Slashdot Mirror


Comcast Warns Customers Suspected of Bot Infection

eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

38 of 196 comments

  1. That's Weird... by Shadow+Wrought · · Score: 2, Funny

    Anyone know why there's an overlay saying, "The Cowboy Neil Bot is feeding," on my screen?

    --
    If brevity is the soul of wit, then how does one explain Twitter?
  2. Bots are a terrible infection to have by BadAnalogyGuy · · Score: 4, Funny

    I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.

    Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larva chewing at your subcutaneous layer of fat.

    1. Re:Bots are a terrible infection to have by gd2shoe · · Score: 2, Funny

      Ever try Adipos? It appears to be an easier and more hygienic (if equally unsettling) way to deal with that extra fat.

      --
      I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  3. Wait, what? by XanC · · Score: 3, Interesting

    The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?

    1. Re:Wait, what? by ceep · · Score: 4, Insightful

      I think this is a good method. It's a lot harder to ignore than other ways that you've suggested (how much of an automated phone message would you listen to if it started as "This is a courtesy call from Comcast internet services ..."). HTTP is also a service that people are more likely to use every day, and there's little chance that an errant spam filter will block it.

      A risk - in theory - is that when people see this popup, they'll say "I'm supposed to not interact with these things" and just click "Close," rather than understanding what it says. On the other hand, if your computer is infected with some sort of 'bot, you probably click through things like this anyway.

    2. Re:Wait, what? by lordDallan · · Score: 2, Insightful

      I'd guess Comcast isn't sending an email at least in part because a healthy percentage of their customers don't use Comcast's crappy email service.

      I still think this is a gross and intrusive tactic, but so is how they hijack DNS redirects to show you a custom "search" page with ads on it. At least they give you an option of turning that "service" off.

    3. Re:Wait, what? by ceep · · Score: 2, Insightful

      So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem? I wouldn't be in favor of overuse of this method, but if you've got a 'bot running on your system, you're part of a problem and maybe something a little heavy-handed is warranted.

    4. Re:Wait, what? by StikyPad · · Score: 5, Informative

      They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.

      Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.

      Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

      This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.

    5. Re:Wait, what? by Mr.+Freeman · · Score: 2, Insightful

      "So: they don't have an e-mail address for you, or a phone number, and you throw out all postal mail you get from them. How do you suggest they contact you if there's a problem?"

      Anyone that throws out mail from Comcast can just as easily ignore the overlay. Besides, it's not Comcast's responsibility to tell you if you have a bot running on your machine. This would be a little like your car putting an overlay on your windshield if your windshield wipers are in need of replacing; it's just ridiculous.

      Also, what happens when someone gets flagged falsely and they can't get the overlay removed? Ever try calling Comcast customer service? Wait three hours on hold and then talk to a moron in India that doesn't speak English, only to be read a script in a thick accent and then have them hang up on you.

      --
      -1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
    6. Re:Wait, what? by Dunbal · · Score: 3, Insightful

      Let's look at the following:

      1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
      2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

      I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

      --
      Seven puppies were harmed during the making of this post.
    7. Re:Wait, what? by StikyPad · · Score: 2, Informative

      I didn't say they don't deserve service, I said they don't have a right to it. What people deserve is only rarely related to what they get. Moreover, their presence on the network is necessarily degrading the experience for everyone else who's being responsible with their activity. Do responsible users *deserve* to be inundated with attacks from the machines of people who, for whatever reason, aren't "advanced user interested in computers and all things technical?" What if we were discussing dogs instead of computers? Would the behavior of their animals be justified by ignorance, incompetence, or apathy?

      As I said I think an adequate balance is struck in this case -- there's no disruption of service, *especially* as far as the non-technical user is concerned, and as for erring on the side of caution (false positives) if you think that's a mistake, then I hope you're not an admin.

  4. Antivirus2010 by Anonymous Coward · · Score: 5, Insightful

    ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
    www.c0mcast.net/antivirus.exe

  5. Re:Mixed feelings by shoehornjob · · Score: 4, Insightful

    Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats. The thing that gets most people though is the drive by bots. People have to abandon the plug and play web mentality as that's what gets them in trouble. One person told me she got a pop up telling her that the computer was infected with 45 viruses. I'm like WTF?? but they fall for it all the time. Education is the only thing that can fix that problem.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
  6. "Might have a difficult time" - perhaps not by SuperKendall · · Score: 5, Funny

    Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection

    Not if you only have one Windows system.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  7. Re:Mixed feelings by Nerdfest · · Score: 3, Insightful

    If they're inspecting your traffic (and I really don't think they should be allowed to without a warrant) this is probably one of the few good things that they could do with what they see.

  8. Re:Mixed feelings by MoonBuggy · · Score: 4, Insightful

    One person told me she got a pop up telling her that the computer was infected with 45 viruses.

    A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.

    An email to the address they have on file would be much less creepy and more effective, IMO.

  9. Re:IPv6! by alvinrod · · Score: 2, Insightful

    I think that most of the people who are qualified to set up and maintain their own router are also qualified enough to determine exactly which of their machines are infected. Of course there will always be a few people who knew just enough about setting up a router to be dangerous, but if the network is completely open and someone using their network is spewing out spam or other garbage, it might tip off the network owner that they should secure their network.

    IPv4 isn't a serious problem, and that part of the summary seems rather silly considering that anyone who has a serious network setup probably either has a good understanding of it or has a friend / family member with that knowledge. IPv6 would be a lot nicer, but the world is going to go on dragging its feet as long as it can.

  10. Well it's about friggin' time! by ThreeGigs · · Score: 2, Interesting

    Now if every other ISP would do something similar. Maybe block access until a user reads a notice or something.

    That said, Comcast's way of doing this might look to me like the website I was looking at was trying to sell me malware... like one of those "YOU'RE INFECTED! SCAN NOW?" popups.

  11. Re:Mixed feelings by Capt.DrumkenBum · · Score: 3, Insightful

    An email to the address they have on file would be much less creepy and more effective, IMO.

    Because people will ignore the email.
    Just one more piece of spam.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  12. Re:Mixed feelings by shoehornjob · · Score: 2, Insightful

    An email to the address they have on file would be much less creepy and more effective, IMO

    I agree but not everyone uses Comcast email.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
  13. Re:Mixed feelings by Anonymous Coward · · Score: 2, Insightful

    If the customer fails to address the issue promptly, then Comcast should disable their connection. When they call in, Comcast could easily ask them for an email address to forward such communications to.

    I work for an ISP and this is how we handle it. (Of course, we're small, so we also call the customer on the phone number(s) on their account.)

  14. Re:Mixed feelings by Anonymous Coward · · Score: 2, Informative

    FTFA:

    Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.

  15. Re:Mixed feelings by amicusNYCL · · Score: 4, Informative

    That's a good point, but the screenshot does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.

    That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  16. Re:IPv6! by vux984 · · Score: 2, Insightful

    I think that most of the people who are qualified to set up and maintain their own router are also qualified enough to determine exactly which of their machines are infected

    1) You go to Best Buy and plug $59 for a 4 port router box.
    2) You take it home and plug it into the wall.
    3) You plug the WAN port on the router into the cable or DSL box. - this is the hardest part to get right
    4) You plug your computers into the other ports and start accessing the internet

    People qualified to do the above are not qualified to determine which of their machines are infected.

  17. Re:Mixed feelings by gd2shoe · · Score: 2, Insightful

    Sorry, but that does rather look like spam.

    --
    I won't join Slashcott. OTOH, If Beta goes live, I just won't be back until it's fixed. Sorry Dice.
  18. Re:Excellent idea by green1 · · Score: 3, Interesting

    What happened to the good old days of ISPs where if your computer was being a menace the ISP phoned you, and if you still didn't fix it they cut off your internet access until you did?

    It worked, and it worked well.

  19. ten bucks on .... by trum4n · · Score: 2, Insightful

    ... bittorrent also setting off this message.

  20. Re:Mixed feelings by spazdor · · Score: 2, Funny

    That, and they seem to have an increasingly small workforce which is able to communicate effectively in English over the phone. ...Oh yeah, like you said.

    --
    DRM: Terminator crops for your mind!
  21. Re:Mixed feelings by Hamsterdan · · Score: 4, Interesting

    What about a phone call? My ISP does this. Granted, it only has about 1.5 million customers. The way it goes is first, a phone call, if they are unable to talk to the person, they disable the modem until they call back. They only do this for large botnets, unless they receive a complaint about an IP.

    But it *IS* effective.

    Overlays and emails will only teach people to click on fake antivirus warnings, like you said...

    --
    I've got better things to do tonight than die.
  22. Good idea, but a bad implementation by izomiac · · Score: 3, Insightful

    I think it's great that Comcast is trying to address the bot problem. But they picked a rather poor method IMHO. Surely it's obvious that you can't rely on the infected computer to relay the message... All the bot has to do is run a filtering proxy server and these HTTP insertions are long gone. The best solution would be to use another communication device, i.e. a telephone or letter. Besides, you may have a little old lady that only uses (non-ISP) e-mail twice a month, which might not get the message.

    My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)

  23. Re:Mixed feelings by Capt.DrumkenBum · · Score: 2, Informative

    I don't know about you. But as soon as I realize it is a call from an autodialer, I hang up.

    --
    If I were God, wouldn't I protect my churches from acts of me?
  24. You just don't get it by pslam · · Score: 2, Insightful

    Let's look at the following:

    1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.

    No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all HTTP traffic by sending RST packets at you to upset bittorrent, also breaking normal web connections, and anything else which happened to be on port 80, e.g. a lot of games. They messed with DNS to redirect to their own advertising sites for failed lookups. Now they're messing with HTTP to insert their banners. What will that do to traffic which happens to be HTTP but isn't web? News for you (and from your comment this probably IS news for you): the internet is not the web. That'll break bittorrent, games, maybe even iTunes, twitter apps, facebook apps, simple wget/curl transfers, and anything else that just happens to be HTTP on port 80.

    2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.

    Yes, that's what they should actually be doing. It's in the ToS and if they have a machine connected which is degrading their network and/or being used for malicious attacks on other computers connected via their network, they are completely in their rights to disconnect them. This stinks of them trying to save money from support calls, sending out letters, hey even automated voicemail (which they do ANYWAY) or email.

    OR they could just cut them off until they call tech support. OR they could filter the traffic, seeing as they've got enough of a stateful packet inspector in place to a) identify and b) modify your HTTP connections anyway. They just proved they can do it!

    I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.

    I have a theory that anyone using the phrase "face it" actually knows that what they're suggesting is absurd. You don't seem to understand exactly what's being done here. There's plenty of ways for them to solve this issue, and this tactic is just plain wrong.

    Hell, this drops their "neutrality" altogether. They're actively inspecting traffic and inserting their own. I reckon that opens them up to being liable for it, too.

  25. Re:Mixed feelings by PopeRatzo · · Score: 2, Interesting

    It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery.

    Who wants to bet that torrent trackers and users of uTorrent will end up with these "overlays"?

    --
    You are welcome on my lawn.
  26. Re:Mixed feelings by PopeRatzo · · Score: 2, Insightful

    I work for an ISP and this is how we handle it.

    Yes, but your business plan is probably just to profit from providing internet bandwidth to customers.

    Comcast has a whole 'nother agenda.

    --
    You are welcome on my lawn.
  27. Do we really want botnets to go away? by mykos · · Score: 3, Interesting

    I'm kind of torn on botnets. The only sites that get taken down by botnets that I have read about lately are sites of organizations I wish didn't exist anyway.

    When ACTA inevitably becomes the law of the land, DDoS will be one of the few weapons we plebes will have left against corporatism.

  28. The Case For Internet Licenses by DynaSoar · · Score: 2, Insightful

    "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."

    If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.

    --
    "I may be synthetic, but I'm not stupid." -- Bishop 341-B
  29. Re:Mixed feelings by thegarbz · · Score: 2, Informative

    If they weren't "inspecting" traffic then the internet wouldn't work. How else would you route data from one computer to another without inspecting the traffic to see where the data needs to go? This same level of data can also tell you if the computer is a bot. For instance, if your computer is only sending data to port 25 to seemingly random hosts continuously for days, take a guess at what is happening; it's likely to only be one of two things. Same thing for suddenly getting a lot of 100% identical requests from 50 computers on your network at the same time going to the same destination, maxing out their own connection.

    This is no different than the telephone company "inspecting" the line for a 2600Hz tone when the phone was placed off hook. A lot can be done without looking at the content of the data.
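The metadata-only heuristics this comment describes, written out as an added example that is not from the thread, from Comcast or from Damballa: it flags a host spraying port 25 at many distinct destinations over days, a synchronized burst of identical-sized requests from many hosts to one destination, and (per the article excerpt quoted earlier in the thread) traffic to a listed command-and-control address. Every address, threshold and the C2 list are constructed placeholders.

```python
"""Bot heuristics over flow metadata only (no payload inspection).

Each flow record is a tuple: (timestamp_seconds, src, dst, dport, request_bytes).
All sample data below is constructed; thresholds are illustrative.
"""
from collections import defaultdict

# Constructed stand-in for an external C2 feed (placeholder address).
KNOWN_C2 = {"198.51.100.7"}


def c2_callbacks(flows):
    """Sources whose traffic reaches a listed C2 address."""
    return sorted({src for _, src, dst, _, _ in flows if dst in KNOWN_C2})


def smtp_sprayers(flows, min_hosts=20, min_hours=24):
    """Sources sending on port 25 to many distinct hosts over a long span."""
    by_src = defaultdict(lambda: [set(), []])  # src -> [dst set, timestamps]
    for ts, src, dst, dport, _ in flows:
        if dport == 25:
            by_src[src][0].add(dst)
            by_src[src][1].append(ts)
    flagged = []
    for src, (dsts, times) in by_src.items():
        span_hours = (max(times) - min(times)) / 3600
        if len(dsts) >= min_hosts and span_hours >= min_hours:
            flagged.append(src)
    return sorted(flagged)


def synchronized_floods(flows, min_sources=50, window=5):
    """Destinations hit by many sources with identical-sized requests
    inside the same time window (DDoS-style behaviour from a botnet)."""
    buckets = defaultdict(set)  # (dst, dport, size, window index) -> sources
    for ts, src, dst, dport, size in flows:
        buckets[(dst, dport, size, ts // window)].add(src)
    return sorted({(dst, dport) for (dst, dport, _, _), srcs in buckets.items()
                   if len(srcs) >= min_sources})


def build_sample():
    """Constructed flows: one spammer, one normal mail client,
    one 60-host synchronized burst and one C2 callback."""
    flows = []
    for i in range(30):  # 30 SMTP destinations spread over ~48 hours
        flows.append((i * 6000, "10.0.0.5", f"203.0.113.{i}", 25, 300))
    for i in range(5):   # legitimate client: one relay, a few sends
        flows.append((i * 3600, "10.0.0.8", "192.0.2.25", 25, 1200))
    for i in range(60):  # identical 512-byte requests at the same second
        flows.append((1000, f"10.0.1.{i}", "192.0.2.80", 80, 512))
    flows.append((5000, "10.0.0.9", "198.51.100.7", 443, 200))
    return flows


if __name__ == "__main__":
    sample = build_sample()
    print("C2 callbacks:", c2_callbacks(sample))
    print("SMTP sprayers:", smtp_sprayers(sample))
    print("synchronized floods:", synchronized_floods(sample))
```

The legitimate mail client is not flagged because it talks to a single relay, which is the distinction the comment relies on; a real deployment would tune the thresholds per customer base.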

  30. Re:Mixed feelings by mcgrew · · Score: 2, Insightful

    How about a message that comes with the monthly bill in snailmail?