Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
All of them?
It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery. Not sure how I feel about this.
Anyone know why there's an overlay saying, "The Cowboy Neil Bot is feeding," on my screen?
If brevity is the soul of wit, then how does one explain Twitter?
I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.
Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larva chewing at your subcutaneous layer of fat.
I'm not a big fan of Comcast, but this is an excellent idea. If all broadband providers would do this, they could put a serious dent in bot nets and reduce the amount of spam and the phishing attacks.
[Insert pithy quote here]
"...if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
Let this be yet another example of why NAT is not an acceptable solution to IPv4 address space allocation. Every device should have its own IP and a proper firewall in place (if necessary).
The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?
If you're infested with a botnet you are doing harm. In short infested computers create attackers and ISPs need to take responsibility for the attackers on their networks. I was more concerned that ISPs have NOT done this until now.
The preceding post was not a Slashvertisement.
ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
www.c0mcast.net/antivirus.exe
Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection
Not if you only have one Windows system.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ten years ago they said I was mad for proposing this.
Thanks, comcast, you arrogant incompetents, for taking a decade to listen to your customers.
But I already moved to FIOS, along with my ENTIRE NEIGHBORHOOD, so tough luck.
Now if every other ISP would do something similar. Maybe block access until a user reads a notice or something.
That said, Comcast's way of doing this might look to me like the website I was looking at was trying to sell me malware... like one of those "YOU'RE INFECTED! SCAN NOW?" popups.
But I didn't have a hard time determining which machine it was. My son was visiting and he was running Windows. Everything else is Linux and one Mac. Not hard to figure it out.
Not only do they probably analyze the traffic in transit to detect an infection, they also manipulate data. Neither of those is acceptable. There are other methods of detection, like running honeypots, and there are other methods of notification, like calling the customer or sending them an email.
Feel free to get another broadband provider if you don't like the way Comcast handles this.
love is just extroverted narcissism
“When we see instructions are being sent from that known evil [Internet address] to one of our customer addresses, we know the instructions from that address cannot be good and that there’s something not good happening on your network,” Douglas said.
Can someone explain how much they know, are they saying they are aware of the ip addresses of the entire bot? If not, then this seems to me like ISP imposed antivirus software.
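The detection the Douglas quote describes, as an added example that is not Comcast's code or from the Krebs article: flag any subscriber address that receives traffic from a "known evil" command-and-control address. Flow records, the C&C list and the customer block are constructed sample data in documentation ranges, not real indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed "known evil" C&C addresses (placeholders, not real indicators).
KNOWN_CC = {"203.0.113.7", "198.51.100.42"}
# Constructed subscriber address pool (documentation range, not an ISP block).
CUSTOMER_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed flow records: timestamp src dst dport bytes
FLOWS = """\
2010-10-01T12:00:01 203.0.113.7 192.0.2.15 6667 512
2010-10-01T12:00:02 192.0.2.15 203.0.113.7 6667 90
2010-10-01T12:00:05 192.0.2.20 203.0.113.99 80 1400
2010-10-01T12:00:09 198.51.100.42 192.0.2.33 8080 256
2010-10-01T12:00:11 203.0.113.7 192.0.2.15 6667 640
"""


def parse_flows(text):
    """Yield one dict per non-empty flow line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        yield {"ts": ts, "src": src, "dst": dst,
               "dport": int(dport), "bytes": int(nbytes)}


def flag_customers(flows, known_cc=KNOWN_CC, customer_net=CUSTOMER_NET):
    """Return {customer_ip: [(ts, cc_ip, dport), ...]} for every subscriber
    address that received "instructions" (inbound traffic) from a C&C address.
    Only the C&C -> customer direction counts, as in the quote."""
    hits = defaultdict(list)
    for f in flows:
        if f["src"] in known_cc and ipaddress.ip_address(f["dst"]) in customer_net:
            hits[f["dst"]].append((f["ts"], f["src"], f["dport"]))
    return dict(hits)


def notifications(flows, min_contacts=1):
    """One notice per customer: address -> number of C&C contacts seen.
    min_contacts is an assumed knob for suppressing one-off hits (the false
    positives other posters mention); nothing about what the customer was
    browsing is needed to send the notice."""
    return {ip: len(ev) for ip, ev in flag_customers(flows).items()
            if len(ev) >= min_contacts}
```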
My parents have a Windows machine that nobody touches simply because it takes about 10 min. to boot since you have to sit through the anti-virus updates.
I'm not a fan of viruses / bot-nets by any means, but I hate anti-virus software almost as much. I'm not a fan of the ISP running one for me, or pushing third party software either.
From Krebs' article:
Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer — including Mac versions of the Symantec suite.
At least most bots have the decency to let you use your own computer. Norton (and in my experience, McAfee) security suites are much less inclined to leave enough free resources for that to be possible.
You don't use science to show that you're right, you use science to become right.
Gosh golly gee whiz, Gomer, I don't think it even bothers GNU/Linux, but, just for our peace of mind, let's ask those wizards on /.
What is the legality of the ISP intercepting a web page a user requested, then injecting their own code into it, then serving it you the end user?
Take Nobody's Word For It.
I kid, I kid. Settle down.
we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats.
You mean the common threats like Norton? The only people who should install Norton are computer experts, and the only reason they would want to is so they can figure out how to uninstall it.
Congratulations to Comcast for doing something about this, but it's not enough. If they can detect the malware infected computer, they can quarantine it. ISPs have a RESPONSIBILITY to prevent computers that they KNOW are infected from messing up other computers on the Internet. OS vendors don't do enough to remove vulnerabilities in their products, end-users don't do enough to lock down their machines, and ISPs don't do enough to restrict the damage infected machines do. Step up!
Excellent move!
Unfortunately malware authors will be updating their Fake AV attacks to emulate that banner in a matter of weeks, so it's only a temporary improvement.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
... bittorrent also setting off this message.
I got one of their emails last weekend. After virus scan and Wireshark analysis I determined that one of my email addresses must have been used for spam. I could find no bad traffic on any of my PCs.
I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.
My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while to for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)
Comcast is creating a system where unrelated websites will notify you of problems in your computer. This is the "Virus detected click here to install antivirus 2011!", except being legitimate it tells people to trust what a random website tells them. Way to train users to trust any website popup, I expect this will result in new phishing scams.
The only upshot is that the people who are infected are often the ones who already install anything that a popup warning tells them to.
Let's look at the following:
1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all HTTP traffic by sending RST packets at you to upset bittorrent, also breaking normal web connections, and anything else which happened to be on port 80, e.g. a lot of games. They messed with DNS to redirect to their own advertising sites for failed lookups. Now they're messing with HTTP to insert their banners. What will that do to traffic which happens to be HTTP but isn't web? News for you (and from your comment this probably IS news for you): the internet is not the web. That'll break bittorrent, games, maybe even iTunes, twitter apps, facebook apps, simple wget/curl transfers, and anything else that just happens to be HTTP on port 80.
2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.
Yes, that's what they should actually be doing. It's in the ToS and if they have a machine connected which is degrading their network and/or being used for malicious attacks on other computers connected via their network, they are completely in their rights to disconnect them. This stinks of them trying to save money from support calls, sending out letters, hey even automated voicemail (which they do ANYWAY) or email.
OR they could just cut them off until they call tech support. OR they could filter the traffic, seeing as they've got enough of a stateful packet inspector in place to a) identify and b) modify your HTTP connections anyway. They just proved they can do it!
I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.
I have a theory that anyone using the phrase "face it" actually knows that what they're suggesting is absurd. You don't seem to understand exactly what's being done here. There's plenty of ways for them to solve this issue, and this tactic is just plain wrong.
Hell, this drops their "neutrality" altogether. They're actively inspecting traffic and inserting their own. I reckon that opens them up to being liable for it, too.
none of them REQUIRED an email to sign up for.
I still have the paperwork scanned in to PDF- just opened the files.
strangely, if you go to the comcast site and create a comcast ID, they require a "non comcast email address" in case they need to get in touch with you...
says lots about their faith in themselves.
every day http://en.wikipedia.org/wiki/Special:Random
...if you have multiple machines running behind a router, best assume they're ALL infected.
It's org you insensitive clod. Ihre sensitive klode. Etc. Welcome to the internet
Intercepting and modifying a customer's Web traffic is not okay. Sending an email, or making an automated phone call would be much better.
The notice from Comcast should tell the user to locate an anti-virus program, and possibly suggest a few pay and free ones WITHOUT LINKS. Because you can't trust ANY links from pop-ups since the bad guys WILL copy their message. But telling the user they ARE infected without saying "Click Here" is a safer way to go.
I'm kind of torn on botnets. The only sites that get taken down by botnets that I have read about lately are sites of organizations I wish didn't exist anyway.
When ACTA inevitably becomes the law of the land, DDoS will be one of the few weapons we plebes will have left against corporatism.
Why I think comcasts idea sucks:
1. If you have an issue call me - even if it's an IVR doing the calling or send me a letter. Given what comcast users pay for HSI there is no fricking excuse for the default notification to be inject shit into my packets.
2. How does comcast know the consumer of the notification is a human? Everything under the fricking sun uses HTTP as a transport nowadays. What if they inject their crap into a protocol exchange that corrupts a computer to computer transaction? The draft they submitted to IETF marks a manually entered list of exceptions as a bullet point but this is obviously totally insufficient.
3. How the hell is the average user going to be able to tell the difference between a Comcast message and a phishers web site with a fake notification? Remember the messages are going out to users who were stupid enough to fall for being drafted into a botnet army in the first place!!
Comcast should fully expect this to be treated as an open door for phishers to steal account information now that the emails have gone out announcing its presence.
4. It actually opens an attack where a web site might intentionally point a browser at network resources that are known botnet CAC addresses with the sole intention of triggering notifications as a means of pissing off the end user and/or comcast. Likewise I am sick of the unaddressed CSRF style attacks possible against most cable modems where external sites can reboot or sometimes even reconfigure cable modems with no authentication of any kind required. They can also force linking to the registration portal and effectively reset the provisioning of your modem knocking you offline .. again BEFORE having to provide any authentication whatsoever.
5. More and more sites are using https where these web notifications do not work.
They won't admit it but I have a strong suspicion the real reason for implementing the infrastructure in the first place will be to manage DMCA notifications at some point in the future. Mark my words they will claim it's for preventing abuse but later its role will be expanded. Dealing with DMCA shit is a much larger human resource drain than any botnet has ever been by a large margin.
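Point 2 above (an injected notice landing in a computer-to-computer HTTP exchange), as an added example that is not Comcast's code or its IETF draft: a toy in-path injector prepends an overlay to every HTTP body, and a JSON API client that checks Content-Length catches the tampering instead of choking on HTML. All messages are constructed; the injector's behaviour (headers left untouched) is an assumption.

```python
import json

# Constructed overlay markup; stands in for an ISP notice, not Comcast's actual banner.
NOTICE = '<div id="isp-notice" style="opacity:0.8">Possible bot detected.</div>'


def build_response(body, content_type):
    """Serialise a minimal HTTP/1.1 200 response (constructed, not captured)."""
    payload = body.encode()
    head = ("HTTP/1.1 200 OK\r\n"
            f"Content-Type: {content_type}\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n")
    return head.encode() + payload


def inject_notice(raw):
    """Naive in-path injector: prepend the overlay to the body of every
    response, leaving the headers alone (assumed behaviour, so the declared
    Content-Length no longer matches the body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head + b"\r\n\r\n" + NOTICE.encode() + body


def parse_response(raw):
    """Split a raw response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode().split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def api_client(raw):
    """A non-browser consumer: verify framing, then decode the body as JSON.
    Returns the parsed object, or an error string describing the failure."""
    headers, body = parse_response(raw)
    declared = int(headers.get("content-length", -1))
    if declared != len(body):
        return f"error: Content-Length {declared} but body is {len(body)} bytes"
    if not headers.get("content-type", "").startswith("application/json"):
        return "error: unexpected Content-Type"
    try:
        return json.loads(body)
    except ValueError as exc:
        return f"error: body is not JSON ({exc})"


def demo():
    """Same API response, once clean and once through the injector."""
    clean = build_response('{"balance": 42}', "application/json")
    return api_client(clean), api_client(inject_notice(clean))
```

A browser would render the tampered response as a page with a banner on top; the API client above sees a framing error instead, which is the "corrupts a computer to computer transaction" case. An HTTPS exchange would not be modifiable this way at all, which is point 5.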
"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
I used to have a Bot Infection but the doctor gave me some cream for it. Now I just get the occasional itch.
I'm against this idea of changing my user experience online. Sure, it would be nice to tell these people they are infected, but they do that by suspending their modem and let them call you. Putting a popup will, like everyone else said, just make it easier for people to social engineer an easier bot infestation with the new fake alerts. The only way I can see this actually being useful in its current form is if this popup was ONLY on the www.comcast.com site. This way, the user would know it's actually Comcast and not some malicious person putting an iframe or div with the same verbiage on their site. But that would only work if everyone had comcast.com as their homepage or visited that site every day, which... no. Good idea solving a difficult problem, wrong implementation of the solution.
How will this affect the ddos'ers out there though? Since botnets are used for ddos, this could spell trouble for the trouble makers. Better hurry and ddos all the music labels before they get everything in place!
The one(s) with Windows installed of course!
I'd prefer to see a prominent notice on my actual invoice. This way they are not mucking with my connection or data, and I'll know it's from them and won't be so easily ignored as an email might be.
The only reason Windows machines are more attacked is because more people use them, and, they use them for things like banking transactions from home OR shopping via credit card online. This alone makes them the MOST attractive target for botnet makers (or, any malware maker/malicious scripted page online etc./et al). Thieves online are NO DIFFERENT from thieves in the real world. For example, pickpockets do NOT go where there are little to no people, they hit train stations, subways, malls or any place large amounts of folks gather. The same holds true online, and where do the MOST folks "gather"? On Windows.
I mean, nobody can tell me that a malscripted website page or maliciously scripted banner ad couldn't be tailored to attack Macs or Linux rigs, because javascript works on them and their web browsers too, which are the same as the ones used on Windows for the most part (the "big 4" in IE, FireFox, and Opera or Chrome) and they use javascript and keep it turned on, by default.
By the way/disclaimer:
I am a user of both Linux (KUbuntu 10.4.1) and Windows (7) and both in 64 bit here, so, I am not some "biased fanboy" because I like both OS' very much (Linux has finally "come into its own" for the MOST part for the home user, as far as surfing the web/doing email/shopping online/viewing websites etc. & even for most "home office tasks", but it does have hassles with drivers for various pieces of "more exotic" equipment, such as my Promise Ex8350 128mb ECC RAM Caching RAID 6 Hard Disk Controller here, which this distro, afaik, doesn't come with drivers for natively (you can pickup open source ones & compile them into the kernel via a floppy disk driven procedure though & SOME distros ("RedHat" stuff, iirc) come with native drivers though)).
According to comcast, my mail server is a bot. Stopped getting disconnected and harassed by forwarding to dyndns's mailhop servers. Suck it, comcast.
Well, they actually said it was technically impossible, and when I offered to do it for free using their existing equipment the tech support management declined to let me speak with anyone who would have the authority to make such a thing happen.
But in fact my entire neighborhood did go over to FIOS - nearly all of them on my recommendation. As did my father's entire neighborhood - we watched the trucks come and go and tallied 'em up (he's retired so he has time for that sort of thing).