Slashdot Mirror

← Back to Stories (view on slashdot.org)

Australian ISPs Asked To Cut Off Malware-Infected PCs

Posted by timothy on from the good-of-the-tribe dept.

bennyboy64 writes "Australia's Internet Industry Association has put forward a new code of conduct that suggests ISPs contact, and in some cases disconnect, customers that have malware-infected computers. 'Once an ISP has detected a compromised computer or malicious activity on its network, it should take action to address the problem. ISPs should therefore attempt to identify the end user whose computer has been compromised, and contact them to educate them about the problem,' the new code states. The code won't be mandatory, but it's expected the ISP industry will take it up if they are to work with the Australian Government in preventing the many botnets operating in Australia."

39 of 286 comments (clear)

  1. let's wait and see by Anonymous Coward · · Score: 5, Insightful

    if the Australian definition of 'malware' is 'bittorrent'

    1. Re:let's wait and see by Dorsai65 · · Score: 5, Interesting

      True, except for one tiny little detail: all the crap the infected/zombie machines spew out wastes bandwidth on the net and slows things down for the rest of us -- as well as trying to infect other machines. Not to mention the spam, DDoS-ing, and other jackassery going on.

      --
      --- Asking inconvenient questions for over 30 years...
    2. Re:let's wait and see by Anonymous Coward · · Score: 5, Funny

      that would make them a bunch of assholes now wouldn't it?

      Nope, it would make us a bunch of arseholes

    3. Re:let's wait and see by the_raptor · · Score: 4, Insightful

      Telemarketers pay for access to the phone system. Spammers and botnet controllers hijack other peoples access.

      And what third world country do you live in to get "network busy" at any time except during a disaster? I am 26 and have never experienced it myself although I know it happens.

      --

      ========
      CINC, 4th Penguin Legion
    4. Re:let's wait and see by commodore64_love · · Score: 5, Insightful

      >>>freedom of speech means watching child porn.

      Nudity is not porn except in the minds of mentally ill persons. And yet oftentimes mere possession of a naked photograph, even it's of your own family or yourself, will land you in jail. Witness the American students who were charged with child porn because they used their phones to shoot themselves without clothes. Why is taking a photo of yourself illegal??? It's stupidity. It's anti-liberty. Worse - fear of nude bodies is a psychological disease, and I suspect Conroy is patient zero.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    5. Re:let's wait and see by KillerBob · · Score: 4, Informative

      ISPs regularly portscan connected clients to make sure that they aren't running a server in violation of the TOS... many large ISPs have terms of service that strictly forbid running such servers, and even the ones that don't have that prohibition will usually keep tabs on their users to see what they're running.

      More than portscanning, they also monitor which ports account for the bulk of your traffic. If you're putting out more than 50MB/day average on port 25, it's a fairly safe bet that it's more than just personal e-mail use. Many large ISPs will also silently redirect all port 25 traffic directly to their own mail server, and some of htem won't be so silent about it, and will simply block outbound port 25 to anything other than their mail servers. When all outgoing mail has to go through their servers, it's pretty easy for them to check attachments for viruses.

      Beyond active scanning, there's also abuse reports... those actually do get read, and if they have the appropriate information, then they can very easily be used to track down the user who's infected with a virus.

      None of the methods are going to detect a user's virus infection the moment they're infected, but taking a few proactive steps as well as taking proper reactive steps can allow the ISP to pick up on suspicious activity, and to work with the user to clean things up.

      Obligatory disclaimer: I used to work for an ISP that did exactly this. We would portscan our users, we would monitor their mail traffic for viruses, and we'd actively monitor the abuse mailbox. When we detected a virus-infected user, we'd send them an e-mail notifying them that they were infected. If they hadn't cleaned up or replied to the e-mail within 5 business days, we'd phone them, and if there was no response within 5 days of that, we'd segregate their connection so that the only sites they could navigate to were the company website, and several notable antivirus sites (McAfee, Norton, AVG, Avast, PC-Cillin). I suspect that the Australian policy described here will work very much the same, and I don't really understand why people are up in arms about it. There's other methods to deal with BitTorrent besides defining it as "malicious" and "viral" (traffic shaping anybody?), and besides that, most piracy these days doesn't even happen through bittorrent. Direct downloads + hjsplit, rename file extensions. They can't really know what's being downloaded, and they can't throttle direct downloads because it'd piss off their customer base.

      --
      If you believe everything you read, you'd better not read. - Japanese proverb
    6. Re:let's wait and see by Nefarious+Wheel · · Score: 4, Funny

      And I'm sure most of the bot nets are from computers in Australia!

      Which as everybody knows, is populated entirely by criminals! So clearly I can't use the botnet closest to me!

      --
      Do not mock my vision of impractical footwear
  2. Don't be a policeman by kregg · · Score: 5, Insightful

    ISPs should just provide internet access not police and monitor traffic.

    1. Re:Don't be a policeman by DavidD_CA · · Score: 5, Informative

      Since infected computers often lead to DDOS and spam botnets, I think this is a good idea.

      Up for debate is the method they use to detect a rogue machine, but if they can perfect that then I'm all for this.

      Clueless users probably go for months without realizing they're sending out hundreds of emails a day, or helping to bring down some remote server.

      It's the next-best thing to requiring a license to use the 'net. ;)

      --
      -David
    2. Re:Don't be a policeman by some_guy_88 · · Score: 5, Insightful

      The problem is the Australian government are already trying to censor our internet connections at the ISP level and whilst getting rid of bot nets sounds like a great idea, building any sort of traffic monitoring in now sounds dangeroulsy close to their existing plan to filter the net.

      Hell, this could even be their plan, bring in filtering to take down bot nets then slowly but surely start to block porn they don't like and pro-abortion web sites and before you know it any political site not to their liking

    3. Re:Don't be a policeman by calmofthestorm · · Score: 5, Insightful

      "The trouble with fighting for human freedom is that one spends most of one's time defending scoundrels. For it is against scoundrels that oppressive laws are first aimed, and oppression must be stopped at the beginning if it is to be stopped at all." - H L Mencken

      Of course this is dicey, as the current proposition is, in my opinion a good idea. But we all know that GP's right.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    4. Re:Don't be a policeman by Runaway1956 · · Score: 3, Insightful

      I pretty much agree - but the ISP's already monitor traffic for a variety of reasons. Mostly bad reasons, but the monitoring is in place. It really isn't hard to determine that a machine's excessive traffic is due to viral infections. Shutting them down seems like a good idea. When the customer calls to complain, tech support has a kindergarten teacher on hand to explain how simple it is to upgrade to a safe unix-like operating system to avoid future infestations.

      Problem solved.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:Don't be a policeman by mikael_j · · Score: 5, Insightful

      I've worked for ISPs here in Sweden and most serious ISPs here see it as standard practice to warn and then disconnect users who are running zombie machines, nothing strange or totalitarian about it, it's about protecting their network and their other customers from harm.

      /Mikael

      --
      Greylisting is to SMTP as NAT is to IPv4
    6. Re:Don't be a policeman by PeterBrett · · Score: 4, Insightful

      The idea is good because it would it that much harder to propagate botnets and even feasible, but the real problem is that almost all end users have no idea what malware is or how to stop it. Unless the enduser is supported in removing the malware, and in the case of rootkits this usually means reinstalling the OS, then it will only result in a huge number of complaints that the ISPs will not be able to cope with.

      Most end users have no idea how to replace the spin motor on their washing machine, either.

      I don't understand why people who are perfectly happy with getting knowledgeable technicians to work on almost all of their household equipment think that their PC is some sort of magical exception.

      --
      Pirate Party UK
    7. Re:Don't be a policeman by Peet42 · · Score: 3, Insightful

      "It's the next-best thing to requiring a license to use the 'net. "

      Instead, you'll need a license to run a peer-to-peer protocol.* Any traffic from an "unlicensed application" will be assumed to be malware and thus blocked. That way, only "authorised" applications from vendors who have paid for a license will work. How many of those will be things like "iTunes" and how many things like "BitTorrent"...?

      (*Just because I'm paranoid doesn't mean they aren't out to get us...)

    8. Re:Don't be a policeman by SlashWombat · · Score: 4, Insightful

      The Aussie Government has both good and bad ideas WRT the internet. On the good side, is genuine broadband via a new fibreoptic backbone at an estimated cost of 43e9 dollars. On the bad side is the excretable idea of mandatory filtering. (Which can easily be circumvented ... thus making those who do wish to view kiddie porn even more anonymous!)

      Having said all that, it is NOT the Aussie government advocating this action! Perhaps the errant public would be well served by their ISP informing them that their machine is infected. As it stands, I see machines that are "typhoid Mary's", So infected with trojan's, virus's and other malware that it is amazing they still work at all. The average user doesn't have a clue there is a problem beyond complaining that their machine is slow. (Which is often why they "upgrade" to a "faster" machine! Seems very fast until the new machine gets infected ... takes about a week!)

    9. Re:Don't be a policeman by Anonymous Coward · · Score: 3, Insightful

      RTFA - They said if the ISP Knows a customer is using a malware infected PC; Working for an Australian (Adelaide) ISP at one point, I can tell you - this is the easy part, We don't have to monitor ports or anything - just wait for somebody to send an email to postmaster/abuse/etc on our domain complaining about spam from specified IP in our range.

      Find the customers session - call them, tell them its malware, etc

      Protip: Adelaide ISPs pretty much do this already; having your subnet blocked from sending email to somewhere important (like hotmail or gmail - which are important becuase customers send lots of email there) means customers get pissy, pissy customers is a loss of business - killing 1 customers session and suspending their service is better from a business point of view than having 10,000 customers complain and possibly move ISPs...

    10. Re:Don't be a policeman by Horus1664 · · Score: 3, Interesting

      I'm in the UK and used to use Zen as my ISP. I found their tech support very helpful in spotting dodgy activity emanating from my home network and advising me on ways to investigate and correct my problems. They did warn that I should take immediate action or they would have to consider suspending my connection. I found this a sensible, helpful and mature approach to the situation.

      If done properly involvement of the ISP in identifying and helping resolve infected PCs should be welcomed I would have thought...

    11. Re:Don't be a policeman by digitig · · Score: 4, Interesting

      I'm surprised that the ISPs don't do this already. When one of my family members connected an infected PC to my home network my (UK) ISP promptly contacted me to tell me that the network was a source of malware attacks and to sort it or they would disconnect me. For which I was grateful, and I helped the family member resolve the problem.

      --
      Quidnam Latine loqui modo coepi?
    12. Re:Don't be a policeman by supernova_hq · · Score: 3, Funny

      If the malware writers decreased their bandwidth and stopped sending mass mailouts, I don't think there would be a NEED to detect them!

    13. Re:Don't be a policeman by supernova_hq · · Score: 3, Insightful

      There is a HUGE difference between detecting copyright violations (for which no filter is in place) and detecting outgoing mass-mailing and DOS attacks.

      Any network admin worth the lunch they bring in every day can find a seriously malware infected machine in about 10 minutes.

    14. Re:Don't be a policeman by jimicus · · Score: 3, Insightful

      Well, quite. It doesn't help that Microsoft have conditioned people to ignore these warnings as being totally unimportant, and at the same time have worded them so badly that most people never even try to understand them, they just hammer away trying to find a way to do what they want without the warning coming up.

      I've actually met IT professionals who seem to think that doing this is the correct way to troubleshoot a problem. Shoot me now...

    15. Re:Don't be a policeman by IPFreely · · Score: 5, Insightful
      You missed the point. It's not punishment.

      It's quarantine. If a person gets sick with a contagious disease, it may not be their fault and you probably don't want to punish them. But for public safety, you do need to contain them until they are no longer dangerous to others.

      The same applies to sick computers. If it is spewing viruses and malware then stop it, whether the person who owns it was doing it intentionally or not. You can forward all traffic to a local ISP web sight that informs them of the problem and directs them to appropriate ISP approved scanning software or other solutions available within the quarantine zone. If the user does not trust the ISP, fine. They can go clean their machine themselves.

      Whether you trust the ISP/Government to have the right motive is a separate issue. But quarantine is an established procedure for humans, and it's not that different here.

      --
      There is nothing so silly as other peoples traditions, and nothing so sacred as our own.
  3. Please don't by rrrhys · · Score: 5, Funny

    Don't make me choose between the internet and bonzibuddy.

  4. There's already precedent for this, too... by Runefox · · Score: 4, Informative

    Rogers, here in Canada, has been practising this for a few years now, and will notify and disconnect computers that are sending network packets that match known malware. I think it's an automated process, too.

    It's sort of funny, there was once a time when someone set the DHCP lease length too short, and several customers wrongly got blasted off the internet as they had been "infected".

    --
    Screw the rules, I have green hair!
  5. Reminds me by Shadikka · · Score: 5, Interesting

    A couple of years ago, a major ISP in Finland had a somewhat similar system. They wouldn't allow infected computers to take any other network access than HTTP and they redirected all HTTP traffic to a page saying "you're infected" and providing short instructions on how to fix it. It seems that they're not doing it anymore, but I don't know the reason.

    1. Re:Reminds me by dnaumov · · Score: 5, Interesting

      A couple of years ago, a major ISP in Finland had a somewhat similar system. They wouldn't allow infected computers to take any other network access than HTTP and they redirected all HTTP traffic to a page saying "you're infected" and providing short instructions on how to fix it. It seems that they're not doing it anymore, but I don't know the reason.

      The largest ISP in Finland, Elisa is still doing it and the system is actually working very well. I haven't seen a single false positive yet (yes I work in their helpdesk).

  6. I think it's a great idea. by pecosdave · · Score: 3, Informative

    I've contacted ISP's about their customers attempting to "hack me" because they were infested with Code Red and Nimda and for some reason my Apache server on Linux looked incredibly tasty. They of course proceeded to ignore me and not even to contact their customers.

    --
    The preceding post was not a Slashvertisement.
    1. Re:I think it's a great idea. by Falconpro10k · · Score: 3, Interesting

      i always enjoyed seeing those in my snort logs, or even the logs in my pix in later years. And yes, I'd send the sniffer trace to the abuse address of the isp, never made a damn bit of difference. This is what infuriates me about consumer isps. If one of my clients who buys service from me started to get sniffer trace emails to my abuse mailbox, i'd be on the phone at the least.

    2. Re:I think it's a great idea. by Gandalf_Greyhame · · Score: 4, Interesting

      I've contacted ISP's about their customers attempting to "hack me" because they were infested with Code Red and Nimda and for some reason my Apache server on Linux looked incredibly tasty. They of course proceeded to ignore me and not even to contact their customers.

      I had a similar experience at University. I was living on campus and had my Apache server running along nicely on my Linux box, and kept on getting these weird error logs. As soon as I saw it I had a feeling that it was Code Red, so I checked up on the net just to confirm. It was. So I then traced it back to its source - one of the University's own computers. I contacted the Uni's IT staff and informed them that they had a machine that was infected with Code Red. Do you know what response they gave me?

      "It isn't our machine that is infected. Your machine is the infected one."

      For anyone who didn't read the above properly, or can't be bothered going back over it again, I was running Apache on Linux and the Code Red worm infected Microsoft IIS Web Servers.

      --
      I am not stubborn. I am right!
  7. About time by Falconpro10k · · Score: 3, Insightful

    Want to put a stop to malware/botnets? This is it. If a simple email/phone call asking "are you using irc/running your own mail server?" gets a response of "I don't know what irc is!", shut them down until they can clean out their machines, hell, even give them help, such as redirecting them to an isp sponsored AV or something (and no, i'm not talking enforcing it like some schools do with clean access or other network admission control.) Doing this sensibly could very seriously take a bite of out a lot of the problems on the 'net today.

    1. Re:About time by badfish99 · · Score: 3, Interesting

      Having sold "unlimited" access at a fixed price, ISPs run on tight margins, so one simple email or phone call, plus the subsequent dealing with the customer, will wipe out the whole year's profit from that customer. So what in practice will happen if ISPs go down this route is that they will simply start blocking the ports for IRC and mail. And then the malware will move to another protocol, and that will be blocked, and so on.

      I suspect the the law of unintended consequences will mean that we'll end up with ISPs that provide access only to http and https.

    2. Re:About time by supernova_hq · · Score: 4, Insightful

      tech support: Are you using irc/running your own mail server?
      alice: I don't know what irc is!

      3 hours later...

      bob: alice, what happened to our internet? I couldn't connect to our server from work today.
      alice: server?

  8. My ISP (EXETEL) already does this.. by the_raptor · · Score: 5, Interesting

    My (Australian) ISP has been doing this at least for spam relays for a few years now. If they detect you are being used to spam they cut all your traffic and redirect port 80 to a page telling you what has happened and giving you links to AV tools and an automated traffic checker that will unblock you once you have dealt with the malware. Two of the guys I live with got infected and so I have personal experience dealing with the system. To me it seems like a perfectly sensible and responsible reaction to a serious problem. IMO any ISP not doing this is an irresponsible netizen.

    To me it is like your CC company notifying you of suspicious charges or the phone company asking why your mobile is suddenly making hundreds of calls from Azerbaijan. It not only stops the current problem but if people are actually notified that they have a problem they are far more likely to take steps to protect themselves in the future.

    --

    ========
    CINC, 4th Penguin Legion
  9. Many school networks already do this by vxvxvxvx · · Score: 3, Interesting

    I know when I was living on campus at a state university my computer was caught in one of their malware scans. I was running Linux and had firewalled ping requests among other things. Their scanning system automatically assumed if a computer did not respond to ping it was infected.

  10. Only Macs will be left by Anonymous Coward · · Score: 3, Funny

    If you cut off all the Malware-Infected PCs, only Macs will be left. (ok, maybe some linux boxen).

    *ducks*

  11. Verify and notify before you disconnect by erice · · Score: 4, Insightful

    My otherwise stellar ISP has a "shoot first, ask no questions security policy"

    It is frustrating to lose access to my home server while at work and not be able to do any troubleshooting because I need physical access to the machine.

    It is quite maddening to finally get home, verify that there is nothing wrong on my end, call up support and (eventually) find out that I've been deliberately disconnected because of a security problem that doesn't exist.

  12. Microsoft's response by AnalPerfume · · Score: 5, Interesting

    EVERY country needs to be doing this, and not making it voluntary either. Any problem on the internet affects everyone connected to it. Cutting off PCs in one country has limited effect in isolation. Considering botnets are an exclusive Windows problem, Microsoft should be forced to pay for the scheme too. It's their mess after all.

    I'm curious about how MS will respond to this if it comes into being. On one hand they'll lose a large number of users, after all, does anyone outside the MS camp really believe that it's not gonna be 100% infected Windows PC's that will be affected? What will MS do?

    Will they offer discounted or free vouchers for repairs, upgrades etc? How many of these machines will be unlicensed? Will they pay to fix unlicensed copies of Windows if the owners either have no money to spend on a sticker with a number on it? In the current economic climate you can't blame them. Is a subsidy to clean the PC worth the ISP's time and hassle knowing it'll be infected again by the end of the week at the latest, and they'll have to repeat the same warning and threat of disconnection all over again. Will they provide paid anti-malware software? Who pays for all of this? Will they provide training for Windows users to at least give them a chance of having a few months online without a letter?

    This would reflect badly on MS in any free press, even having to be the only ones to offer fixes is embarrassing enough. Given that MS control the mainstream media it'll go unnoticed as far as PR is concerned, but it's yet one more thing eating into their profits at a time where they're struggling.

    The alternative is to lose a large number either to Linux, or off the internet altogether. Anyone who's had the internet for a while knows what it's like when it goes down for a few hours, will those people really decide the internet is not worth it?

    I'm guessing the great philanthropists and all round nice people at MS are busy lobbying at every level to stop this from happening or at least water it down (notice the ISPs are being "asked" not "told"). They need to keep market share by any means necessary, ideally without spending a cent on it. The rest of the world can suffer as long as MS's interests are not hurt.

    Given that Windows has all the security of a paper tank in a thunderstorm this will be hilarious to see the workload the scheme entails, and over time the number of Windows PCs in Australia still connected because they're NOT infected. They will drop like flies. Give it a few years and it'll be a Windows free zone.

    1. Re:Microsoft's response by jimicus · · Score: 5, Insightful

      Oh come on.

      90% of security holes that have been exploited in the last few years are sitting on the chair in front of the computer. Even if Windows were to evaporate overnight and everyone using it were magically switched to a Mac or to Linux, inside a few weeks you'd see malware pop up which has Apple logos and Linux penguins and makes reassuring noises while insisting it really does need your password.