Major Aussie ISP Disconnecting Trojaned PCs

daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.

My 1st Thoughts

[reezle]

"Thank God"

"It's about Time"

"Glad somebody is finally taking an interesting in keeping the neighborhood cleaned up"

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

Re:My 1st Thoughts

[TeraCo]

ISP's can disconnect people based on their traffic

They've always been able to do that.

Re:My 1st Thoughts

"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"

Yeah, that's a valid concern. I think what we are talking about here is the difference between being pragmatic and idealistic.

Idealistically, the ISP would never look at your traffic, and just deliver the pipe. Practically, zombies are degrading the service of other customers significantly, and the ISP is going to know what the problem is.

It's not a perfect Internet yet, we all know that, so I think it's pretty reasonable that certain measures are taken in cases like this.

Just remember to scream really loud when there is an incident of an ISP disconnecting you for something that is perfectly legal.

(PS. It's good to see that the use of Torrents appears to have a high legal/questionable content ratio, whereas the last time I looked at P2P, it was really hard to argue that it wasn't used mainly for illegally copying stuff)

Re:My 1st Thoughts

[spongman]

ISPs don't want to be liable for the shit your sending over their network. As soon as they start sniffing they make themselves responsible for your kiddy porn and your copyright infringements. They don't know, and that's what they tell the lawyers, they don't want to know and more importantly they don't want to have to know. just don't piss them off and you'll be fine.

This is a good thing

[kasperd]

More ISPs should handle compromised computers this way. Just leaving them around to harm the internet for the rest of is is irresponsible.

Re:This is a good thing

If you don't disconect the offending computer, how will the idiot who owns it know they've been an idiot? Disconecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works, at which point you can lart them for being an idiot and force them to clean up their idiot-box before you reconnect them. Just silently droping the offending packets does nothing to educate the idiot involved.

Re:This is a good thing

[R.Caley]

Well, there is no need to *disconnect* the computer if all you have to do is block the problematic port.

I think for 99.9999% of a residential ISP's customers, having their access to DNS blocked would not be noticably different from disconnection.

Besides, is someone has an infected PC, disconnection is a friendly action. It kicks them up the arse so they have to find out what is going on, and it prevents them being zombied.

We have a collective problem that many many people have PCs on the internet but don't have the kind of basic understanding we demand before we'd allow them onto the road in a car. Sending them back to the garage for a day or two with a hint to learn what the windscreen wipers are for is good for everyone.

Re:This is a good thing

[rabbit994]

Nothing stopping you from a setting up a local DNS server. We had issues with Comcast DNS until we simply set up our own.

Re:This is a good thing

[FireFury03]

Disconecting it totally is a great way to handle the problem, because it forces the idiot to call customer services to find out why their connection no longer works

Even better is to block all access and redirect web requests to a server that explains what's going on and provides patches, etc. That way people (with more than one brain cell) don't _have_ to phone customer support.

Hmm... makes sense to me!

[PDA_Boy]

Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network."

Right- I can smell a cake burning. Let's add more flour! Come on- more flour!

Oh- right- let's take the cake out the oven...

Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.

Although, tackling the writers of the infecting programs would be good too, if somewhat harder.

Catch-22

[Mr_Silver]

Of course, once you have no net connection, it becomes a little difficult to download all the latest Microsoft patches and virus updates to clean your machine so you can get back on the internet.

Thats not to say it isn't impossible, but it wouldn't surprise me that taking a laptop/ipod/some other storage device big enough around to another friends house and getting all the updates is going to be beyond most people.

Also, last time I checked, I can't download all the updates that have been developed after XP SP2 was released from a machine running Windows 2000.

(side note: I'm on a 56k modem at home and therefore don't have a spare 3 weeks to get the several hundred megabytes of updates - and autopatcher xp hasn't been updated after sp2 was released)

Slow response times?

[Stephen+Samuel]

One problem with this is that many ISPs are days (or even weeks) behind on responding to complaints. I have a script which automates the process of generating SPAM and virus complaints. In the cases where I've actually gotten a real-live response, it's almost invariably been days after my complaint. (It's only the smallest ISPs that seem to have a fast response time.) In the menatime, these machines have been spewing spam and viruses across the 'net.

If Telestra is like any other large ISP I've seen, I figure that the first thing they should do is hire (or allocate) a good gaggle of AUP investigators so that their intelligence on this problem is reasonably real-time.

They could also write some scripts to log and categorize the DNS queries that they're getting from their customers. It should be fairly easy to automatically identify the worst offenders. You could then send notes to their owners, and if there's no reasonable response, pull the plug. Over the last few years, I think that I've written scripts to do pretty much everything but the last step, so I know it's doable. (that last step should almost always be manual).

NTL

[bcmm]

NTL (UK cable provider) does this. They once started redirecting all HTTP requests from our home network to a page saying "You have netsky. Download this." or something. I had to try this with the Linux box before I believed this wasn't an attempt to distribute malware. Thing is, I checked all the Windows machines with NTL's tool and with Sophos AV, and they were all clean.

Other people with this problem have speculated that Linux machines (which NTL allows but "doesn't support") are sometimes mis-detected as Netsky-infected Windows PCs.

The moral is, if this sort of thing is going to become widespread, they need good detection of many different types of network usage, and they need to tell them by phone instead of just giving them what looks like a default-homepage highjack.

In a similar vein, remember MS marking VNC as spyware? Imagine if an ISP starts taking down VNC servers for the users own security, etc, etc.

Best Practice

[MrNonchalant]

Send the effected customers (better yet, all customers) a CD with a free anti-virus, free anti-spyware, a free firewall, an alternative browser, and the latest updates for all of the above plus Windows and Office (including support for ME, NT, 2000, 98 SE, 98, and 95). With it include a letter explaining courtiously and simply why security is important. Sure, you'd probably have to get permission from a dozen different legal departments to do distribution of nominally free software on a wide scale like that, but some companies I know would jump at having their demo version shipped.

Back this up with your regular tech support. Yes, some users will be too clueless but a good deal won't. A fair percentage of the clueless ones will catch on quickly when their internet gets shut off and stays off. I can guarentee you the network traffic they'd get would drop to a third of the levels seen before.

Actually, in this perspective AOL's lackluster virus and spyware protection make perfect sense.

How acquire spyware removal tools if disconnected?

[matt+me]

I don't think the ISPs quite thought this plan though. Users aren't going to be able clean up their computers without tools such as ad-aware and spybot search & destroy. These ppl probably don't even have a virus checker at all. The necessary software is freely avaliable online, but without a net connection these ppl will have to buy $100 of stuff at PC World. And that'll need updating online anyway.

A better idea would be to restrict bandwidth and connections on infected computers. The ISP should also post everyone they disconnect a CD with the usual free tools and instructions on how to use them. Along with Firefox and Thunderbird, of course.

I agree though, action should be taken against owners of zombie computers. They're irresponsibly spoiling the internet for others. Such users who think 'Internet Explorer' is the internet and believe the internet = the web.

While such ignorant users should be allowed to run computers in private, once they're connected to the internet, they become a danger to everyone else. The way I see it, I'm not allowed to drive a car on the road without first taking a test to make sure I can use it safely, and recognise and repair common problems (or at least take the car to the garage). This requires knowledge of both how the mechanics of the engine work, and of the highway code. So why are people who have never even seen the inside of computer and don't realise that connecting an unpatched WinXP box to broadband is as dangerous as speeding down a motorway in the opposite direction to all traffic, allowed to do exactly that?

(Uni computing services) != (commercial ISP)

[sczimme]

So our ISP (U of R computing services) not only disconnected him from the network,

So you get your Internet feed through Uni computing services - noted.

but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it , after which it would be returned.

That's actually not a bad idea. They want to be sure that the system in question is no longer a problem. I'm sure you can see where a user would have motivation to lie about the scan if it would get him back on the network.

but the point is that our ISP can not only watch your internet traffic(as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.

Blows my mind.

Re: watching traffic, disconnecting users - re-read the Terms of Service you signed when you accepted their Internet access; I suspect you will find they've had these capabilities all along.

However, your comment about demand... access to all your personal files at will is completely ridiculous.

First, computing services will only need to examine your PC if it causing a problem for other users; if things have gotten to this point you are either unable or unwilling to maintain the machine yourself and have effectively abdicated this responsibility.

Second, you probably already gave them permission to require such a scan when you agreed to the ToS (see above).

Third, who says your personal files have to remain on the machine if/when you turn it in for virus scanning?? Your roommate was told to deliver the computer; he can sanitize it before he does so. (This should be obvious.)
The University is not a commercial ISP. They provide the Internet access as a tool for you to use to further your education. It is a shared resource, and if you are causing problems they can rectify said problems as necessary based on the ToS. If you don't like their ToS you are free to go back to dial-up or pay for a T1.

Shut up

[Hrothgar+The+Great]

I really hate you "WHY IS THIS NEWS?!!!!" crybabies. It's news because this particular ISP is doing something which it previously was not. See how that works? Something HAPPENS, and then someone REPORTS that it happened, and then the story gets posted here because its subject matter appeals to a large portion of this site's readership. Are you so blindingly stupid as to actually need this explained to you? It's the fucking dictionary definition of news.

By the way, most ISPs still are NOT doing this. Time Warner's Road Runner, for instance, never even looks in the direction of a trojaned machine on their network - at least in my area.