Australian ISPs Asked To Cut Off Malware-Infected PCs
bennyboy64 writes "Australia's Internet Industry Association has put forward a new code of conduct that suggests ISPs contact, and in some cases disconnect, customers that have malware-infected computers.
'Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem,' the new code states. The code won't be mandatory, but it's expected the ISP industry will take it up if they are to work with the Australian Government in preventing the many botnets operating in Australia."
if the Australian definition of 'malware' is 'bittorrent'
ISPs should just provide internet access not police and monitor traffic.
Don't make me choose between the internet and bonzibuddy.
This is just SOCIALISM!
This is actually a good idea. Sadly, it's another step in the direction of moderated, government approved, unable to opt-out internet.
> "Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem..."
Damn I hope the entire process is automated - sniff/clip/boom....including the customer help line. Gonna be some super fine yelling and screaming at the line judge over this one.
I mean, since 'the problem' has already been determined and all...
Rogers, here in Canada, has been practising this for a few years now, and will notify and disconnect computers that are sending network packets that match known malware. I think it's an automated process, too.
It's sort of funny, there was once a time when someone set the DHCP lease length too short, and several customers wrongly got blasted off the internet as they had been "infected".
Screw the rules, I have green hair!
A couple of years ago, a major ISP in Finland had a somewhat similar system. They wouldn't allow infected computers to take any other network access than HTTP and they redirected all HTTP traffic to a page saying "you're infected" and providing short instructions on how to fix it. It seems that they're not doing it anymore, but I don't know the reason.
I've contacted ISPs about their customers attempting to "hack me" because they were infested with Code Red and Nimda and for some reason my Apache server on Linux looked incredibly tasty. They of course proceeded to ignore me and not even to contact their customers.
The preceding post was not a Slashvertisement.
Want to put a stop to malware/botnets? This is it. If a simple email/phone call asking "are you using irc/running your own mail server?" gets a response of "I don't know what irc is!", shut them down until they can clean out their machines, hell, even give them help, such as redirecting them to an ISP sponsored AV or something (and no, I'm not talking enforcing it like some schools do with clean access or other network admission control.) Doing this sensibly could very seriously take a bite out of a lot of the problems on the 'net today.
My (Australian) ISP has been doing this at least for spam relays for a few years now. If they detect you are being used to spam they cut all your traffic and redirect port 80 to a page telling you what has happened and giving you links to AV tools and an automated traffic checker that will unblock you once you have dealt with the malware. Two of the guys I live with got infected and so I have personal experience dealing with the system. To me it seems like a perfectly sensible and responsible reaction to a serious problem. IMO any ISP not doing this is an irresponsible netizen.
To me it is like your CC company notifying you of suspicious charges or the phone company asking why your mobile is suddenly making hundreds of calls from Azerbaijan. It not only stops the current problem but if people are actually notified that they have a problem they are far more likely to take steps to protect themselves in the future.
========
CINC, 4th Penguin Legion
I know when I was living on campus at a state university my computer was caught in one of their malware scans. I was running Linux and had firewalled ping requests among other things. Their scanning system automatically assumed if a computer did not respond to ping it was infected.
Obviously there is the risk that the scanning could be "extended" but I would back it IF:
1 - Users could opt-out
2 - The list of blacklisted "malware" was maintained and published by a non political body
I'll see your hokum and raise you a boondoggle.
This is known as a "MAC block". Anyone with a brain who controls their own network space is either doing this, or should be doing this. I work at a largish University, and we do this every day to student and faculty/staff workstations who are compromised and are a risk to our network.
If you cut off all the Malware-Infected PCs, only Macs will be left. (ok, maybe some linux boxen).
*ducks*
A lot of ISPs especially the smaller ones have a pretty good idea which of their customers have viruses or have otherwise joined the rank of p0wned botnet zombies and their knowledge is fairly accurate.
Notifying customers of the same might be a good idea but there is a risk they will not react positively and for that reason many opt not to contact the customer.
Personally I would rather not be cut off because some heuristic match thinks I have a virus. Virus scanners routinely make mistakes, overzealous and random spam filters make SMTP Email unusable. Putting network access in the same category would only fast-track a search for a new provider that didn't play games.
There must be better ways. If the ISP can detect this why not push the detection method to the client via CPE router firmware or network hook to analyze traffic... Some PC based software already does this and if there is demand the belkin/linksys/netgear consumer routers of the world it seems could be reasonably positioned to do some basic signature checking.
Having tools/choices via the ISPs customer portal would certainly also be an acceptable approach.
The devil is in the details.
It's illegal to drive on public roads without a driver's licence.
It ought to be illegal to use a computer connected to the internet without some form of minimum qualification. i.e. an "internet licence"
These are the same ISPs that supply you with a dumb modem with no firewall or firewall disabled by default and have no compunction in letting users online with unpatched PCs.
In principle, I'm against the idea of ISPs doing this due to the slippery slope argument - that they will start with "Malware" and move on to other types of traffic that someone decides is undesirable.
For practical reasons, I'm all for it, if it can be done well - it will basically shut down botnets and most spam if it becomes widely adopted, as eventually ISPs that don't adopt it will become havens for malware sites and home to the remaining botnets - at which point, their upstream providers will shut off their access if they refuse to clean up their traffic.
Back in the day, Demon Internet in the UK would check for open relays and port block if one was found. The only reason I know this is the numerous entries in my Linux server at the time. I did speak to one of the tech guys who gave me a run down on what they did. I've no problems with an ISP monitoring and protecting itself.
I want to meet the guy who invented beer and see whats he's up to now.
My otherwise stellar ISP has a "shoot first, ask no questions security policy"
It is frustrating to lose access to my home server while at work and not be able to do any troubleshooting because I need physical access to the machine.
It is quite maddening to finally get home, verify that there is nothing wrong on my end, call up support and (eventually) find out that I've been deliberately disconnected because of a security problem that doesn't exist.
EVERY country needs to be doing this, and not making it voluntary either. Any problem on the internet affects everyone connected to it. Cutting off PCs in one country has limited effect in isolation. Considering botnets are an exclusive Windows problem, Microsoft should be forced to pay for the scheme too. It's their mess after all.
I'm curious about how MS will respond to this if it comes into being. On one hand they'll lose a large number of users, after all, does anyone outside the MS camp really believe that it's not gonna be 100% infected Windows PCs that will be affected? What will MS do?
Will they offer discounted or free vouchers for repairs, upgrades etc? How many of these machines will be unlicensed? Will they pay to fix unlicensed copies of Windows if the owners have no money to spend on a sticker with a number on it? In the current economic climate you can't blame them. Is a subsidy to clean the PC worth the ISP's time and hassle knowing it'll be infected again by the end of the week at the latest, and they'll have to repeat the same warning and threat of disconnection all over again? Will they provide paid anti-malware software? Who pays for all of this? Will they provide training for Windows users to at least give them a chance of having a few months online without a letter?
This would reflect badly on MS in any free press, even having to be the only ones to offer fixes is embarrassing enough. Given that MS control the mainstream media it'll go unnoticed as far as PR is concerned, but it's yet one more thing eating into their profits at a time where they're struggling.
The alternative is to lose a large number either to Linux, or off the internet altogether. Anyone who's had the internet for a while knows what it's like when it goes down for a few hours, will those people really decide the internet is not worth it?
I'm guessing the great philanthropists and all round nice people at MS are busy lobbying at every level to stop this from happening or at least water it down (notice the ISPs are being "asked" not "told"). They need to keep market share by any means necessary, ideally without spending a cent on it. The rest of the world can suffer as long as MS's interests are not hurt.
Given that Windows has all the security of a paper tank in a thunderstorm this will be hilarious to see the workload the scheme entails, and over time the number of Windows PCs in Australia still connected because they're NOT infected. They will drop like flies. Give it a few years and it'll be a Windows free zone.
Full disclosure: I work at Quarantainenet
... plus grab a tan and do some surfing, weather's probably a lot better there than in the cold & wet Netherlands ;)
I'm sure the sales guys would be happy to get some ISPs sold on Qnet to help 'em isolate those malware-infected PCs.
Why not make it compulsory to get networkable devices certified to be malware-free every year just as cars need to go through statutory vehicle inspections? If bandwidth is such an important resource, shouldn't we consider networkable devices to be potentially dangerous and perhaps consider the idea of requiring a license for ownership?
I think while pretty hard on the innocent users this proposition could be good for the internet. If users of unsafe OS are punished there will be at least some incentive to push better security. Right now security is all about lip service and PR. It will also force people who don't upgrade off the net and make them aware that their computers have been breached.
The marginal effects are pretty big but hopefully people will go after the OS/applications vendors for better security.
HTTP/1.1 400
How about an opt in for the user. The ISP would discount the rate in exchange for them monitoring their clients connection for suspicious activity.
Just my 2cents.
If my ISP detects 10,000 of their customers' machines trying to connect to a single 'residential' machine on another ISP, why shouldn't they do something about it? Back in the early '90s, I would send a list of 'infected machines' to abuse@bellsouth.net about once a month. The list included IP Address and timestamp, and if it was obvious, the virus name. As far as I could tell, NOTHING ever became of that information. I've been thinking, and I cannot recall a single positive reply from any message sent to abuse or technical contacts of ISPs.
When I used to work for [very big company], if I detected virus traffic trying to enter our facility coming from anywhere else in the company, I could pick up the phone, contact the company NOC, and (after the first time of having to demonstrate that I did in fact know what I was doing) get a tier-2 or tier-3 to check the connections in the WAN routers, and in less than 5 minutes, they would have pinpointed the offending facility/machine. They'd thank me, and I knew that the problem would be resolved. In fact, after the 3rd or 4th such call, I had a direct line to WAN engineering in FL and in IL.
...an increase in traffic on 443.
ISPs should just provide internet access not police and monitor traffic.
Yeah, and if they help my neighbour get rid of their malware, there will be less useless (even harmful) traffic clogging up the pipes I want to use.
Even though I get along well with the "privacy paranoid" group, I think it's reasonable for ISPs to monitor for malware/spam traffic, and contact the users who get hit by it (which in many cases is through no fault of their own), tell them what's going on and offer help changing the situation.
That's good for the malware-infected customer; it gives the ISP a better reputation and frees up the pipes, which is good for the other customers, making the ISP more competitive, which is good for the ISP. Isn't this just good all around?
On the other hand, having the ultimate power to shut people off with no way of appealing is bad. Very bad. But I'm not sure what to do about users who deny the existence of malware, or refuse to remove it. Just block tcp/25 out? While good, is that good enough?
Can't Nastyware authors detect which ISP you have? Presuming so, it just leads to another Phish attack. Combined with the completely abusive recordings their LEGIT tech support has, you get this:
"Hello, this is ________. Your account details need to be updated because we think you have malware on your computer. Have you rebooted your computer? Rebooting your computer can help remove local events in a browser that are slowing your machine down. Once you have rebooted your computer, stay on the line and an account operative will update your account details. .... ...
"Hello yes? This is ____. Yes, we need to update your account. Can you verify your login name and password yes? Thank you for your patience while we hose your account and your credit. ...."
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
Instead of disconnecting the user, my (Australian) ISP has a more proactive approach. By default they block:
Port 25 (smtp) inbound and outbound
Port 80 (http) inbound
Port 135 DCOM SCM inbound
Port 139 (netbeui/ipx) inbound
Port 443 inbound
Port 445 Microsoft Windows File sharing / NETBIOS inbound
The option to disable port blocking is given on their website, and changes take effect within 15 min. This blocks the propagation of malware without running the risk of accidentally disconnecting users on false positives, and it also can't be used to block file sharing (well it could, but since the user can disable it it would be pointless). The only downside is that if you are infected, you won't get notified and may infect others via USBs, etc.
Most human behaviour can be explained in terms of identity.
Can't Nastyware authors detect which ISP you have? Presuming so, it just leads to another Phish attack.
Those phish attacks would work pretty much as well whether the ISPs actually monitor for malware traffic or not, so the ISPs actually monitoring for malware traffic still makes things better.
Quidnam Latine loqui modo coepi?
Problem is that most people have infected Windows PCs out of ignorance and not so much as apathy. Cutting off their service will just add to the confusion.
boycott slashdot February 10th - 17th check out: altSlashdot.org
It is a much better practice to use a "walled garden"[1] to give them a very limited access to the net until they have cleaned up their infection. I have seen examples of this used to give the customers access to anti-virus software and Windows update only, in addition to a set of web pages that explains why they have limited access (and how to get out of it).
This is a much better solution than just blocking the customers access to the net.
Just cut off all Windows users "preemptively". ;)
On a more serious note: They can't simply cut off the connection. You have a contract. They have an obligation to fulfill it. If they don't, sue, and let them pay for the damage, the breach of contract, the expenses, the expenses to calculate and mail the expenses, and the expenses to... GOTO 10. ^^
Also, a court first would have to decide what is defined as "malware". Because in my eyes, the software that most ISPs offer their clients to "dial in" or "configure the system" is just malware itself.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Rather than cutting them off completely (because how would they get anti-malware apps and updates?), why not just severely limit the bandwidth on an IP that's deemed "malicious"? That way they can still get their machines clean and not kill the speed for the rest of us.
If you are disconnected for being malware infected, exactly what WILL be the process for being reconnected, assuming you aren't just black listed for life as an internet persona non grata? Will it be some byzantine bureaucratic DMV-like red tape nightmare with hundreds, even thousands of people showing up every day as botnets simply infect more and more systems to make up for those it lost during the morning disconnect purge?
Comcrap has disconnected me numerous times for "being infected with malware". I run my own mail server, and it was hosting some small mailing lists at the time. Dyndns outbound mailhop to the rescue. Funny how I'm no longer 'infected' if I'm using port 2525 outbound.
I have long time ago tried to send out multiple requests to ISPs, to try and start a movement such as this, was met with a lot of negativity, saying that the ISP has no responsibility for this, and why would they seeing as they make money on the bandwidth used by the infected machine anyways, so it would be not in their best interest.
An infected machine sending out spam emails uses up bandwidth, and when the user does not catch on there is an extra charge on his bill at the end, it ends up being good for the ISP, as this pays their rent!
I agree with doing something, is this IT as a means to get this done, I am uncertain how it will pan out, but I would have gone charge per email myself, the user would know it by seeing on his bill how many emails he sent, with a cap of course for max charge allowed...but 1 cent per email sounds good. Someone who has a company and legitimately sends out spam emails will be sending out 5 million emails, so the cap will be applicable for them as well....and for someone sending out from their home, will end up seeing that their machine is infected without needing personnel to contact this person and educate them.
Not if you ask their censorship minister Stephen Goebbels-Conroy ...
Well are you surprised that the Kevin Hitler-Rudd dictatorship, would have a Censorship Minister. And if you don't believe it's a dictatorship, ask my Uncle Bob, he's been executed several times in the past two years! Besides which, have you noticed how we don't have elections any more now that Kevin Hitler-Rudd has taken over?!
That being said, I really can't see why you enjoy watching child porn so much mate.
Those who would give up liberty to obtain working drivers, deserve neither liberty nor working drivers.
How can you equate water with internet?
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
I'd say "Yes" do it -- take those infected machines off, if they are confirmed part of a botnet, meaning, not only do packet signatures match known malware, but endpoint history matches botnet C&C addresses.
On the other hand, if ISPs are not confident they can match "malware" criteria *and* properly identify the offending PCs, how does RIAA evidence of a particular PC infringing come off as legitimate? It should not be able to go both ways.
Well, apparently, you only have to fool the majority of people for a little while.
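As an added illustration (not code from the thread, the IIA or any ISP) of the two points made above: the corroboration rule from the comment just above (signature match AND C&C contact before acting) and the walled-garden alternative to outright disconnection from the earlier comment. All addresses, hostnames and signature names are constructed placeholders.

```python
# Added example (not from the thread or any ISP's code): a quarantine
# decision that requires two corroborating indicators before a host is
# moved into a walled garden, instead of acting on a single heuristic.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# Constructed sample indicators. The addresses are documentation-range
# placeholders, not real command-and-control servers.
KNOWN_CNC: Set[str] = {"203.0.113.7", "198.51.100.22"}

# Constructed allow-list for quarantined hosts: AV vendor, OS updates and
# the ISP's own "you're infected" help page (hypothetical hostnames).
WALLED_GARDEN_ALLOW: Set[str] = {"av.example.net", "update.example.net", "help.isp.example"}
HELP_PAGE = "help.isp.example"


@dataclass
class Flow:
    """One summarised connection record from the ISP's sensor (constructed)."""
    src: str                         # customer-side address
    dst: str                         # remote address
    dport: int                       # destination port
    signature: Optional[str] = None  # IDS signature that fired, if any


def classify(flows: Iterable[Flow], known_cnc: Set[str]) -> Dict[str, str]:
    """Return a verdict per customer host.

    'quarantine' only when BOTH a malware signature fired AND the host
    contacted a known C&C address; 'notify' when just one indicator is
    present (contact the customer, do not cut them off); otherwise 'clean'.
    """
    evidence: Dict[str, Dict[str, Set[str]]] = {}
    for f in flows:
        e = evidence.setdefault(f.src, {"sigs": set(), "cnc": set()})
        if f.signature:
            e["sigs"].add(f.signature)
        if f.dst in known_cnc:
            e["cnc"].add(f.dst)
    verdicts: Dict[str, str] = {}
    for host, e in evidence.items():
        if e["sigs"] and e["cnc"]:
            verdicts[host] = "quarantine"
        elif e["sigs"] or e["cnc"]:
            verdicts[host] = "notify"
        else:
            verdicts[host] = "clean"
    return verdicts


def garden_policy(dst_host: str, dport: int) -> str:
    """Per-connection decision for a quarantined host: remediation sites pass,
    other web traffic is redirected to the help page, everything else drops."""
    if dst_host in WALLED_GARDEN_ALLOW:
        return "allow"
    if dport in (80, 443):
        return f"redirect:{HELP_PAGE}"
    return "drop"


# Constructed traffic: 10.0.0.5 is a bot (signature + C&C contact);
# 10.0.0.9 is a legitimate home mail server that only trips a port-25
# heuristic, as described in an earlier comment; 10.0.0.2 is ordinary browsing.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.7", 6667, "irc-bot-checkin"),
    Flow("10.0.0.5", "192.0.2.10", 25, "mass-mailer-burst"),
    Flow("10.0.0.9", "192.0.2.11", 25, "mass-mailer-burst"),
    Flow("10.0.0.2", "192.0.2.12", 443),
]

if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE_FLOWS, KNOWN_CNC).items()):
        print(host, verdict)
```

The mail-server host lands in "notify" rather than "quarantine", which is the false-positive case several commenters describe; a real deployment would feed the verdict into a ticket for the contact step rather than an automatic block.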
.. and we already do this. I don't actually work in the role that does it, but from my understanding we get a list from the IIA (and possibly other sources) and we call the customer, let them know of the issue and also advise them that if they don't get it fixed, in the worst case scenario we could disconnect their internet connection (as it is against T&C). I think SMTP blocks are put in place for confirmed outgoing spam/etc, and not removed until they have fixed it.
I suspect that certain vendors of operating systems won't be in favor of this. I think you will find that the vast majority of systems that are compromised run one of the versions of Windows.
Shutting off Windows systems will make other, competing operating systems suddenly look a lot more attractive.
Best regards.
Imagine your entire company is running through a single IP to get out using a Proxy or NAT. The blockage could do a lot more harm than good here.
Does anyone that actually lives here in Australia truly believe that, oh, let's say, HELLSTRA, sorry, TELSTRA or Optus is actually going to sacrifice profit in order to stop malware? These folks offshore everything and anything they can to cut costs and increase profits - they structure their support systems as much as possible to deter supporting the end-user. I personally believe that unless the Feds step in and put the hard word on the ISPs, they're going to ignore this as much as possible - or make a show of hitting those using torrents or other file-sharing applications just to "make a show" of it all. IMHO, mind you...
YankDownUnder Veni, Vidi, volo in domum redire