Federal law enforcement agents targeting botnets recently recorded a grim milestone, identifying the millionth potential zombie victim, the FBI said Wednesday. Operation Bot Roast, as the cyber crime project has come to be known, has now logged more than 1m IP addresses belonging to a botnet. That amounts to plenty of owners, …
I say detect and delete
Victims of malware should be detected and their ISP informed. Once that is done, the ISP should email the victim with an explanation and a warning that, if nothing is done within 30 days, their access will be cut off.
Repeat the message every seven days until something is done or the cutoff date arrives. If nothing is done, cut them off.
When the user calls to complain, have someone ready at the call center to help the user purge the PC or reinstall it (yes, this is going to be the most costly part). When the PC is clean, service may resume.
For the inevitable cranky user, a reminder that Federal law can consider that he is an e-terrorist and can thus be deported to Guantanamo without trial should cut off quite an amount of steam.
re: I say detect and delete
It's a good idea in theory but to enable such an event the ISP would have to amend their T&Cs to allow them to block internet access on 'zombie' machines where the owners have been alerted but nothing done after 30 days, plus if you were to block their internet access off, how would they be able to get the latest anti-virus fingerprints and/or Windows service pack updates if re-installing from scratch?
But perhaps the zombie machine owners should be inconvenienced in some way for having to clean out their machines, because after all it's most likely their machine has inconvenienced many other people through spam etc.
A simple way to stop spam
Given that most spam is beamed directly to the "victim's" mailserver, the simple solution is for all ISPs to block SMTP access to any email server except the one they provide with the account.
Advanced users could have a way of adding some other permitted SMTP servers, but that's no worry as the advanced users are not the problem.
That way the general muppet user's PC will not be able to send out all the junk.
ISPs need an "infection parking lot"
Problem is that many lusers don't use their ISPs email address, and would never see these alerts. My personal favourite would be for ISPs to spot those bot infected PCs, and "park" them offline in a corner of their network.
If a PC is showing clear signs of bot infection, then force the PC to disconnect from the "normal" network, and drop them into a quarantine area. In this area, every web page that the customer tries to load should be replaced with a single "you have been pwned" webpage. This can then include numerous links to anti-virus products and spyware cleaners.
Bonus points to those ISPs who attempt to recognize which infection it is, and put up links to specific disinfection tools.
From experience, it is not really feasible for the phone based support personnel to talk the users through full disinfection. The phrase "Blind leading the Blind" comes to mind here. (And definitely don't want these same support people "telling them to reinstall XP" as this is guaranteed to have that PC World effect of deleting all their valuable photos - a potential legal minefield).
See the list?
A browser toolbar that checks to see if you're on the list and if you are it tells you?
It'd probably get circumvented I suppose...
Need better DNSBLs, information and alerts
As I see it, there is a requirement concerning making information about known bot behaviour detections public. Making this information, e.g. through a DNSBL public enables MTA and other server operators to reject messages from such addresses. It also enables installation of automatic routine checks and alarms, e.g. as a standard part of operating systems. Not making this information public can only really be justified to the extent withholding this data helps catch and lock up the criminals behind these attacks.
ISPs should update acceptable usage policies to indicate that services to known compromised customer hosts will be filtered, redirected and blocked as appropriate. Redirecting outgoing port 80 requests from a bot to go to a web page explaining the problem and linking detection/cleanup resources and services is likely to be the most reliable and cost effective means to inform and help infected customers.
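The two halves of the DNSBL idea in the post above, as an added example that is not from the comment thread: an ISP publishes its bot detections as zone records, and an MTA operator checks a connecting address against that zone and rejects listed senders at SMTP connect time. The zone name "bots.example.org", the 127.0.0.x reason codes and the in-memory resolver are all constructed so the block runs offline.

```python
# Added example (not from the comment thread): an ISP-side publisher and an
# MTA-side checker for a DNSBL of bot detections. The zone name, the return
# code meanings and the resolver dict are constructed stand-ins; a real MTA
# would issue DNS A-record queries for the same names.
import ipaddress

ZONE = "bots.example.org"          # assumed zone name
# Constructed return-code convention, modelled on the usual 127.0.0.x scheme
REASONS = {"127.0.0.2": "spam bot", "127.0.0.3": "ddos bot", "127.0.0.4": "scanner"}

def query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.zone."""
    addr = ipaddress.IPv4Address(ip)   # raises on bad input rather than querying junk
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def publish(detections, zone=ZONE):
    """ISP side: turn {ip: code} detections into (name, type, value) zone records."""
    records = []
    for ip, code in detections.items():
        name = query_name(ip, zone)
        records.append((name, "A", code))
        records.append((name, "TXT", f'"listed: {REASONS.get(code, "unknown")}"'))
    return records

def lookup(ip, resolver, zone=ZONE):
    """MTA side: return the listing code, or None when the address is not listed."""
    return resolver.get(query_name(ip, zone))

def smtp_decision(ip, resolver, zone=ZONE):
    """Return the SMTP banner or rejection an MTA would give at connect time."""
    code = lookup(ip, resolver, zone)
    if code is None:
        return "220 mail.example.net ESMTP"
    return f"554 5.7.1 {ip} is listed in {zone} ({REASONS.get(code, 'unknown')})"

# Constructed detections from an ISP's bot monitoring; the resolver dict
# stands in for DNS A-record lookups against the published zone.
DETECTED = {"192.0.2.10": "127.0.0.2", "198.51.100.7": "127.0.0.3"}
RESOLVER = {name: value for name, rtype, value in publish(DETECTED) if rtype == "A"}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(ip, "->", smtp_decision(ip, RESOLVER))
```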
So why have you given these 'netbotters' the assassin (3 name) treatment? Is there a conspiracy in the making.........
Re: I say detect and delete
Shutting off service would make it hard to clean up the machine and get the latest patches. However, they could put infected machines on a smallband connection.
As for the cost of this extra work for the ISP... I think that spam bandwidth usage is also costing them a lot.
The ISPs need to change T&Cs etc - but 99% of UK ISPs are adding bandwidth limits and throttling anyway, they just need to extend this for "infected" users.
The ISP should totally block the user's internet access and only display a message asking them to phone a support line (premium rate of course!) where they must agree to fix the problem (by themselves or seek 3rd party help); once they agree then a partial service is re-instated which allows them to download updates and anti-virus tools.
If the problem persists and they fail to seek help then their contract should be terminated - ignorance is no defense, it's the user's problem and the user should pay for it (not the ISP, and certainly not other users).
Not Just SPAM
Haku, Steve, and Jan: this is about more than just the inconvenience of spam. These same systems are DDoSing systems among other nefarious deeds. I have thought about some of the suggestions above, mainly disconnecting users, but as posted that won't help as they won't be able to patch and update and would be almost instantly infected again once reconnected to the net. I believe something needs to be done at the ISP level and it would have to be more than just simply disconnecting users. I think Mark is on the right track: there needs to be a portion of the ISP network used for quarantine where the user can only access web pages that would lead to solving the problem, as well as providing a Windows update server on that segment of the network to make sure once the problem is removed that the users have a fully patched Windows system, at least until they are on their own and not updating again.
It certainly seems that there is a business opportunity out there for an Internet Sanitation Engineer. Taking some of these various pieces of advice and producing a product that can notify and assist bot sanitation efforts would almost certainly be a hit with ISPs and Corporate Networks alike.
Hell, I'd shell out a couple of bucks more a month to get my cholesterol down a few points based on reduced spam ingestion. I like phish, but generally prefer obtaining them from a fresh seafood market and not online.
Re: I say detect and delete
The ISP I am employed by in Manitoba Canada does blacklist people whose traffic, SMTP or otherwise, hits our honeypot and is flagged as virus activity. An account can be flagged as BL smtp mail only, limited browsing, or fully blocked all inet traffic. The customer does call in, claiming Connect No Browse, we tell them they've been flagged and blacklisted, and we remove them from BL after they tell us they've cleaned their machine up. We warn them that if the machine has in fact not been cleaned up sufficiently, they will be BL again as soon as their suspect traffic hits our honeypot.
Re: Network detachment for infected lusers
Cox Cable actually does disconnect infected users. I ran across this once, being the only techie in a home with four college guys. One of the roomies brought in a computer, and within an hour, bam! Our network was cut off and everyone trying to access the internet got a "Your access has been revoked" website. We called in, the drone checked our account and noticed it had been flagged. It's possible, and most T&Cs will have clauses stating that if any illegal activities or perceived hacking attempts are detected from your IP address, they will cut off your access. Most bots/bot viruses immediately attempt to infect other computers, which counts as both illegal and a hacking attempt.
Re: ISPs need an "infection parking lot"
Well, such 'quarantine' products exist already, however, they require a client on the desktop (the user's machine). Not very useful in that regard.
However, the idea of being able to restrict users to accessing a) Windows Update, b) Anti Virus company sites for downloading, and c) URLs for online updaters for those anti virus products is a sound one.
T&Cs need to be adjusted, yes, but ultimately this is for the users' protection. Perhaps an opt-out clause that allows users to opt out of such a protection scheme by specifically requesting it is an idea. However, that same opt-out would then need to be related to a more strict set of requirements and T&Cs.
Re: Infection parking lot
This already exists, and detection is very practical, quick, and easy. Recovery however, is not. Our company has this in place at the "hub" of our network architecture, and individual machines get dropped off if they send too much malicious traffic, within about 45 seconds of the commencement of an attack. The local admin and helpdesk get an email, and they just make a quick phonecall to reconnect the box once it's back to normal levels.
We've had a BUNCH of disconnections at my site recently - and the really funny thing is that none of them have been on luser machines. They've all been our HELPDESK machines. Apparently our helldesk operators are suck at teh intarwebz. We've considered moving their machines under the same policy as luser workstations, but that inhibits their ability to actually fix problems. It's kind of frustrating, really.
Firewall at default
All ISPs -- especially 'consumer' ones -- should block just about everything at default - web diverts to the web proxy, and email to the email server, and allow a few of the 'typical' ones --- msn connections to the msn site etc.
However, the ability to open up what you want via a web interface (for example) should exist, -password protected- so those who know can open things up as they wish.
My Dad is on ADSL and just uses his computer for web sites and email - I put a unix router in front of it that runs its own web proxy and email server, and literally blocks everything else from his windows-pc.
He doesn't notice any difference - as I am sure most wouldn't.
First of all, all the T&Cs that I've had with my ISPs have had enough vague language in them to ensure their ability to drop connections for people like this many different ways, and some have even stipulated that they'd charge extra for such activities.
I do like the idea of the default firewall, except that lots of people that need incoming connections for things like skype, hosting game servers, whatever, would have some serious problems. Plus, how many ISPs do you think would implement this sort of thing so that it doesn't get in my way? Cox would probably just force the firewalling on all consumer level accounts in order to force more sales of their business connections for an extreme markup.
Generally I'm not in favor of ISPs doing /anything,/ because more often than not it will be an action motivated by increasing profits and result in not much more than pushing the envelope of how far a gigantic corporation can screw its own customers.
Solutions to botnets available or nearly available
Greylists are becoming more popular. This is where the mailserver sends a re-affirmation of the originator when it discovers a mismatch between the email domain and the originated server. Most spammers won't want to take that extra cost and it will stop much spam. Open standards mail servers are becoming more popular with this ability.
The next thing to happen is Antivirus growing up and becoming a whitelist authenticator of software as part of a verification program to keep installations sanitized against a certified list of "known-good" software.
Microsoft is trying to do this in order to corner PC marketshare and controlling what goes on PCs. It has failed. But from this we now have 5 or 6 Whitelist startup companies. AVs like Norton and Trend will undoubtedly bring this sort of technology into their fold and we should get the current forms of nefarious activities under control.
This only slows criminals down. Where there is a criminal mind there is dark innovation.
ISPs too cheap to enforce security
Concerning the legality of ISPs providing security services to customers whose computers have been hacked and are being used as zombies.
1. If your computer is hacked, and your computer is being used to commit crimes, and anything you do on your computer is subject to surveillance by hackers, what sort of damages could you seek from an ISP who disconnected you from the internet?
In fact, if you were unaware of the problem, or if you didn't know how to clean your computer, your ISP would be preventing further damage to your interests by disconnecting you from the internet, because the ISP is preventing the hacker from accessing your computer.
(Of course good business practices mean working with customers to keep them happy. An ISP that wants to stay in business will use one of many methods to attempt to notify a customer of the problem and direct them to help to clean the computer.)
2. If a situation arises where the terms of a contract are forcing one party to commit or aid in the commission of a crime, that part of the agreement is generally void under common law.
Once an ISP is informed that a customer computer is likely a zombie computer being used in the commission of a crime, an ISP does not have to worry about the TOS getting in the way of fighting crime. (Although good customer relations means keeping the TOS up-to-date and understandable for consumers).
3. The question is the will of certain ISPs to do their part to fight crime.
Many ISPs still see customer and internet security as an unnecessary expense. They care about their internal security, and they care about their short term profits.
These (mostly small) ISPs have been putting people off with the claim that, "as common carriers we are not responsible for what goes on in our network without our knowledge". They try hard to avoid knowing what goes on by ignoring security complaints from others.
Hence, the cost of their dereliction of duty is not levied against them, and it never enters onto their balance sheet.
Some small ISPs even offload their email services to others. For them, the only expense of not providing security is a bit of additional local network traffic. Balance that against the costs of providing customer education, customer support, distributing security software free or at a nominal charge, and you can see that for these small carriers, pretending ignorance of problems is the cheaper solution.
Basically certain ISPs are failing to protect the common good of internet users and ISPs.
These ISPs are going to continue to fail to provide security services until existing laws are enforced, new laws are created and enforced, or the use of civil action against negligent ISPs becomes more common.
Re: ISPs need an "infection parking lot"
Stefan, you don't need a client app to make sure that a PC is put into a parking lot for infected PCs. All you need is an intelligent DHCP server that allocates an IP address for infected machines that's in a different subnet, based on a list of MAC addresses for the offenders. Then set your network policy for machines in that subnet appropriately. Easy.
My recommendation would be to send an e-mail to the customer whose machine has been blacklisted to state that he or she must clean up their PC or their account will be suspended after 30 days. End of story. If they need help to fix their PC, point them at me. I'll do it ... for a small fee. :)
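The quarantine workflow sketched in this reply and in the "Re: Infection parking lot" post above, as an added example that is not from the comment thread: outbound connection records per customer host are counted in a short window, hosts that fan out to too many destinations on a watched port are flagged, and their MAC addresses are written into an ISC dhcpd class whose only pool lies in a separate quarantine subnet. The flow records, thresholds and subnet numbers are constructed; the dhcpd syntax is the stock class/subclass/pool form.

```python
# Added example (not from the comment thread): threshold-based bot detection
# over constructed flow records, followed by generation of an ISC dhcpd
# "class" that hands flagged MAC addresses a lease in a quarantine subnet.
# Thresholds, window, MACs and addresses are all assumed sample values.
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_mac, src_ip, dst_ip, dst_port)
FLOWS = [(i, "00:11:22:33:44:55", "10.0.0.5", f"203.0.113.{i}", 25) for i in range(1, 26)]
FLOWS += [(i * 10, "66:77:88:99:aa:bb", "10.0.0.9", "198.51.100.2", 443) for i in range(6)]
FLOWS += [(5, "66:77:88:99:aa:bb", "10.0.0.9", "198.51.100.3", 25)]

# Assumed policy: more than N distinct destinations on a port within WINDOW seconds
WINDOW = 60
THRESHOLDS = {25: 20, 445: 30}   # SMTP fan-out (spam bot); SMB fan-out (worm scanning)

def flag_hosts(flows, window=WINDOW, thresholds=THRESHOLDS):
    """Return {mac: {port: distinct_dests}} for hosts exceeding a threshold in any
    fixed window of `window` seconds (fixed buckets keep the example short)."""
    buckets = defaultdict(set)            # (mac, port, ts // window) -> {dst_ip}
    for ts, mac, _src, dst, port in flows:
        if port in thresholds:
            buckets[(mac, port, ts // window)].add(dst)
    flagged = defaultdict(dict)
    for (mac, port, _w), dsts in buckets.items():
        if len(dsts) > thresholds[port]:
            flagged[mac][port] = max(len(dsts), flagged[mac].get(port, 0))
    return dict(flagged)

def dhcpd_quarantine_config(macs, net="10.200.0.0", mask="255.255.255.0",
                            first="10.200.0.10", last="10.200.0.250", gw="10.200.0.1"):
    """Emit ISC dhcpd text: a class matched on hardware address, one subclass per
    flagged MAC, and a pool in the quarantine subnet open only to that class.
    The production subnet's pool would carry 'deny members of "quarantine";'."""
    lines = ['class "quarantine" {', '  match hardware;', '}']
    for mac in sorted(macs):
        lines.append(f'subclass "quarantine" 1:{mac};')   # 1: = Ethernet hardware type
    lines += [f'subnet {net} netmask {mask} {{', f'  option routers {gw};', '  pool {',
              '    allow members of "quarantine";', f'    range {first} {last};', '  }', '}']
    return "\n".join(lines)

if __name__ == "__main__":
    flagged = flag_hosts(FLOWS)
    print(flagged)
    print(dhcpd_quarantine_config(flagged))
```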
BT already doing something
BT are already using Content Forensics from StreamShield Networks to detect spam traffic and quarantine machines. This only appears to be targeting spam traffic though, no DDoS or other zombie activity.
Re: BT already doing something
Very much so. BT gives you 24 hours to fix your PC or you're "cut off" until you confirm the machine is fixed. They provide a modicum of help, pretty much restricted to a few online av scans, but after that you're on your own.
And yes, the abuse team does look into zombie/DDoS activity too. I believe they rely on third-party reports, primarily, but I do know that they have people specifically dealing with security issues other than spam-generation.