Slashdot Mirror


Australian ISPs Asked To Cut Off Malware-Infected PCs

bennyboy64 writes "Australia's Internet Industry Association has put forward a new code of conduct that suggests ISPs contact, and in some cases disconnect, customers that have malware-infected computers. 'Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem,' the new code states. The code won't be mandatory, but it's expected the ISP industry will take it up if they are to work with the Australian Government in preventing the many botnets operating in Australia."

39 of 286 comments

  1. let's wait and see by Anonymous Coward · · Score: 5, Insightful

    if the Australian definition of 'malware' is 'bittorrent'

    1. Re:let's wait and see by indi0144 · · Score: 1, Insightful

      No really. How can they tell if some machine is infected? I know they monitor traffic (after all, AU is the small brother of the big one *cough* UK *cough*). Maybe they can just slow down the bandwidth on infected PCs so when the customer calls because "the internet is slow" the ISP would have the chance to tell them why it's "slow". For those who don't care or can't tell, well, maybe nobody else should care for them either.

      I'd really like to see this implemented worldwide if it's done right.

    2. Re:let's wait and see by someone1234 · · Score: 2, Insightful

      Doing portscan 24/7, taking pause only when sending out 100 mails per minute?

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    3. Re:let's wait and see by Anonymous Coward · · Score: 1, Insightful

      If this is so important, then why don't the telecommunications companies listen in on all our phone calls and terminate the telemarketing calls that are wasting the usable phone lines which means I get a "network busy" signal?

    4. Re:let's wait and see by the_raptor · · Score: 4, Insightful

      Telemarketers pay for access to the phone system. Spammers and botnet controllers hijack other people's access.

      And what third world country do you live in to get "network busy" at any time except during a disaster? I am 26 and have never experienced it myself although I know it happens.

      --

      ========
      CINC, 4th Penguin Legion
    5. Re:let's wait and see by Anonymous Coward · · Score: 1, Insightful

      Nicola Roxon (Australian Health Minister) recently let the cat out of the bag during an interview with the Financial Review (August 20, 2009). She was speaking about the new Health IT system that is aimed at increasing communication between the states, and she stated that the major cause of delay was working out how to prioritise the transmission of medical records over the internet - aka. net neutrality. So suddenly Herr Conroy's filter has another purpose. Then they can also change the laws on data-casting, and expect a nice little income from Channel 7, 9 and 10 for the privilege of priority feeds for their content. I guess they need to figure out ways to make money now that they have sold off the power stations, telecommunications, water and sewerage - and every other 'utility' that was built on the back of the previous generations' taxes.

    6. Re:let's wait and see by pinkushun · · Score: 2, Insightful

      One way is using Honeypots: set it up to appeal to that specific ISP's traffic, log attack attempts, and resolve those back to ISP user accounts.

    7. Re:let's wait and see by commodore64_love · · Score: 5, Insightful

      >>>freedom of speech means watching child porn.

      Nudity is not porn except in the minds of mentally ill persons. And yet oftentimes mere possession of a naked photograph, even if it's of your own family or yourself, will land you in jail. Witness the American students who were charged with child porn because they used their phones to shoot themselves without clothes. Why is taking a photo of yourself illegal??? It's stupidity. It's anti-liberty. Worse - fear of nude bodies is a psychological disease, and I suspect Conroy is patient zero.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  2. Don't be a policeman by kregg · · Score: 5, Insightful

    ISPs should just provide internet access not police and monitor traffic.

    1. Re:Don't be a policeman by some_guy_88 · · Score: 5, Insightful

      The problem is the Australian government are already trying to censor our internet connections at the ISP level and whilst getting rid of bot nets sounds like a great idea, building any sort of traffic monitoring in now sounds dangerously close to their existing plan to filter the net.

      Hell, this could even be their plan, bring in filtering to take down bot nets then slowly but surely start to block porn they don't like and pro-abortion web sites and before you know it any political site not to their liking.

    2. Re:Don't be a policeman by calmofthestorm · · Score: 5, Insightful

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all." - H L Mencken

      Of course this is dicey, as the current proposition is, in my opinion, a good idea. But we all know that GP's right.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    3. Re:Don't be a policeman by Runaway1956 · · Score: 3, Insightful

      I pretty much agree - but the ISPs already monitor traffic for a variety of reasons. Mostly bad reasons, but the monitoring is in place. It really isn't hard to determine that a machine's excessive traffic is due to viral infections. Shutting them down seems like a good idea. When the customer calls to complain, tech support has a kindergarten teacher on hand to explain how simple it is to upgrade to a safe unix-like operating system to avoid future infestations.

      Problem solved.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    4. Re:Don't be a policeman by bzipitidoo · · Score: 1, Insightful

      I think this is a dumb idea. ISPs shouldn't have to cover for Microsoft's insecure software. Why not require that everyone connected to the Internet use a better OS? That idea makes just as much sense, doesn't it?

      Worse is that this can so obviously be used as a wedge to demand that ISPs do copyright policing, obscenity policing, and who knows what else.

      Throttling based solely on quantity of traffic coming from a customer seems a simpler, fairer, less politically exploitable method.

      --
      Intellectual Property is a monopolistic, selfish, and defective concept. It is "tyranny over the mind of man"
    5. Re:Don't be a policeman by dintech · · Score: 2, Insightful

      What about malware writers who figure out how the detection works? This is yet another arms race.

    6. Re:Don't be a policeman by mikael_j · · Score: 5, Insightful

      I've worked for ISPs here in Sweden and most serious ISPs here see it as standard practice to warn and then disconnect users who are running zombie machines, nothing strange or totalitarian about it, it's about protecting their network and their other customers from harm.

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    7. Re:Don't be a policeman by Anonymous Coward · · Score: 1, Insightful

      I pretty much agree - but the ISPs already monitor traffic for a variety of reasons. Mostly bad reasons, but the monitoring is in place. It really isn't hard to determine that a machine's excessive traffic is due to viral infections. Shutting them down seems like a good idea. When the customer calls to complain, tech support has a kindergarten teacher on hand to explain how simple it is to upgrade to a safe unix-like operating system to avoid future infestations.

      Problem solved.

      Meanwhile in the real world: everything previously rejected by censorship initiatives now falls under malware and can be blocked/disconnected without the need for a law that is hard to get past parliament/congress or whatever they call it down there. Reminds me of the German family minister's initiative to make "voluntary" contracts with ISPs to block undesirable sites because putting it into a law would take too much time and opposition.

      Even if it sounds good on the surface, rest assured they won't stop there and they will get pretty creative when it comes to the definition of malware. Not to mention that the more of these filters get implemented, the more will follow. Another example was a court decision here where the judge said an ISP is not required to filter (potentially copyright violating foreign sites) because no filtering infrastructure is in place. Would there have already been an infrastructure, a lot more would have been mandatory to filter.

    8. Re:Don't be a policeman by PeterBrett · · Score: 4, Insightful

      The idea is good because it would make it that much harder to propagate botnets and even feasible, but the real problem is that almost all end users have no idea what malware is or how to stop it. Unless the end user is supported in removing the malware, and in the case of rootkits this usually means reinstalling the OS, then it will only result in a huge number of complaints that the ISPs will not be able to cope with.

      Most end users have no idea how to replace the spin motor on their washing machine, either.

      I don't understand why people who are perfectly happy with getting knowledgeable technicians to work on almost all of their household equipment think that their PC is some sort of magical exception.

    9. Re:Don't be a policeman by Peet42 · · Score: 3, Insightful

      "It's the next-best thing to requiring a license to use the 'net."

      Instead, you'll need a license to run a peer-to-peer protocol.* Any traffic from an "unlicensed application" will be assumed to be malware and thus blocked. That way, only "authorised" applications from vendors who have paid for a license will work. How many of those will be things like "iTunes" and how many things like "BitTorrent"...?

      (*Just because I'm paranoid doesn't mean they aren't out to get us...)

    10. Re:Don't be a policeman by SlashWombat · · Score: 4, Insightful

      The Aussie Government has both good and bad ideas WRT the internet. On the good side, is genuine broadband via a new fibreoptic backbone at an estimated cost of 43e9 dollars. On the bad side is the excretable idea of mandatory filtering. (Which can easily be circumvented ... thus making those who do wish to view kiddie porn even more anonymous!)

      Having said all that, it is NOT the Aussie government advocating this action! Perhaps the errant public would be well served by their ISP informing them that their machine is infected. As it stands, I see machines that are "typhoid Marys", so infected with trojans, viruses and other malware that it is amazing they still work at all. The average user doesn't have a clue there is a problem beyond complaining that their machine is slow. (Which is often why they "upgrade" to a "faster" machine! Seems very fast until the new machine gets infected ... takes about a week!)

    11. Re:Don't be a policeman by Anonymous Coward · · Score: 3, Insightful

      RTFA - They said if the ISP Knows a customer is using a malware infected PC; Working for an Australian (Adelaide) ISP at one point, I can tell you - this is the easy part, We don't have to monitor ports or anything - just wait for somebody to send an email to postmaster/abuse/etc on our domain complaining about spam from specified IP in our range.

      Find the customer's session - call them, tell them it's malware, etc

      Protip: Adelaide ISPs pretty much do this already; having your subnet blocked from sending email to somewhere important (like hotmail or gmail - which are important because customers send lots of email there) means customers get pissy, pissy customers is a loss of business - killing 1 customer's session and suspending their service is better from a business point of view than having 10,000 customers complain and possibly move ISPs...

    12. Re:Don't be a policeman by supernova_hq · · Score: 3, Insightful

      There is a HUGE difference between detecting copyright violations (for which no filter is in place) and detecting outgoing mass-mailing and DOS attacks.

      Any network admin worth the lunch they bring in every day can find a seriously malware infected machine in about 10 minutes.

    13. Re:Don't be a policeman by natd · · Score: 2, Insightful

      This isn't suggesting the ISPs make any decisions, just to apply a new set of rules and have a procedure for disconnection. I suffered for weeks some years back from what looked like DoS attacks and masses of Spam which was largely coming from a single Internet Cafe on George St Sydney. I first spoke to the owner, who basically told me to get stuffed with what I assume were Chinese profanities chucked in for good measure. I appealed to him a few more times to at least try and clean up his machines, he told me to get stuffed. I think the closest he came to acknowledging he had a responsibility was "How am I meant to know what people put on the machines?" I got him cut off, problem went away, but this was only because he was using a major telco who I had some business with. Ordinarily I doubt I'd have been able to do anything and I'd have had to suffer and pay for all the wasted bandwidth / load on my relatively small connection. Many people must have been in just that situation so I'm glad there is even a suggestion that the offenders will now have their plug pulled.

      --
      Only big ligs use sigs.
    14. Re:Don't be a policeman by jimicus · · Score: 3, Insightful

      Well, quite. It doesn't help that Microsoft have conditioned people to ignore these warnings as being totally unimportant, and at the same time have worded them so badly that most people never even try to understand them, they just hammer away trying to find a way to do what they want without the warning coming up.

      I've actually met IT professionals who seem to think that doing this is the correct way to troubleshoot a problem. Shoot me now...

    15. Re:Don't be a policeman by commodore64_love · · Score: 2, Insightful

      "The GP is right"??? Okay. And while we're at it we should advise women to stop wearing clothes cut above the knee, or more than 2 inches below the neck. Plus we should punish people who leave their car doors unlocked. Also we should punish people who have regular windows on their homes instead of unbreakable windows.

      Point - This proposal strikes me as blaming the victim. It's not a woman's fault she got raped, just because she wore revealing clothing. It's not the car or home owner's fault somebody broke in and stole. Likewise in most cases it's not the user's fault somebody used a flash or java applet to hijack his machine (it's typically the fault of the webmaster).

      Stop punishing victims.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    16. Re:Don't be a policeman by Cro+Magnon · · Score: 2, Insightful

      When my car's "check engine" light comes on, there is almost always a real problem. When my computer pops up its warning, it might be something serious or it might mean I need to enter a password, or it might be attention-whoring from my AV program. To be useful, PC warnings have to be rare events that only happen when your machine really does need attention, not things that happen all the time.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    17. Re:Don't be a policeman by IPFreely · · Score: 5, Insightful

      You missed the point. It's not punishment.

      It's quarantine. If a person gets sick with a contagious disease, it may not be their fault and you probably don't want to punish them. But for public safety, you do need to contain them until they are no longer dangerous to others.

      The same applies to sick computers. If it is spewing viruses and malware then stop it, whether the person who owns it was doing it intentionally or not. You can forward all traffic to a local ISP web site that informs them of the problem and directs them to appropriate ISP approved scanning software or other solutions available within the quarantine zone. If the user does not trust the ISP, fine. They can go clean their machine themselves.

      Whether you trust the ISP/Government to have the right motive is a separate issue. But quarantine is an established procedure for humans, and it's not that different here.

      --
      There is nothing so silly as other people's traditions, and nothing so sacred as our own.
  3. sigh by Mr_Plattz · · Score: 2, Insightful

    This is actually a good idea. Sadly, it's another step in the direction of moderated, government approved, unable to opt-out internet.

  4. About time by Falconpro10k · · Score: 3, Insightful

    Want to put a stop to malware/botnets? This is it. If a simple email/phone call asking "are you using irc/running your own mail server?" gets a response of "I don't know what irc is!", shut them down until they can clean out their machines, hell, even give them help, such as redirecting them to an isp sponsored AV or something (and no, I'm not talking enforcing it like some schools do with clean access or other network admission control.) Doing this sensibly could very seriously take a bite out of a lot of the problems on the 'net today.

    1. Re:About time by supernova_hq · · Score: 4, Insightful

      tech support: Are you using irc/running your own mail server?
      alice: I don't know what irc is!

      3 hours later...

      bob: alice, what happened to our internet? I couldn't connect to our server from work today.
      alice: server?

  5. Verify and notify before you disconnect by erice · · Score: 4, Insightful

    My otherwise stellar ISP has a "shoot first, ask no questions security policy"

    It is frustrating to lose access to my home server while at work and not be able to do any troubleshooting because I need physical access to the machine.

    It is quite maddening to finally get home, verify that there is nothing wrong on my end, call up support and (eventually) find out that I've been deliberately disconnected because of a security problem that doesn't exist.

  6. Re:internet licence by neumayr · · Score: 2, Insightful

    It should be illegal to speak in public without some formal education in psychology and rhetoric.
    Some kind of attitude test might be a good idea too.

    --
    Truth arises more readily from error than from confusion. -Francis Bacon
  7. Re:Microsoft's response by Norsefire · · Score: 2, Insightful

    Given the story a few days back about the Linux botnet, and this story a few months ago about the Mac botnet ... The real problem is education, idiots will be idiots no matter what platform they use.

  8. Re:Microsoft's response by jimicus · · Score: 5, Insightful

    Oh come on.

    90% of security holes that have been exploited in the last few years are sitting on the chair in front of the computer. Even if Windows were to evaporate overnight and everyone using it were magically switched to a Mac or to Linux, inside a few weeks you'd see malware pop up which has Apple logos and Linux penguins and makes reassuring noises while insisting it really does need your password.

  9. Re:Microsoft's response by thona · · Score: 2, Insightful

    Which the dumb user will gladly use to install the package giving him access to the latest porn or some better video codec or some new chat emoticons. Under Windows, most malware is installed by software USERS WILLINGLY INSTALL. That won't change under Linux a bit - dumb users will learn to install software. Not for their new word processor, no - because they absolutely NEED those new emoticons in their favourite chat software.

  10. Re:Microsoft's response by grcumb · · Score: 2, Insightful

    Um, not exactly. Evidence of Linux botnets and OS X variants with confirmed infections in the wild.

    The 'botnet' consisted of about 100 Linux servers, none of whom could be proven to have been infected via automated means. Indeed, the man who discovered this threat speculated that they were compromised by sniffing FTP passwords. Not included in the report was how many actual machines were compromised. Individual Linux web servers can host hundreds of accounts or more.

    As a proportion of Linux servers, this number is vanishingly small. Compared to the rate of infection of Windows PCs, both in real numbers and per capita, there's almost no comparison to be made.

    The target of the malicious iframes that the Linux machines were serving up? Windows.

    Methinks you're buying a bit too much into the late 90s / early 2000s era FUD against Microsoft.

    Methinks thou dost protest too much.

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  11. Re:Car Inspection by Sabriel · · Score: 2, Insightful

    Because such a cure would be worse than the disease; we don't need nor want that much bureaucracy.

  12. Pick a number. Make it six digits. by Drakkenmensch · · Score: 2, Insightful

    If you are disconnected for being malware infected, exactly what WILL be the process for being reconnected, assuming you aren't just black listed for life as an internet persona non grata? Will it be some byzantine bureaucratic DMV-like red tape nightmare with hundreds, even thousands of people showing up every day as botnets simply infect more and more systems to make up for those it lost during the morning disconnect purge?

  13. Re:Microsoft's response by LoudMusic · · Score: 2, Insightful

    Did this get modded up so we could all marvel at the insanity of this person? Because those are some outrageously ignorant claims.

    --
    No sig for you. YOU GET NO SIG!
  14. Re:Car Inspection by Hatta · · Score: 2, Insightful

    Do you really want a government bureaucrat picking through your hard disk deciding what is malware and what isn't? Would the government even have technicians capable of determining whether your linux install is malware or not?

    --
    Give me Classic Slashdot or give me death!