Comcast Warns Customers Suspected of Bot Infection

eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

Mixed feelings

[The_mad_linguist]

It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery. Not sure how I feel about this.

Antivirus2010

[Anonymous Coward]

ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
www.c0mcast.net/antivirus.exe

Re:Mixed feelings

[shoehornjob]

Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats. The thing that gets most people though is the drive by bots. People have to abandon the plug and play web mentality as that's what gets them in trouble. One person told me she got a pop up telling her that the computer was infected with 45 viruses. I'm like WTF?? but they fall for it all the time. Education is the only thing that can fix that problem.

Re:Mixed feelings

[Nerdfest]

If they''re inspecting your traffic (and I really don't think they should be allowed to without a warrant) this is probably one of the few good things that they could do with what they see.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:IPv6!

[alvinrod]

I think that most of the people who are qualified to setup and maintain their own router are also qualified enough to determine exactly which of their machines are infected. Of course there will always be a few people who knew just enough about setting up a router to be dangerous, but if the network is completely open and someone using their network is spewing out spam or other garbage, it might tip off the network owner that they should secure their network.

IPv4 isn't a serious problem, and that part of the summary seems rather silly considering that anyone who has a serious network setup probably either has a good understanding of it or has a friend / family member with that knowledge. IPv6 would be a lot nicer, but the world is going to go on dragging its feet as long as it can.

Re:Wait, what?

[ceep]

I think this is a good method. It's a lot harder to ignore than other ways that you've suggested (how much of an automated phone message would you listen to if it started as "This is a courtesy call from Comcast internet services ..."). HTTP also a service that people are more likely to use every day, and there's little chance that an errant spam filter will block it.

A risk - in theory - is that when people see this popup, they'll say "I'm supposed to not interact with these things" and just click "Close," rather than understanding what it says. On the other hand, if your computer is infected with some sort of 'bot, you probably click through things like this anyway.

Re:Mixed feelings

[Capt.DrumkenBum]

An email to the address they have on file would be much less creepy and more effective, IMO.

Because people will ignore the email.
Just one more piece of spam.

Re:Wait, what?

[lordDallan]

I'd guess Comcast isn't sending an email at least in part because a healthy percentage of their customers don't use Comcast's crappy email service.

I still think this is a gross and intrusive tactic, but so is how they hijack DNS redirects to show you a custom "search" page with ads on it. At least they give you an option [comcast.net] of turning that "service" off.

Re:Wait, what?

[ceep]

So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem? I wouldn't be in favor of overuse of this method, but if you've got a 'bot running on your system, you're part of a problem and maybe something a little heavy-handed is warranted.

Re:Mixed feelings

[shoehornjob]

An email to the address they have on file would be much less creepy and more effective, IMO

I agree but not everyone uses Comcast email.

Re:Mixed feelings

[Anonymous Coward]

If the customer fails to address the issue promptly, then Comcast should disable their connection. When they call in, Comcast could easily ask them for a email address to forward such communications to.

I work for an ISP and this is how we handle it. (Of course, we're small, so we also call the customer on the phone number(s) on their account.)

Re:Wait, what?

[Mr. Freeman]

"So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem?"

Anyone that throws out mail from comcast can just as easily ignore the overlay. Besides, it's not comcast's responsibility to tell you if you have a bot running on your machine. This would be a little like your car putting an overlay on your windshield if your windshield wipers are in need of replacing, it's just ridiculous.

Also, what happens when someone gets flagged falsely and they can't get the overlay removed. Every try calling comcast customer service. Wait three hours on hold and then talk to a moron in india that doesn't speak english only to be read a script in a thick accent and then have them hang up on you.

Re:IPv6!

[vux984]

I think that most of the people who are qualified to setup and maintain their own router are also qualified enough to determine exactly which of their machines are infected

1) You go to best buy and plug $59 for a 4 port router box.
2) You take it home and plug it into the wall.
3) You plug the WAN port on the router to the cable or dsl box. - this is the hardest part to get right
4) You plug your computers into the other ports and start accessing the internet

People qualified to do the above are not qualified to determine which of their machines are infected.

Re:Mixed feelings

[gd2shoe]

Sorry, but that does rather look like spam.

Re:Does anything bad even run in GNU/Linux?

[Anonymous Coward]

I don't think it even bothers GNU/Linux, but, just for our peace of mind, let's ask those wizards on /.

Linux servers are generally a pretty high value target (they usually don't get turned off at night, most are on better-than-average connections and 99% of the software written for the thing doesn't require a GUI). Also, some guy running ancient shitty php forum software "for his family" on his home network is ripe for pwning.

Re:Wait, what?

[Dunbal]

Let's look at the following:

1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

ten bucks on ....

[trum4n]

... bittorrent also setting off this message.

Good idea, but a bad implementation

[izomiac]

I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.

My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while to for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)

You just don't get it

[pslam]

Let's look at the following:

1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.

No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all HTTP traffic by sending RST packets at you to upset bittorrent, also breaking normal web connections, and anything else which happened to be on port 80, e.g a lot of games. They messed with DNS to redirect to their own advertising sites for failed lookups. Now they're messing with HTTP to insert their banners. What will that do to traffic which happens to be HTTP but isn't web? News for you (and from your comment this probably IS news for you): the internet is not the web. That'll break bittorrent, games, maybe even iTunes, twitter apps, facebook apps, simple wget/curl transfers, and anything else that just happens to be HTTP on port 80.

2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

Yes, that's what they should actually be doing. It's in the ToS and if they have a machine connected which is degrading their network and/or being used for malicious attacks on other computers connected via their network, they are completely in their rights to disconnect them. This stinks of them trying to save money from support calls, sending out letters, hey even automated voicemail (which they do ANYWAY) or email.

OR they could just cut them off until they call tech support. OR they could filter the traffic, seeing as they've got enough of a stateful packet inspector in place to a) identify and b) modify your HTTP connections anyway. They just proved they can do it!

I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

I have a theory that anyone using the phrase "face it" actually knows that what they're suggested is absurd. You don't seem to understand exactly what's being done here. There's plenty of ways for them to solve this issue, and this tactic is just plain wrong.

Hell, this drops their "neutrality" altogether. They're actively inspecting traffic and inserting their own. I reckon that opens them up to being liable for it, too.

Re:Mixed feelings

[PopeRatzo]

I work for an ISP and this is how we handle it.

Yes, but your business plan is probably just to profit from providing internet bandwidth to customers.

Comcast has a whole 'nother agenda.

The Case For Internet Licenses

[DynaSoar]

"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.

Re:Mixed feelings

[mcgrew]

How about a message that comes with the monthly bill in snailmail?