a call from an autodialer, I hang up.
              • I don't know about you. But as soon as I realize it is a call from an autodialer, I hang up.

                One trick if you don't recognize the caller ID is to pick up the phone and just listen. If it's complete silence on the other end, it's an autodialer and it will hang up after five seconds or so. Bonus points if you play the "number not in service" tone -- download that from here [voip-info.org] and play the "ss-noservice" file.

                • by ls671 (1122017) *

                  I just play a message telling the caller to press 1 to speak to me, wait 3 seconds then send them to the fax if they don't press any key. Actually, pressing any key routes the call to me. I swear, it is pretty efficient.

                  Playing the SIT tone (Zapateller) as you suggest might cause you to miss legitimate calls. In my case, the worst that happens is that legitimate callers have to call twice if they were distracted and not quick enough to punch in a key the first time.

                  If you do not have a fax, you could always

              • Many of comcast's cable customers are also phone service customers, they could just unobtrusively add a voicemail message to those accounts.

                And I don't see why they shouldn't be able to send voicemails out-of-network, too. There's no reason the phone needs to actually ring for this, if it's in your voicemail you'll get the message eventually.

          • Re: (Score:3, Insightful)

            by mcgrew (92797) *

            How about a message that comes with the monthly bill in snailmail?

        • Re: (Score:2, Insightful)

          by shoehornjob (1632387)

          An email to the address they have on file would be much less creepy and more effective, IMO

          I agree but not everyone uses Comcast email.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            If the customer fails to address the issue promptly, then Comcast should disable their connection. When they call in, Comcast could easily ask them for a email address to forward such communications to.

            I work for an ISP and this is how we handle it. (Of course, we're small, so we also call the customer on the phone number(s) on their account.)

            • by gd2shoe (747932)

              Of course, we're small, so we also call the customer on the phone number(s) on their account.

              You mean you're considerate and rational. Technically, there's nothing keeping the big players from doing the same thing. (besides being inconsiderate and irrational)

              • Re: (Score:3, Funny)

                by spazdor (902907)

                That, and they seem to have an increasingly small workforce which is able to communicate effectively in English over the phone. ...Oh yeah, like you said.

            • by shentino (1139071)

              Comcast cannot be trusted to not "mistake" torrent traffic for virus traffic, especially if the MAFIAA tried to either bribe OR extort them to tell their techies to look the other way before being able to tell the difference.

              They've already been caught red handed screwing with torrents once before. Giving them plausible deniability with an opportunity to cover it up as virus quarantine is not a good idea.

            • Re: (Score:3, Insightful)

              by PopeRatzo (965947) *

              I work for an ISP and this is how we handle it.

              Yes, but your business plan is probably just to profit from providing internet bandwidth to customers.

              Comcast has a whole 'nother agenda.

        • The people most likely to get an infection are exactly the ones that need a blunt warning like this.

        • Re:Mixed feelings (Score:5, Informative)

          by amicusNYCL (1538833) on Monday October 04, 2010 @06:52PM (#33789220)

          That's a good point, but the screenshot [krebsonsecurity.com] does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.

          That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.

        • by mewsenews (251487)

          An email to the address they have on file would be much less creepy and more effective, IMO.

          "E.. mail? You mean that thing that our marketing dept uses to send out propaganda? Who reads that shit?" -- Comcast Exec

        • A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.

          Any thoughts from people who know more than me as to whether comcast just didn't think of this, or did and just doesn't care? On the one hand, they are comcast and don't have a reputation for forward thinking. On the other hand, they are comcast and don't have a reputation for giving two shits about their customers.

          Any chance this is just the path of least resistance to say "Hey, we tried to help, but you ignored our warnings, the malware took you over your quota and you owe us $400," not caring if the us

        • Re:Mixed feelings (Score:5, Interesting)

          by Hamsterdan (815291) on Monday October 04, 2010 @07:54PM (#33789790)

          What about a phone call? My ISP does this. Granted, it only has about 1.5 million customers. The way it goes is first, a phone call, if they are unable to talk to the person, they disable the modem until they call back. They only do this for large botnets, unless they receive a complaint about an IP.

          But it *IS* effective.

          Overlays and emails will only teach people to click on fake antivirus warnings, like you said...

        • by Burz (138833)

          You're right, but it *also* legitimizes the act of an ISP editing your data stream.

      • we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats.

        You mean the common threats like Norton? The only people who should install Norton is computer experts, and the only reason they would want to is so they can figure out how to uninstall it.

        • by PopeRatzo (965947) *

          The only people who should install Norton is computer experts

          Anyone who would install Norton is no "expert".

          • The only people who should install Norton is computer experts

            Anyone who would install Norton is no "expert".

            Noob. An expert would have read the second half of the sentence: "... and the only reason they would want to is so they can figure out how to uninstall it." Because, as you now know, uninstalling it makes this wonderful 'whoosh' sound.

        • Yeah. The only AV that I've seen that's anywhere as bad as Norton is CA. I still can't get that off my GF's computer. I've spent 3 hours already. Norton Corporate is awesome. Nobody should have to deal with Norton Home. Ever. It's cruel and unusual punishment.
      • by dnaumov (453672)

        Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service

        What is wrong with you? No, really? Have you actually used the recent Norton versions? I reckon a fair share of those who actually have would agree that Norton's presence on one's PC is actually worse than most malware infections.

    • Re:Mixed feelings (Score:4, Insightful)

      by Nerdfest (867930) on Monday October 04, 2010 @06:31PM (#33789050)

      If they're inspecting your traffic (and I really don't think they should be allowed to without a warrant) this is probably one of the few good things that they could do with what they see.
      • Re: (Score:2, Informative)

        by Anonymous Coward

        FTFA:

        Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.

      • by PopeRatzo (965947) *

        If they're inspecting your traffic (and I really don't think they should be allowed to without a warrant) this is probably one of the few good things that they could do with what they see.

        So as long as they're doing it to make you more secure, it's OK if they inspect your traffic? I know you're not saying that.

        I'd bet that we could get a dozen better ways from readers here to isolate bot-infected computers and prevent their spread without having to resort to letting Comcast move into your house and make s

      • Re: (Score:3, Informative)

        by thegarbz (1787294)

        If they weren't "inspecting" traffic then the internet wouldn't work. How else would you route data from one computer to another without inspecting the traffic to see where the data needs to go? This same level of data can also tell you if the computer is a bot. For instance if your computer is only sending data to port 25 to seemingly random hosts continuously for days, take a guess at what is happening, it's likely to only be one of two things. Same thing for suddenly getting a lot of 100% identical req
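The two detection signals this thread mentions, a host sending to port 25 on many random destinations for a sustained period (this comment) and a host phoning home to a known botnet controller address (the Damballa description quoted from the article above), as a worked check over flow metadata. This is an added example, not code from the article, Comcast, Damballa or any commenter; the flow-record layout, the thresholds and the controller list are all assumptions, and every address is a constructed documentation-range value, not a real indicator.

```python
"""Flow-metadata heuristics for flagging bot-like hosts on an access network.

Added example, not from the article or any commenter. Operates on constructed
NetFlow-style records (timestamp, source, destination, destination port, bytes),
the kind of header-level data an ISP sees without looking at payloads.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since epoch
    src: str     # customer-side address
    dst: str     # remote address
    dport: int   # destination TCP port
    nbytes: int  # bytes sent


# Placeholder controller list (constructed, RFC 5737 documentation address).
# In practice this would come from a feed such as the one the article attributes to Damballa.
KNOWN_CC = {"203.0.113.7"}


def smtp_fanout_suspects(flows, min_dests=20, min_duration=3600):
    """Sources that hit TCP/25 on at least min_dests distinct hosts across a
    span of at least min_duration seconds. A home user relaying through one
    provider mail server never reaches the distinct-destination threshold."""
    by_src = defaultdict(lambda: {"dests": set(), "first": None, "last": None})
    for f in flows:
        if f.dport != 25:
            continue
        s = by_src[f.src]
        s["dests"].add(f.dst)
        s["first"] = f.ts if s["first"] is None else min(s["first"], f.ts)
        s["last"] = f.ts if s["last"] is None else max(s["last"], f.ts)
    suspects = {}
    for src, s in by_src.items():
        duration = s["last"] - s["first"]
        if len(s["dests"]) >= min_dests and duration >= min_duration:
            suspects[src] = (len(s["dests"]), duration)
    return suspects


def cc_contacts(flows, cc_set=KNOWN_CC):
    """Count flows from each source to any address on the controller list."""
    hits = defaultdict(int)
    for f in flows:
        if f.dst in cc_set:
            hits[f.src] += 1
    return dict(hits)


def flag_for_notice(flows):
    """Addresses that either heuristic would queue for a customer notice."""
    flagged = set(smtp_fanout_suspects(flows)) | set(cc_contacts(flows))
    return sorted(flagged)


def make_sample_flows():
    """Constructed sample traffic: one clean user, one spam bot, one host phoning home."""
    flows = []
    # Clean user: a handful of SMTP submissions to a single provider mail server.
    for i in range(5):
        flows.append(Flow(1000 + i * 600, "10.0.0.5", "192.0.2.25", 25, 4000))
    flows.append(Flow(1500, "10.0.0.5", "198.51.100.200", 80, 12000))
    # Spam bot: SMTP to 60 distinct hosts, one every three minutes, for ~3 hours.
    for i in range(60):
        flows.append(Flow(1000 + i * 180, "10.0.0.9", f"198.51.100.{i + 1}", 25, 2500))
    # Infected host: small beacon to the listed controller every ten minutes.
    for i in range(6):
        flows.append(Flow(2000 + i * 600, "10.0.0.12", "203.0.113.7", 443, 300))
    return flows


if __name__ == "__main__":
    sample = make_sample_flows()
    print("SMTP fan-out suspects:", smtp_fanout_suspects(sample))
    print("C&C contacts:", cc_contacts(sample))
    print("Flag for notice:", flag_for_notice(sample))
```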
    • Re: (Score:3, Interesting)

      by PopeRatzo (965947) *

      It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery.

      Who wants to bet that torrent trackers and users of uTorrent will end up with these "overlays"?

    • by Burz (138833)

      You're right to feel leery. Comcast should not be altering the content of your web pages AT ALL. In addition, the effectiveness of this tactic over time is questionable: Malware and scam artists are already using popup-style alerts.

      The canvas of a web page is simply the wrong context for security alerts. An email would be a bit better, and a US mail postcard or phone call would be better still.

    • by ls671 (1122017) *

      Well, at least it seems to beat Comcast waiting on reports like this one before taking action with an infected customer. Maybe they realized that all that unwanted traffic cost them money after all.

      From abuse-report@myhost Thu Sep 2 08:52:54 2010
      Date: Thu, 2 Sep 2010 08:52:03 -0400
      From: abuse-report@myhost
      To: abuse@comcast.net
      Subject: Report of abuse from one of your IP: 75.149.85.71

      Hello,

      An IP from your network is scanning one of our machine
      Culprit IP on YOUR network: 75.149.85.71
      Victim IP on OUR network:

  • by Shadow Wrought (586631) * <shadow.wroughtNO@SPAMgmail.com> on Monday October 04, 2010 @06:24PM (#33788956) Homepage Journal
    Anyone know why there's an overlay saying, "The Cowboy Neil Bot is feeding," on my screen?
  • by BadAnalogyGuy (945258) <BadAnalogyGuy@gmail.com> on Monday October 04, 2010 @06:24PM (#33788960)

    I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.

    Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larva chewing at your subcutaneous layer of fat.

    • by PopeRatzo (965947) *

      I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon

      I heard that if you hold a lit cigarette over the infection, the bot will back out on his own.

  • I'm not a big fan of Comcast, but this is an excellent idea. If all broadband providers would do this, they could put a serious dent in bot nets and reduce the amount of spam and the phishing attacks.

    • by jack2000 (1178961)
      Just wait till the YOUR PC IS INFECTED crowd picks this up, they are going to have a field day with this.
      In my opinion people should get a warning next time they pay their monthly fee and if they do nothing about it maybe a stupid-tax or something.
      • Re:Excellent idea (Score:4, Interesting)

        by green1 (322787) on Monday October 04, 2010 @07:37PM (#33789614)

        What happened to the good old days of ISPs where if your computer was being a menace the ISP phoned you, and if you still didn't fix it they cut off your internet access until you did?

        It worked. and it worked well.

        • by jack2000 (1178961)
          I agree, but people these days will get all uppity if you start disconnecting them. So I propose a bastard tax.
        • by shentino (1139071)

          Simple.

          They got taken over by the days where we got fed up with chicken shit companies abusing their power and losing our trust to let them have internet police powers.

          I think an ISP should be able to block downstreamers who are spewing spams.

          Trusting them to do so and leave alone torrents and the like, however, is another story.

    • by nurb432 (527695)

      It will backfire as people will be un-taught the 'don't click on popups' lesson being taught now.

    • Comcast is creating a system where unrelated websites will notify you of problems in your computer. This is the "Virus detected click here to install antivirus 2011!", except being legitimate it tells people to trust what a random website tells them. Way to train users to trust any website popup, I expect this will result in new phishing scams.

      The only upshot is that the people who are infected are often the ones who already install anything that a popup warning tells them to.

  • Wait, what? (Score:4, Interesting)

    by XanC (644172) on Monday October 04, 2010 @06:27PM (#33788986)

    The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?

    • Re:Wait, what? (Score:4, Insightful)

      by ceep (527600) on Monday October 04, 2010 @06:37PM (#33789094) Homepage

      I think this is a good method. It's a lot harder to ignore than other ways that you've suggested (how much of an automated phone message would you listen to if it started as "This is a courtesy call from Comcast internet services ..."). HTTP is also a service that people are more likely to use every day, and there's little chance that an errant spam filter will block it.

      A risk - in theory - is that when people see this popup, they'll say "I'm supposed to not interact with these things" and just click "Close," rather than understanding what it says. On the other hand, if your computer is infected with some sort of 'bot, you probably click through things like this anyway.
      • by XanC (644172)

        No, doing this to people's connections is inexcusable. If they're being a problem on the network, then they should be cut off. But inserting yourself into their communications is simply wrong.

        That would solve the "how to get in touch with them" problem... They'll come to you!

        • Re:Wait, what? (Score:4, Insightful)

          by Dunbal (464142) * on Monday October 04, 2010 @07:15PM (#33789400)

          Let's look at the following:

          1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
          2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

          I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

          • by pslam (97660)

            Let's look at the following:

            1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.

            No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all H

    • Re: (Score:3, Insightful)

      by lordDallan (685707)
      I'd guess Comcast isn't sending an email at least in part because a healthy percentage of their customers don't use Comcast's crappy email service.

      I still think this is a gross and intrusive tactic, but so is how they hijack DNS redirects to show you a custom "search" page with ads on it. At least they give you an option [comcast.net] of turning that "service" off.
    • by Skapare (16644)

      If your IP is not on the list of infected customers, they won't affect you. But, if it is, they redirect your port 80 traffic to their proxy server that injects the HTML. Specifics, like how it does the overlay, I don't know. Maybe it wraps a frame or div. You'll have to fake being infected to see. Use HTTPS, or an SSH tunnel to a proxy of your own, to avoid it while being infected. If you can't be infected, then your own risk is if your ordinary traffic trips their infection detector.

    • Re:Wait, what? (Score:5, Informative)

      by StikyPad (445176) on Monday October 04, 2010 @06:54PM (#33789236) Homepage

      They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.

      Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.

      Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

      This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.

  • If you're infested with a botnet you are doing harm. In short infested computers create attackers and ISPs need to take responsibility for the attackers on their networks. I was more concerned that ISPs have NOT done this until now.

    • by nurb432 (527695)

      They should get involved by turning off your service and have you call them to turn it back on, routing you only to a in-house site for cleaning the PC.

      • by pecosdave (536896) *

        Exactly!

        I'm not 100% on-board with the method used in this article, but anything is better than just leaving the crap infested and causing trouble.

  • Antivirus2010 (Score:5, Insightful)

    by Anonymous Coward on Monday October 04, 2010 @06:29PM (#33789002)

    ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
    www.c0mcast.net/antivirus.exe

  • by SuperKendall (25149) on Monday October 04, 2010 @06:31PM (#33789044)

    Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection

    Not if you only have one Windows system.

  • Ten years ago they said I was mad for proposing this.

    Thanks, comcast, you arrogant incompetents, for taking a decade to listen to your customers.

    But I already moved to FIOS, along with my ENTIRE NEIGHBORHOOD, so tough luck.

  • by ThreeGigs (239452) on Monday October 04, 2010 @06:35PM (#33789078)

    Now if every other ISP would do something similar. Maybe block access until a user reads a notice or something.

    That said, Comcast's way of doing this might look to me like the website I was looking at was trying to sell me malware... like one of those "YOU'RE INFECTED! SCAN NOW?" popups.

    • by DeadCatX2 (950953)

      I say exponentially decay their bandwidth as if it was an RC circuit with a time constant of about three days. In about a week I'm sure they'll be calling to complain about the Internet speed...and then you'll have their undivided attention.

      • by green1 (322787)

        when people's connections are slow, they switch providers (because providers all advertise based on how fast their network is (of course without ever giving out numbers))
        what makes people call and complain is if you cut off their service.

        This is what ISPs used to do, it's too bad they don't anymore.

  • I use a router... (Score:2, Interesting)

    by erroneus (253617)

    But I didn't have a hard time determining which machine it was. My son was visiting and he was running Windows. Everything else is Linux and one Mac. Not hard to figure it out.

  • From Krebs' article:

    Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer — including Mac versions of the Symantec suite.

    At least most bots have the decency to let you use your own computer. Norton (and in my experience, McAfee) security suites are much less inclined to leave enough free resources for that to be possible.

  • What is the legality of the ISP intercepting a web page a user requested, then injecting their own code into it, then serving it you the end user?
    • by jack2000 (1178961)
      It should be illegal, if it's not, then get on your feet and make it so.
    • by spazdor (902907)

      Well, websites are copyrighted documents, and websites with extra ISP-injected code are unauthorized derivative works of those documents. Aaaaaaaaaaaand GO.

  • ...but if their diagnostics are accurate, it will only affect Windows users. And those people are fine with these things (botnets, spyware, constant intrusive advertising, confusing choices between virus checkers, weird popups, etc). No important work will be interrupted, just games, facebook and porn. The rest of us may or may not see slightly faster access, so... what's the bfd?

    I kid, I kid. Settle down.
  • Excellent move!

    Unfortunately malware authors will be updating their Fake AV attacks to emulate that banner in a matter of weeks, so it's only a temporary improvement.

  • ten bucks on .... (Score:3, Insightful)

    by trum4n (982031) on Monday October 04, 2010 @07:46PM (#33789708)
    ... bittorrent also setting off this message.
  • by izomiac (815208) on Monday October 04, 2010 @09:00PM (#33790294) Homepage
    I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.

    My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)
  • by mykos (1627575) on Tuesday October 05, 2010 @12:40AM (#33791556)
    I'm kind of torn on botnets. The only sites that get taken down by botnets that I have read about lately are sites of organizations I wish didn't exist anyway.

    When ACTA inevitably becomes the law of the land, DDoS will be one of the few weapons we plebes will have left against corporatism.
  • by DynaSoar (714234) on Tuesday October 05, 2010 @04:12AM (#33792260) Journal

    "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

    If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.
