Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
"Thank God"
"It's about Time"
"Glad somebody is finally taking an interesting in keeping the neighborhood cleaned up"
"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
More ISPs should handle compromised computers this way. Just leaving them around to harm the internet for the rest of us is irresponsible.
Do you care about the security of your wireless mouse?
ISP has problems with boxes infected with malware. ISP identifies and blocks said boxes. Block is only temporary, and will be lifted when customers disinfect their boxes.....
Where's the story?
Right- I can smell a cake burning. Let's add more flour! Come on- more flour!
Oh- right- let's take the cake out of the oven... Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.
Although, tackling the writers of the infecting programs would be good too, if somewhat harder.
It's Australia's biggest ISP according to the posting.
-- Using the preview button since 2005
That's not to say it isn't impossible, but it wouldn't surprise me that taking a laptop/ipod/some other storage device big enough around to another friend's house and getting all the updates is going to be beyond most people.
Also, last time I checked, I can't download all the updates that have been developed after XP SP2 was released from a machine running Windows 2000.
(side note: I'm on a 56k modem at home and therefore don't have a spare 3 weeks to get the several hundred megabytes of updates - and autopatcher xp hasn't been updated after sp2 was released)
Avantslash - View Slashdot cleanly on your mobile phone.
If Telstra is like any other large ISP I've seen, I figure that the first thing they should do is hire (or allocate) a good gaggle of AUP investigators so that their intelligence on this problem is reasonably real-time.
They could also write some scripts to log and categorize the DNS queries that they're getting from their customers. It should be fairly easy to automatically identify the worst offenders. You could then send notes to their owners, and if there's no reasonable response, pull the plug. Over the last few years, I think that I've written scripts to do pretty much everything but the last step, so I know it's doable. (that last step should almost always be manual).
Free Software: Like love, it grows best when given away.
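One way to do the logging and categorising the comment above describes, as an added example that is not from the original post or from any ISP's tooling: it parses constructed BIND-style query log lines (fake addresses, not real customer data), aggregates per-client query counts, distinct-name counts and queries per second, and flags the clients that look like a flooding trojan rather than a browser. The thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in the shape of BIND query logs (fake addresses, not real customer data).
# 10.0.0.5 behaves like a normal user; 10.0.0.9 like a trojaned host hammering the resolver.
SAMPLE_LOG = [
    "12-Apr-2005 10:00:01.000 client 10.0.0.5#3421: query: www.example.com IN A",
    "12-Apr-2005 10:00:09.000 client 10.0.0.5#3422: query: mail.example.com IN MX",
    "12-Apr-2005 10:00:20.000 client 10.0.0.5#3423: query: www.example.com IN A",
] + [
    f"12-Apr-2005 10:00:{i // 10:02d}.{i % 10}00 client 10.0.0.9#{1024 + i}: query: host{i}.example.net IN A"
    for i in range(60)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)
TS_FMT = "%d-%b-%Y %H:%M:%S.%f"

def parse_queries(lines):
    """Yield (timestamp, client_ip, qname, qtype) for every well-formed log line."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # skip malformed or unrelated lines instead of crashing on them
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["name"], m["qtype"]

def per_client_stats(lines):
    """Aggregate query count, distinct names and queries/second for each client."""
    stats = defaultdict(lambda: {"count": 0, "names": set(), "first": None, "last": None})
    for ts, ip, name, _ in parse_queries(lines):
        s = stats[ip]
        s["count"] += 1
        s["names"].add(name)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    result = {}
    for ip, s in stats.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)  # avoid divide-by-zero
        result[ip] = {"count": s["count"], "distinct": len(s["names"]), "qps": s["count"] / span}
    return result

def worst_offenders(lines, max_qps=2.0, min_distinct_ratio=0.9):
    """Clients above max_qps, or that almost never repeat a name once they have sent
    at least 20 queries (random-looking names are typical of a flooder, not a browser).
    Thresholds are assumed values for this example, not an ISP's real policy."""
    flagged = []
    for ip, s in per_client_stats(lines).items():
        ratio = s["distinct"] / s["count"]
        if s["qps"] > max_qps or (s["count"] >= 20 and ratio >= min_distinct_ratio):
            flagged.append((ip, round(s["qps"], 1), s["count"], s["distinct"]))
    return sorted(flagged, key=lambda f: f[1], reverse=True)

if __name__ == "__main__":
    for ip, qps, count, distinct in worst_offenders(SAMPLE_LOG):
        print(f"{ip}: {qps} q/s, {count} queries, {distinct} distinct names")
```

The flagged list is the input to the manual step the comment insists on: a human sends the notice and decides about the plug.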
NTL (UK cable provider) does this. They once started redirecting all HTTP requests from our home network to a page saying "You have netsky. Download this." or something. I had to try this with the Linux box before I believed this wasn't an attempt to distribute malware. Thing is, I checked all the Windows machines with NTL's tool and with Sophos AV, and they were all clean.
Other people with this problem have speculated that Linux machines (which NTL allows but "doesn't support") are sometimes mis-detected as Netsky-infected Windows PCs.
The moral is, if this sort of thing is going to become widespread, they need good detection of many different types of network usage, and they need to tell them by phone instead of just giving them what looks like a default-homepage highjack.
In a similar vein, remember MS marking VNC as spyware? Imagine if an ISP starts taking down VNC servers for the user's own security, etc, etc.
# cat
Damn, my RAM is full of llamas.
One of the best things is that there is a one-strike.
Who can keep up with all the patches? One-strike means that when you have downloaded the needed patches and run Windows Update, you can click one-strike and be back online without(!) ISP intervention.
It saves time for the user and especially for the ISP, since detection is automated. Not only for Blaster, but for a lot of worms and virii.
Send the affected customers (better yet, all customers) a CD with a free anti-virus, free anti-spyware, a free firewall, an alternative browser, and the latest updates for all of the above plus Windows and Office (including support for ME, NT, 2000, 98 SE, 98, and 95). With it include a letter explaining courteously and simply why security is important. Sure, you'd probably have to get permission from a dozen different legal departments to do distribution of nominally free software on a wide scale like that, but some companies I know would jump at having their demo version shipped.
Back this up with your regular tech support. Yes, some users will be too clueless but a good deal won't. A fair percentage of the clueless ones will catch on quickly when their internet gets shut off and stays off. I can guarantee you the network traffic they'd get would drop to a third of the levels seen before.
Actually, in this perspective AOL's lackluster virus and spyware protection make perfect sense.
I don't think the ISPs quite thought this plan through. Users aren't going to be able to clean up their computers without tools such as Ad-Aware and Spybot Search & Destroy. These ppl probably don't even have a virus checker at all. The necessary software is freely available online, but without a net connection these ppl will have to buy $100 of stuff at PC World. And that'll need updating online anyway.
A better idea would be to restrict bandwidth and connections on infected computers. The ISP should also post everyone they disconnect a CD with the usual free tools and instructions on how to use them. Along with Firefox and Thunderbird, of course.
I agree though, action should be taken against owners of zombie computers. They're irresponsibly spoiling the internet for others. Such users who think 'Internet Explorer' is the internet and believe the internet = the web.
While such ignorant users should be allowed to run computers in private, once they're connected to the internet, they become a danger to everyone else. The way I see it, I'm not allowed to drive a car on the road without first taking a test to make sure I can use it safely, and recognise and repair common problems (or at least take the car to the garage). This requires knowledge of both how the mechanics of the engine work, and of the highway code. So why are people who have never even seen the inside of a computer and don't realise that connecting an unpatched WinXP box to broadband is as dangerous as speeding down a motorway in the opposite direction to all traffic, allowed to do exactly that?
You can't realistically expect Joe SixPack, who doesn't know the difference between the CD tray and a coffee cup holder, to keep his computer up to date with the latest service pack or patch.
Why not? Most people don't know anything about how their cars work but do know that the oil needs to be changed at regular intervals and when the "Service Engine Soon" light comes on, it's time to visit a mechanic. They also know that if they don't do this their car will cease to function.
I'm really sick of the whole "people who don't know computers should be exempt from the rules" attitude. You know? Personal computers have been around for a very long time now, they aren't novelty items and people who use them should be expected to be courteous enough to keep them virus-free.
I for one am glad a major ISP is finally cutting off people who are too lazy to keep their computers secure. I hope more ISPs do this.
In case of fire, do not use elevator. Use water!
My employer, a large national cable ISP in Britain, routinely suspends service to customers due to nasties on the unsuspecting user's PC. Our infrastructure runs daily scripts that scan for open mail proxies and other suspicious ports that may be open. It's just part of the normal security process.
However, it never used to be; this aggressive step of securing our network was prompted by the ISP being threatened with a Usenet Death Penalty, twice.
Whether this BigPond story is any different (Because it deals with Trojans rather than mail relays) is another matter...
kill elrond
take elrond
put elrond in cupboard
Viruses might be interested in wiping data, but malware tends not to be. I think the whole "oh noes my data is precious and will be destroyed!!" is a little over-blown; I've not heard of any recent spyware that does anything like this. Reading your data, on the other hand, or installing keyloggers, are much more important. But if such processes have only managed to infect a non-root account, then they can easily be rooted (no pun intended :)) out (or scanned for continuously) and wiped. Of course, they may well have caused a lot of invasion of privacy by this stage.
Amateur radio operators, for example, have a responsibility to make sure their equipment is working properly, properly tuned, and operated without malicious intent so that it doesn't interfere with others.
So our ISP (U of R computing services) not only disconnected him from the network,
So you get your Internet feed through Uni computing services - noted.
but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it , after which it would be returned.
That's actually not a bad idea. They want to be sure that the system in question is no longer a problem. I'm sure you can see where a user would have motivation to lie about the scan if it would get him back on the network.
but the point is that our ISP can not only watch your internet traffic (as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.
Blows my mind.
Re: watching traffic, disconnecting users - re-read the Terms of Service you signed when you accepted their Internet access; I suspect you will find they've had these capabilities all along.
However, your comment about demand... access to all your personal files at will is completely ridiculous.
First, computing services will only need to examine your PC if it is causing a problem for other users; if things have gotten to this point you are either unable or unwilling to maintain the machine yourself and have effectively abdicated this responsibility.
Second, you probably already gave them permission to require such a scan when you agreed to the ToS (see above).
Third, who says your personal files have to remain on the machine if/when you turn it in for virus scanning?? Your roommate was told to deliver the computer; he can sanitize it before he does so. (This should be obvious.)
The University is not a commercial ISP. They provide the Internet access as a tool for you to use to further your education. It is a shared resource, and if you are causing problems they can rectify said problems as necessary based on the ToS. If you don't like their ToS you are free to go back to dial-up or pay for a T1.
I want to drag this out as long as possible. Bring me my protractor.
2. If they had any smarts at all, they'd still allow the client access to a whitelist of sites - windowsupdate, symantec, etc, as well as allowing them access to their own web/ftp sites to download fixes. If they don't, they're only doing a half-ass job of helping to fix the problem.
It's rare that an AC leaves a comment that can even seem insightful, let alone actually contribute something. At least here in the US the phrase "We reserve the right to refuse service to anyone" would apply. Their network, their rules. If you go into a nightclub and start spewing feces on the other patrons, they don't refund your cover charge when they throw you out.
Deal with it, and clean up your fucking computer.
Never underestimate the power of stupid people in large groups.
Except on most Linux dists:
1). the default user is not an administrator
Wait until Linux goes mainstream. Most people will just log in as root for normal activities to avoid the hassle of "su". After all, they don't have to bother with such annoyances under Windows. If they don't log in as root, they will happily supply the root password and/or click "OK" for any popup - just like on Windows.
The problem is that the average Joe has no idea how computers work, and they don't want to think about it. They will follow the path of least resistance to pr0n or pirated music without thinking about the consequences.
If God had meant for man to see the sunrise, He would have scheduled it later in the day.
I've worked for 3 ISPs in the midwest, and all of them have had no-tolerance policies that allowed them to cut the customer off at the first sign of spam, trojan or virus activity. I personally have cut off dozens of accounts this way, and why not? People are responsible for their own machines; asking them to keep them cleaned up isn't unreasonable in my opinion. In fact, asking us to keep supplying service to them while their rogue systems flood the net with crap is a lot more unreasonable than that imo. This isn't like their bill is a day late or something, this is an active malicious attack on the network, of course we aren't going to let it go on regardless of whether the customer is home to pick up the phone when we detect it. That's how it should be.
Sigs are awesome huh?
Really??
J.
You're only jealous cos the little penguins are talking to me.
"Well, Joe SixPack isn't trained to fix his car either, does that mean the state should act like a big car repair shop as well?"
Not the state, but car manufacturers and dealers definitely do.
As people start treating their computers more and more as an "internet machine", the focus shifts from the hardware or software manufacturer to the ISP. To put it another way, if ISP X offers network and system management, and ISP Y only offers internet connectivity, I would definitely recommend ISP X to my friends and relatives. Even if X charges an extra 10 bucks a month for the service.
"My point: if joe six pack is not able to get his computer in good working order, he can pay someone to do it, just like he does to get his car fixed..."
Agreed. However, if the ISP is offering the same maintenance contract, I would definitely recommend it over the Dell contract.
My point is not that the ISP is *obligated* to provide this service. My point is that an ISP is the only entity that's permanently connected to the customer. Hence, it's in a unique position to offer services (such as security and even software support) that no-one else can. This is a unique opportunity for an ISP and they *should* make use of it.
Nothing stopping you from a setting up a local DNS server.
Unless this DNS server can connect to other DNS servers on port 53, having a DNS server isn't going to do you much good with respect to accessing the public Internet.
I really hate you "WHY IS THIS NEWS?!!!!" crybabies. It's news because this particular ISP is doing something which it previously was not. See how that works? Something HAPPENS, and then someone REPORTS that it happened, and then the story gets posted here because its subject matter appeals to a large portion of this site's readership. Are you so blindingly stupid as to actually need this explained to you? It's the fucking dictionary definition of news.
By the way, most ISPs still are NOT doing this. Time Warner's Road Runner, for instance, never even looks in the direction of a trojaned machine on their network - at least in my area.
This is not a liability issue,
This is like the ISP Road Department analogy from a story yesterday. The ISP is not so much checking the contents of passing cars on a highway for contraband.
This is more like the Highway department kicking cars off the road because their owners have allowed them to degrade to horse drawn carts and all the horseshit on the road is causing problems with slow traffic and time and money to clean up the mess. I say this is a good move.
One assumes that the links to the virus scanner and ad aware are allowed through.
I wonder after enough people get disconnected if they will switch to Linux.