Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery. Not sure how I feel about this.
Anyone know why there's an overlay saying, "The Cowboy Neil Bot is feeding," on my screen?
If brevity is the soul of wit, then how does one explain Twitter?
I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.
Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larvae chewing at your subcutaneous layer of fat.
I'm not a big fan of Comcast, but this is an excellent idea. If all broadband providers would do this, they could put a serious dent in bot nets and reduce the amount of spam and the phishing attacks.
[Insert pithy quote here]
The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?
If you're infested with a botnet you are doing harm. In short infested computers create attackers and ISPs need to take responsibility for the attackers on their networks. I was more concerned that ISPs have NOT done this until now.
The preceding post was not a Slashvertisement.
ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
www.c0mcast.net/antivirus.exe
"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
Not if you only have one Windows system.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Ten years ago they said I was mad for proposing this.
Thanks, Comcast, you arrogant incompetents, for taking a decade to listen to your customers.
But I already moved to FIOS, along with my ENTIRE NEIGHBORHOOD, so tough luck.
I think that most of the people who are qualified to set up and maintain their own router are also qualified enough to determine exactly which of their machines are infected. Of course there will always be a few people who knew just enough about setting up a router to be dangerous, but if the network is completely open and someone using their network is spewing out spam or other garbage, it might tip off the network owner that they should secure their network.
IPv4 isn't a serious problem, and that part of the summary seems rather silly considering that anyone who has a serious network setup probably either has a good understanding of it or has a friend / family member with that knowledge. IPv6 would be a lot nicer, but the world is going to go on dragging its feet as long as it can.
Now if every other ISP would do something similar. Maybe block access until a user reads a notice or something.
That said, Comcast's way of doing this might look to me like the website I was looking at was trying to sell me malware... like one of those "YOU'RE INFECTED! SCAN NOW?" popups.
But I didn't have a hard time determining which machine it was. My son was visiting and he was running Windows. Everything else is Linux and one Mac. Not hard to figure it out.
I don't want to firewall every damn device on my LAN when I can throw up a single firewall at the choke point.
No thanks.
Gone!
Coincidentally, I've noticed Comcast seems to be deploying IPv6 to home users. I was just helping a friend move into a new apartment, and I had the toughest time setting up the wireless router. Turned out that the router didn't support IPv6, so it wasn't able to connect to the cable modem. Right now, I've had her just wire up her laptop, but I'm going to see if different firmware makes the router usable.
“When we see instructions are being sent from that known evil [Internet address] to one of our customer addresses, we know the instructions from that address cannot be good and that there’s something not good happening on your network,” Douglas said.
Can someone explain how much they know? Are they saying they are aware of the IP addresses of the entire bot? If not, then this seems to me like ISP-imposed antivirus software.
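The detection Douglas describes above is a flow-level check: the ISP only sees the household's single public address talking to a listed command-and-control address, while the customer's own router sees the private addresses and can name the specific LAN host. This is an added, constructed illustration of both views, not Comcast's system; the C2 list and all flow records are made-up placeholders in the RFC 5737 documentation ranges.

```python
"""Constructed example: flag a customer address that exchanges traffic with a
known C2 address (the ISP's view), then use the router's own NAT-side flow
records to pinpoint which internal machine is responsible."""
import ipaddress
from collections import defaultdict

# Placeholder C2 list (hypothetical; an ISP would draw this from threat-intel feeds).
KNOWN_C2 = {"203.0.113.7", "198.51.100.42"}

# ISP view: constructed NetFlow-style records (src, dst, dst_port, bytes).
# 192.0.2.10 is one household's public address after NAT; 192.0.2.11 is another customer.
ISP_FLOWS = [
    ("192.0.2.10", "198.51.100.80", 443, 5120),   # ordinary web browsing
    ("192.0.2.10", "203.0.113.7", 8080, 412),     # beacon out to a listed C2
    ("203.0.113.7", "192.0.2.10", 8080, 96),      # "instructions" coming back in
    ("192.0.2.11", "198.51.100.80", 80, 1024),    # different customer, clean
]

# Router view: the same household's traffic before NAT rewrote the source addresses.
ROUTER_FLOWS = [
    ("192.168.1.20", "198.51.100.80", 443, 5120),  # laptop, clean
    ("192.168.1.37", "203.0.113.7", 8080, 412),    # desktop: the beacon
    ("192.168.1.37", "203.0.113.7", 8080, 388),    # same desktop, another beacon
    ("192.168.1.52", "198.51.100.80", 80, 1024),   # another machine, clean
]


def flagged_customers(flows, c2=KNOWN_C2):
    """ISP side: map each customer address to the (C2 address, port) pairs it
    exchanged traffic with, in either direction."""
    hits = defaultdict(set)
    for src, dst, port, _ in flows:
        if dst in c2:
            hits[src].add((dst, port))
        elif src in c2:
            hits[dst].add((src, port))
    return dict(hits)


def pinpoint_internal_hosts(flows, c2=KNOWN_C2):
    """Router side: same test on pre-NAT records, counting beacons per private
    host so the result names one machine rather than the whole household."""
    counts = defaultdict(int)
    for src, dst, port, _ in flows:
        peer = dst if dst in c2 else src if src in c2 else None
        if peer is None:
            continue
        local = src if peer == dst else dst
        if ipaddress.ip_address(local).is_private:
            counts[local] += 1
    return dict(counts)


if __name__ == "__main__":
    print("ISP would flag:", flagged_customers(ISP_FLOWS))
    print("Router pinpoints:", pinpoint_internal_hosts(ROUTER_FLOWS))
```

The ISP result names only the public address, which is why the notification reaches the whole household; the router result is what the "turn them off one at a time" advice elsewhere in the thread is a manual substitute for.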
My parents have a Windows machine that nobody touches simply because it takes about 10 min. to boot since you have to sit through the anti-virus updates.
I'm not a fan of viruses / bot-nets by any means, but I hate anti-virus software almost as much. I'm not a fan of the ISP running one for me, or pushing third party software either.
From Krebs' article:
Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer — including Mac versions of the Symantec suite.
At least most bots have the decency to let you use your own computer. Norton (and in my experience, McAfee) security suites are much less inclined to leave enough free resources for that to be possible.
You don't use science to show that you're right, you use science to become right.
Aren't Comcast supposed to be using 6rd? It should be compatible. You can try the following procedure: unplug the modem from the laptop, do a hard reset of the modem, then plug it into the router. You have to do this sometimes because some modems remember the first MAC address they spoke to and only speak to that address afterward.
Jehovah be praised, Oracle was not selected
Gosh golly gee whiz, Gomer, I don't think it even bothers GNU/Linux, but, just for our peace of mind, let's ask those wizards on /.
"I think that most of the people who are qualified to setup and maintain their own router are also qualified enough to determine exactly which of their machines are infected"
1) You go to Best Buy and pay $59 for a 4-port router box.
2) You take it home and plug it into the wall.
3) You plug the WAN port on the router into the cable or DSL box. This is the hardest part to get right.
4) You plug your computers into the other ports and start accessing the internet
People qualified to do the above are not qualified to determine which of their machines are infected.
What is the legality of the ISP intercepting a web page a user requested, then injecting their own code into it, then serving it to you, the end user?
Take Nobody's Word For It.
I kid, I kid. Settle down.
"we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats."
You mean the common threats like Norton? The only people who should install Norton are computer experts, and the only reason they would want to is so they can figure out how to uninstall it.
Congratulations to Comcast for doing something about this, but it's not enough. If they can detect the malware infected computer, they can quarantine it. ISPs have a RESPONSIBILITY to prevent computers that they KNOW are infected from messing up other computers on the Internet. OS vendors don't do enough to remove vulnerabilities in their products, end-users don't do enough to lock down their machines, and ISPs don't do enough to restrict the damage infected machines do. Step up!
Very true. It's specifically true for Comcast, and has been for years.
I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
I'll try that next time I'm over. Thanks.
I agree. You shouldn't run NAT.
Excellent move!
Unfortunately malware authors will be updating their Fake AV attacks to emulate that banner in a matter of weeks, so it's only a temporary improvement.
With reasonable men I will reason; with humane men I will plead; but to tyrants I will give no quarter. -- William Lloyd
... BitTorrent also setting off this message.
No, but neither are those people qualified to disinfect a single computer connected directly to the Internet. In either case, the solution is the same: unplug the cable modem and call a nerd for help.
DRM: Terminator crops for your mind!
I don't agree. You should run NAT when your only choices for a reasonable price are no connection and an IPv4 connection.
Let's say I have an office with 100 machines and 5 public IP addresses. I have a few addresses with specific port forwarding set up for services to some servers and the rest of the workstations share an external address. Hell, web traffic out of the aforementioned servers may go out the same external address as the workstations. They all share a common firewall that NATs the internal network. Why is this scenario bad?
I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.
My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)
...at which point the nerd will tell you to fuck off.
(I'm quite aware that said comic has nothing to do with virus removal, but the phone call would be so similar that the nerd won't listen...)
$ make available
Comcast is creating a system where unrelated websites will notify you of problems in your computer. This is the "Virus detected click here to install antivirus 2011!", except being legitimate it tells people to trust what a random website tells them. Way to train users to trust any website popup, I expect this will result in new phishing scams.
The only upshot is that the people who are infected are often the ones who already install anything that a popup warning tells them to.
Let's look at the following:
1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all HTTP traffic by sending RST packets at you to upset BitTorrent, also breaking normal web connections, and anything else which happened to be on port 80, e.g. a lot of games. They messed with DNS to redirect to their own advertising sites for failed lookups. Now they're messing with HTTP to insert their banners. What will that do to traffic which happens to be HTTP but isn't web? News for you (and from your comment this probably IS news for you): the internet is not the web. That'll break BitTorrent, games, maybe even iTunes, Twitter apps, Facebook apps, simple wget/curl transfers, and anything else that just happens to be HTTP on port 80.
2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.
Yes, that's what they should actually be doing. It's in the ToS and if they have a machine connected which is degrading their network and/or being used for malicious attacks on other computers connected via their network, they are completely in their rights to disconnect them. This stinks of them trying to save money from support calls, sending out letters, hey even automated voicemail (which they do ANYWAY) or email.
OR they could just cut them off until they call tech support. OR they could filter the traffic, seeing as they've got enough of a stateful packet inspector in place to a) identify and b) modify your HTTP connections anyway. They just proved they can do it!
I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.
I have a theory that anyone using the phrase "face it" actually knows that what they're suggesting is absurd. You don't seem to understand exactly what's being done here. There's plenty of ways for them to solve this issue, and this tactic is just plain wrong.
Hell, this drops their "neutrality" altogether. They're actively inspecting traffic and inserting their own. I reckon that opens them up to being liable for it, too.
None of them REQUIRED an email to sign up for.
I still have the paperwork scanned in to PDF; I just opened the files.
Strangely, if you go to the Comcast site and create a Comcast ID, they require a "non-Comcast email address" in case they need to get in touch with you...
Says lots about their faith in themselves.
every day http://en.wikipedia.org/wiki/Special:Random
With IPv6 (or with IPv4 for that matter) you can still throw up a single firewall. To duplicate the protection you get from using NAT, just make it reject all incoming connection requests.
I'm kind of torn on botnets. The only sites that get taken down by botnets that I have read about lately are sites of organizations I wish didn't exist anyway.
When ACTA inevitably becomes the law of the land, DDoS will be one of the few weapons we plebes will have left against corporatism.
Why I think Comcast's idea sucks:
1. If you have an issue, call me (even if it's an IVR doing the calling) or send me a letter. Given what Comcast users pay for HSI there is no fricking excuse for the default notification to be injecting shit into my packets.
2. How does Comcast know the consumer of the notification is a human? Everything under the fricking sun uses HTTP as a transport nowadays. What if they inject their crap into a protocol exchange that corrupts a computer-to-computer transaction? The draft they submitted to the IETF marks a manually entered list of exceptions as a bullet point, but this is obviously totally insufficient.
3. How the hell is the average user going to be able to tell the difference between a Comcast message and a phisher's web site with a fake notification? Remember the messages are going out to users who were stupid enough to fall for being drafted into a botnet army in the first place!!
Comcast should fully expect this to be treated as an open door for phishers to steal account information now that the emails have gone out announcing its presence.
4. It actually opens an attack where a web site might intentionally point a browser at network resources that are known botnet C&C addresses with the sole intention of triggering notifications as a means of pissing off the end user and/or Comcast. Likewise I am sick of the unaddressed CSRF-style attacks possible against most cable modems, where external sites can reboot or sometimes even reconfigure cable modems with no authentication of any kind required. They can also force linking to the registration portal and effectively reset the provisioning of your modem, knocking you offline... again BEFORE having to provide any authentication whatsoever.
5. More and more sites are using https where these web notifications do not work.
They won't admit it, but I have a strong suspicion the real reason for implementing the infrastructure in the first place will be to manage DMCA notifications at some point in the future. Mark my words: they will claim it's for preventing abuse, but later its role will be expanded. Dealing with DMCA shit is a much larger human resource drain than any botnet has ever been, by a large margin.
"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
I'd prefer to see a prominent notice on my actual invoice. This way they are not mucking with my connection or data, and I'll know it's from them and won't be so easily ignored as an email might be.
"it might tip off the network owner that they should secure their network"
If you have wifi, secure the individual computers, share the network. Anything less is almost as selfish as the assholes sending spam in the first place. Of course, if you discover spam, blackhole the spammer's IP (or do a little vigilantism and ruin his computer).
Free Martian Whores!
According to Comcast, my mail server is a bot. Stopped getting disconnected and harassed by forwarding to dyndns's mailhop servers. Suck it, Comcast.
Well, they actually said it was technically impossible, and when I offered to do it for free using their existing equipment the tech support management declined to let me speak with anyone who would have the authority to make such a thing happen.
But in fact my entire neighborhood did go over to FIOS - nearly all of them on my recommendation. As did my father's entire neighborhood - we watched the trucks come and go and tallied 'em up (he's retired so he has time for that sort of thing).