Comcast, the biggest US residential internet service provider, has begun offering all its subscribers a service that warns them when their PCs are infected with botnet software that steals banking passwords and carries out other nefarious deeds. Over the next few months, the Philadelphia-based internet provider will roll out the …
"""Infected users will also find a semi-transparent banner that's superimposed over their web browser that warns “Comcast has detected that there may be a virus on your computer(s).”"""
I give it about 36 hours before someone (many someones, more likely) manages to paste false versions of these all over the net using various XSS vulns, which link to the popular scam AV download of the day, with a nicely typo'd Comcast endorsement. The sorts of people that need a banner to notice a malware infection also happen to be the exact ones who will give their credit card details to just about anyone with a website.
People who need this kind of thing just need to be dropped to a 'call your local nerd/geek' page :-)
Beer, because that's the minimum fee for answering the phone
Warning people that botnet-like traffic is coming from their network: good idea. Doing so by tampering with HTTP responses to display a banner: horrible idea.
▒▒ COMCAST HAS DETECTED A BOTNET ON YOU ▒▒▒
▒▒ COMPUTER PLEASES CLICK HERE: malware.net ▒▒
▒▒ IS VERY URGENT!!! ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
Send an email,
This is all very laudable but the method of execution does leave something to be desired.
I suggest sending the user a plain text email, with copy and paste links to what Comcast security researchers determine is the best removal tool for the infection(s) the user has. Along with a warning that after 5 working days of the email being viewed the infected machines user account will be blocked.
In addition, I presume Comcast users have an account of some sort that they log into to for billing info, usage or webmail etc. The user welcome page could be set up to inform them of the infection and provide links to removal software after they log into their account.
As AC:ugh mentioned, tampering with http responses is a no no for the reasons outlined by Nexox.
If we KNOW you have a bot, clearly identified by connectivity to a know bot server, or pattern of system behavior, then instead of an e-mail and banner, how about QUARANTINING THE USER CONNECTION!?!?! Make it accessible STRICTLY to pre-approved IPs of virus vendors and the OS vendor. Lock them offline from everything else until their PC is detected cleaned, or they provide a screen shot of the scan results of an approved and up-to-date scanning engine proving they're not infected in the first place, or until they call the helpdesk and (after paying a fee), demand open access even with an infected PC for 24 hours if they claim its business critical they not be blocked in the interim.
We can't do this for business class connections (other than notify them which they still should), but for residential accounts, I'd even go so far as to implement NAC systems for home users, only allowing a machine onto the open internet if all critical patches are installed and an approved (by 3rd party agency, not the ISP itself to avoid competition issues or vendor favoring) AV client is installed with the latest defs, and give them only a quarantined internet access otherwise. The vast majority of people on the internet are either too ignorant or too cheap or too lazy to secure their systems. these people should be quarantined unless they either comply or pay higher fees to not have to.
If they attempt to go to any web site other than an AV vendor, OS vendor, or pre-approved list of sites with cleaning and security tools, they get a simple DNS redirect instructing them to contact the help desk (without providing any direct links or phone numbers). Inform them they should seek help from Microsoft, Apple, Symantec, McAffee, or a list of other vendors, but provide only information, and not links. Tell them they should never see such a page containing links or apps to install directly. If they believe this page is in error call the help desk. If they believe they are being scammed, type comcast.com into their browser and log in to see the infection confirmation.
If all the ISPs did the same, and users were sent a copy of this screen in their next (and every) bill so they know it when they see it, we might get some people educated.
Why leave a known infected machine running online? Get it off so it can only get to IPs of known safe security vendors. If they feel the need to get online anyway without first cleaning their PC, make them pay a hefty fee for each 24 hours they wish to until clean. Let them get past "errors" and false positives by screen shotting a completed scan with an approved scanner.
and appointed you my nanny?
Set the wayback machine
To, oh, maybe 2001 or something like that. When pioneering small but perfectly formed UK ISP Metronet and usually-a-nightmare ISP NTL both had this kind of facility.
Neither exist now, but it's nice to see the idea isn't completely forgotten.
Hi Alex, hello James, (and Paresh), are you well?
I remember Alex...
...proper old-school BOFH :)
IIRC his method was to sandbox the connection and only allow a download of some AV to clean the machine(s).
That's the right way to do it.
So did Pipex. Indeed they informed my mother of an infection on her computer.
Apparently it worked by monitoring the bulk of mail going through the mail relay from each IP.
Simple, effective. (At the time, i understand a lot of malware dont bother with mail relays any more)
... as did Telewest, back in the Day
Cut me off, they did, and sent me one of those paper-emails to tell me that I was 'fected with Code Red.
Cue a rather painful conversation with a phone-mong who couldn't quite grasp that Code Red would have a heck of a time infecting my Lunix install (SUSE 7 IIRC), and perhaps he would be so good as to connect me the fuck back up right Goddamn now, pretty please.
Sandbox. Give them access to critical systems only. Give them a way past by calling the helpdesk and getting a lecture and paying a hefty fee if they can't simply run a scan and prove they're clean.
What detection techniques do they use?
It is important that Comcast, et al, tell people what they do to discover the infections.
A few years ago the Nanny sate of Singapore used their state-supplied InterNet network to inspect all connected connected computers and resulted in information that included information about copy software, etc.
Even the tame citizens of the near authoritarian regime of Singapore were outraged enough to protest and most became familiar with firewalls, etc. to ensure their privacy.
So it is critical that full disclosure be made to ensure whatever trust between ISPs and customers that exists is not reduced. After all Comcast has lied before, when it involved traffic shaping.
They monitor to see if you are attempting to connect to known bot net IP addresses from your PC, or exhibiting bot-like behavior (DDOS, spamming, etc). There's not software in the PC, and they're not monitoring where you go or logging your connection, only detecting when you try to go to certain places know to be bot houses, or trigger certain thresholds over certain protocols (like SMTP).
...a button that says "to fix the problem click here", linked to Ubuntu's downoad site.
You are right in the technical sense, given the recent figures for win32 versus *nix malware (> 99.9% for Windows), but the problem is those behind the PC.
They struggle to use windows as supplied with their PC, are generally clueless about what actually can/needs to be done to secure it, and in a lot of cases simply don't care! Installing a patch is way too much for most, let along booting a new OS. Add to this a whole new system of warning and you get the perfect opportunity for scamming them (and others who are free of infection, but gullible).
As already said, WTF is messing with web responses doing here? BT already screwed over its business customers with this trick to promote a help service, much the the irritation of their customers (broken backup systems, failed customer presentations, etc) and you really have to ask why and how they are able to intercept and modify in this way. Privacy anyone?
Why not include a letter with the paper bill telling folk if traffic is suspicious? And a good explanation of what they look at, and record, and why...
RE: How about
How about, you stop taking smug pills and realise that telling everyone and their mums to install linux, acheives nothing and helps nobody.
No, no, no!
Let everybody stay with Windows, poor viruses should have a home shouldn't they ? Otherwise they will migrate to other OSes.
"difficulty of explaining to Aunt Mildred..."
My "Aunt Mildred" uses Linux !
My daughter uses Linux
Has anyone who is running a european small business web server not blacklisted major parts of the comcast IP space due to repeated attacks?
Complaints about spam(from TX space) and DSL botnets fall on deaf ears. Sorry but comcast need to do more than this to restore any rep.
"Comcast's plan is admirable, but it's sure to confuse some subscribers. "
Computers are no different from anything else in life. Find a problem - contact a specialist to fix it!!!!
Broken pipe - call a plumber
Car won't start - call the AA
Strange rash appears on body - visit a Doctor
Computers should be no different - Comcast email just needs to state "We think you have a virus. If you don't know how to fix it, we suggest you contact a specialist". Comcast are really missing a trick - they should be doing a deal with some of the techie chains to clean infected computers at a discount rate. Chuck Bartowski to the rescue.
Yes, there are those of us who can mend our own pipe, fix our own car, or maintain our own computer. But most subscribers should just join the dots of life and contact a specialist, or at worst, same as life, the guy down the road who does it DIY.
What would you think/say/do
if a plumber will show up in front of your door telling you that he thinks you have a leaking pipe that must be fixed ?
Go one step further
let people complete a PC competency test (say, something simple from CompTIA a few steps even lower in level that A+ focussing on basic internet safety) Have this test cost a few bucks and be valid for say 5 years, though an independent authority not the ISP itself (so its portable).
b) If you have not passed the test, your home computer connection (and all computers used from that IP) are monitored by a NAC system, and each PC can't get online (except to a quarantined list of IPs like OS and Virus app vendors) without passing a simple security screening as any business PC does (is it patched, does it have AV, are the definitions current, has a scan been run within the last 14 days, is there a logon password set). This requires a NAC application to be installed on your OS. If you don't meed NAC policies, you'll be quarantined into a network segment that can only reach sites that can help you meet those restrictions (OS vendor, AV vendor, etc) until you do.
c) If you have passed the test, and proven yourself security aware, a setting in the NAC app lets your local machine MAC address bypass the screenings, (and you can add more MAC addresses online personally through your account admin page), and no software is required and your machine is not managed by NAC (but you'll still be notified if they detect an infection, and if critical you may be temporarily quarantined).
d) If you are quarantined, but absolutely have to get online anyway, you'll have to pay a fee to get 24 hour access if you are not in NAC compliance. If we detect a virus, that is repairable through current AV definitions, you may be put into this quarantine even if you are not subject to the NAC scanning rules (but only if it is a critical self propagating virus or one active in an active attack against other systems. Low threat viruses will only get you warned, not quarantined).
essentially, if you don;t know better, we "assist" you in making sure you;re secure. If you don't want the assistance, get certified to bypass it. You may be quarantined if you have a serious infection (but you can pay to temporarily bypass it, or provide a scan log showing you're clean and we'll call it a false alarm and credit you something.
not a valid scenario
A proper association is a city worker showing up and telling you that they detected large quantities of bleach coming from your home line connection at the street pipe, and they were cutting off your access from the home to the sewer until you fixed the issue. Or, the city water department noticing your water use went up 10 fold, and sees a big puddle in your back yard when they come to read the meter, and cuts you off.
I've experienced the latter (an automated sprinkler got stuck on while I was on a 2 week vacation, and ran my water bill from a normal $50 to over $300 before they caught it).
There's a hole over there with your name on it...please crawl bac into it at your earlies possible convenience.
Here I was, getting ready to scream ABOUT BLOODY TIME ISN'T IT?!!!
And yet I find that you have once again engaged in such EPIC FAIL with something so incredibly LAME I can't even give you that much credit.
I never used your Internet service, but boy am I glad I'm no longer paying you money for your tv service either.
Have a nice day,
a FORMER customer.
do I have to start checking another account now...
when we set up our Comcast account they "required" that I use their supplied email address as my primary means of contact.
I've checked it maybe three times in 3 years. Zero useful emails but a lot of advertising (both from them and spam - scary for an account I've never used)
I'll be a bit stuffed if they do decide we're infected and send me an email there.
Nice idea, but they need to get some of their house in order as well for this to really be welcome
They had best get it right...
I run an entirely Linux shop and have had my ISP inform me that my PC is infected with malware and must be cleaned or else no more service for me. Mistakes do happen. And as someone else pointed out this is a really good opportunity for the miscreants of the Internet to start a new scam.
just implement NAC security rules for anyone who does not opt to bypass them and have a basic PC security certification (something a step down from A+). Detection can be faulty, and false alarms are possible (though there should still be a simple bypass, like going to your account page, logging in, going to the "you've been quarantined" section, and hitting a "temporarily bypass quarantine" button, which should take like 5 minutes, and give you 24 hours to show your clean status or get turned back off). This should also be on a PC basis, not a network basis, and their router could do the heavy lifting blocking certain MACs and not others still letting clean PCs online even if some others are infected ir not in NAC compliance. The block should never be total, just a very short white list of sites to clean and secure and patch your PC.
I know it is their own fault, but what about those users who use pirate copies of Windows.
There must be many.
Patches are not an option are they.
A computer specialist may well refuse to work on such a system.
Yes, you can get free scans and repair from anti-virus mobs, but that doesn't solve the base problem that the OS is broken due to not having patches applied.
There are many reasons why people use 'pirated' Windows. So it's not simply a matter of saying 'tell them to buy Windows' or 'they deserve getting the chop if they use 'pirate' versions'.
Linux is not an option.
So what is?
"Linux is not an option."
Linux is the BEST option - there fixed it for you
Lazy, stupid, indifferent people, and shitty insecure OS creators (Microsoft) and the never ending scan fest called "Malware Wars" (say that fast 10 X).......
Uhhh fuck Microsoft and their deadbeat OS and useless and stupid users.
I went to Linux ages ago.