Australia mulls botnet takedown scheme Australia is considering the adopting of a code that would oblige ISPs to contact, and in extreme cases perhaps even disconnect, customers with malware-infested computers. The voluntary eSecurity Code is designed to put a squeeze on the estimated 100,000 zombies in Australia, each of which might be capable of kicking out 10, …
i think this an start to be a net neutrality issue at what point do we consider a machine infected and what if the person is sending mass mailing and one doesn't like the email they get. do you knock the entire server off because of one bad review if everyone else likes the emails? what about competitors abusing the system could i disconnect your business with enough reports that you ip is bad
I think it would be a great move for ISPs to let their customers know if a pc was spewing out spam, etc. So long as that's all the involvment of the ISP is, and they don't try/end up being forced to police all traffic, I think checking for smtp servers and loads of email is a good move.
I got a call the other day from a friend telling me his PC was infected with something.
I advised an update of virus defs and a full scan.
Later the same evening, i got another call, the AV had not seen it but Windows Defender was going on about a 'trojan'.
Click ok and see what happens.
Later still i get another call saying that nothing much has changed there still seems to be warnings coming up and stuff but the AV installed and Windows Defender are not doing anything.
This suggests to me that most (given that my experience is the same) virii do not get easily removed by AV.
I went to I client who is on SKY BB in the UK and his internet had been switched off because the computer was spamming other people and they would not switch it back on untill he did a format install on the PC.
I would assume that all IPs screen their networks for this type of activity but obviously not
I'm astonished that our luddite southern cousins have actually come up with a sensible idea.
Anyone who's ever tried to shut down a phishing or spam host knows that the ISP is the point of contact, and that that's where it ends.
I expect they'll bleat and moan about the difficulty of this but the ISP is the choke point for malware, and they're the only ones who can enforce action on a customer who doesn't know or doesn't care less. Not doing so is like flogging guns to people without background checks and then denying responsibility for the consquences.
The "walled garden" in particular is a nice idea, and no harder to implement than cutting them off.
Please, can we have legislation like this in the UK?
My experience is that they take far more of your CPU time than you would wish, and function mainly as a continuing source of revenue for their publishers.
Yes, they do, on occasion, stop a genuine virus. Firefox, NoScript, FlashBlock and AdBlock seem to prevent most of them from gaining a foothold, though. I have never had any warnings from the anti-virus on my work PC. Maybe it does its work silently, or maybe I just don't visit the right websites.
My other PC runs Linux, so that's taken care of.
I'm sure Paris knows about virii....
A while ago - when they were very small, and before they became very commercialised - a Danish ISP had found an ingenious way of stopping spam mails and bot nets from their networks, it was very simple, and non-intrusive, maintaining the person's privacy.
They fingermarked the body of each mail issued from the user, and once the finger marking indicated that the body of the mail was the same for a number of emails, they would start analysing the number of emails issued from the customer, and the degree of similarity - all by finger printing, and algorithmic, not by viewing the mails.
Eventually this would result in an alert, where the customers mails were held, and not sent on, and an administrator was called to have a look at the logs - making sure not to breach privacy - and if the mail sent was excessive, like 1000's or more emails, with very similar content was detected in the logs, then administrator would send a note to the offending user with the something like.
"We have detected an extraneous amount of mail from your account, and if it really is your intention to spam the internet, please accept a surchage of 50 cents per email, which brings your total to $...... (usually $10 000 or more) - all of your mail is being held by our servers until payment has been made, however, if it is not your intention, then please clean up your machine, and check for trojans, and this time, we will choose to wave the email charge."
mind you the administrator who was in charge at the time, had a funny sense of humor, however, it worked very well, because it scared people into not spamming, and cleaning their machines. Most people would get a fright, and would scan their machines, and clean up, and those actually intentionally spamming left the ISP very quickly, but there was never a single bill ever issued from the ISP, but they had no problem with spammers. The company did however, make it very clear that if you did not take preventative action, then you would have to pay the bill.
Similar approaches could be used for most botnets, block the botnet traffic, and the botnet traffic only, and send a notice.
Simple effective, doesn't require laws, or shutting down people's internet connections, with internet connections in Australia, always being volume limited, most people would appreciated the heads up, I'm sure.
This would apply mostly to residential customers. Youre not permitted under your terms of service to be mass mailing using a =residential account. That by itself it terms for disconnection (and worse) by nearly every ISP.
Businesses would I'm sure still be notified of the issue, but would not face disconnection, blocking, or throttling.
This also isn't based on someone's "report" of a bad messagge being received, or common but LEGAL Spam issues, this is the detection of known infected systems where not only is SPAM flowing from the network, but specific types of Spam sent through non-traditional relays while maintaining connections to IRC or other Bot network controll chanels. Its confirmation of an INFECTED machine, not confirmation you;re sending spam...
Now, i would like to see a few things (on residential accoutns):
1) ISPs can charge an additional $10 per month if you can not prove that your machines (any MAC address they can detect behind your firewall (via packet headers, not by penetrating your network), are secured by a commonly accepted current release of a security program.) This should be for any machine they can determine is in use at your location for at least 3 weeks in 1 calender month (eliminates hassles of having to provide proof of guest machines family and firends bring over). Simple proof would be in the form of a screen shot of the active security application pluys a comand window showing the machine address. This proof should only be required upon suspicion of a specific infection by the ISP. Further, the charge should NOT be automatic, and should ONLY result if you both do not have a supported security application and fail to acquire one (including freeware) within 7 days of confirmation of receipt of the infection report (and ISPs can not ASSUME you got it, but must confirm receipt).
1B) It's not necessary to clean the virus/infection to avoid the charge, only to show the presence of active detection/removal software. (which can be installed either before or after the wanring notice, so long as you do install it). The charge is ONYL for those who fail to make an attempt to secure their machines.
1C) ISPs enforcing a charge (or blocking/throttling in extreme cases), should be required to offer security software free to all subscribers. The use of the offered software however is not required, so long as a commercially accepted package is installed (aka, AV-test.org or other AV testing firms have tested the application and confirm it is a valid antivirus/security application.
2) ISPs can charge $10/month if your wifi device is not secured. (no open guest networks).
3) detection of an infection must never be based on utilization, but on actual detected virus activity (mass mailing, connection to known botnets, viruses outgoing in normal e-mail, DDoS activity, etc). This must be documented, including everythign known about the infected machine (mac address, IP, if known the virus name, etc).
The theory sounds good; I've seen one ISP do this for payment (basically the 'walled garden' approach: all you can access is their own billing site), so they could easily do it once a compromised host is detected. It's the detection - and verification - which is difficult, of course; I know Dan Bernstein's servers occasionally get cut off by his university IT department for "suspicious" activity (in his case, hosting some mailing lists and a DNS server), and I'd hate to see that spread.
As long as the activity is verified as malicious (e.g. actually distributed viral content, Viagra ads etc) and it's easy to restore connectivity I'd be happy to see this implemented; I wouldn't bet on any government getting it working properly though, more likely people will get cut off at the drop of a hat for P2P usage or have to wait days to get back online after emailing one big attachment to a couple of people from their own MTA showed up as "excessive port 25 usage".
This may be the only way to educate the average user about security. I have long thought that ISPs are the best placed to identify compromised PCs that are generating spam or other bot-net related output. There is little difficulty in identifying spam e-mails that are in circulation, and identifying PCs that are generating them would not be rocket science, although it would likely involve a significant investment in compute power and packet inspection.
Taking infected systems off the net is the only way to both solve the problem and educate the user community at the same time. The problem would be in finding the funding to put this in place.
"""do you knock the entire server off because of one bad review if everyone else likes the emails"""
There is a pretty large distinction between a spamming botnet host and a legitimate mail server. There are many, many ways to tell the two apart, which I won't get into, because it's clear that you didn't even get so far as reading the draft:
"""ISPs can typically find out about malicious activity and compromised computers in two
ways:
(a) by active monitoring as part of normal network management activities; and/or
by notification
(b) by trusted third party sources. (Note that a list of sources is
included in Schedule 2 to this Code.)"""
That means random people won't be able to "review" an email server, or whatever you're afraid will happen.
I personally doubt that many people will be able to fix a modern malware problem without buying a new computer. Botnet software these days typically disables antivirus products, installs backup copies of itself, patches system files, installs rootkits, etc. Frequently the only way to deal with an infestation is to boot into a read only WinPE or Linux distro, copy data over the network or to an external drive, virus scan all of it, then reformat and reinstall. My grandma isn't going to do that, and she will probably keep clicking malware attachments in her email 3-8 times a day no matter what.
The first thing to do if you want to truly clean an infected PC is remove all installed AV and spyware apps since they are compromised and can interfere with removing files. Remove the infection(s) then reinstall, update and full scan.
Every infected PC i've seen has AV on there ranging from Norton 2004 (!!) to the latest AVG, McAfee or Norton 360 or whatever. The best AV you can get is free with your brain - common sense. Unfortunately not everyone keeps theirs up-to-date...
Sounds like a great idea. Misbehave and you get grounded. As long as there's reasonable oversight and a way to appeal in a court of law, I can't see how this should be any worse than not being allowed to harass random people on the street. First reasonable thing I've seen coming out of Oz for a long time - that firewall-idea of yours is not doing your reputation any good, fellers...
Having for worked for a couple of Large Aussie ISP's, I can say that whilst this is a great idea in principal, it's execution is not a simple matter.
As you mentioned there is already a system in place in Aus that advises ISP's of infected hosts.
What they fail to mention is that this project while well intentioned, didn't really provide anything that wasn't allready in place. Services such as mynetwatchman, and dshield were already established and able to notify ISP's of infected hosts. But more to the point the problem has never been identifying the infected hosts, the problem is the point where someone has to pick up a telephone, and tell a 60 year old granny that her windows 98 computer is infected with a virus.
What's that son? - Microsoft recommends I reinstall my OS from scratch? I should really download Ubuntu on a neighbors PC and burn it on to a disk?
I believe the only way forward is an automated walled garden approach that can be standardised and subsidised. - This could be as clumsy as the user being assigned a special dns server with a catchall redirect to a miiror server full of simple instructions and open source tools to identify/remove and protect.
Unlike censorship, eliminating virus-like malware is fundamentally a worthy goal. Still this definitely has the potential to go wrong.
If it can be accomplished without deep packet inspection I think it might actually be a viable plan. Otherwise the mission creep / slippery slope danger would be very worrisome.
Why not have a system where any computer suspected of being a spam-bot gets put on a special list at theie ISP?
While on the bot list, every email that PC transmits would not be sent by the ISP but bounced back to the users email account with a message and confirmation link;
ie: We think your computer is infected..... click the following link to confirm that you really want to send the following email. To remove this message and requirement, clean your frigging machine OK?
Perhaps this is too simple...
OK, I know the topic is a lot more tricky/involved than this...
but... instead of doing deep packet inspection on all outgoing traffic, why not just block ports for each individual user? Leave the "obvious" ports open for traffic, IM, etc. that the average non-savvy user will use, but block ports for VNC, mail servers, etc.
Then have a handy webpage where the user can specifically unblock those ports. Individually. That way if I *want* to run a mail server I can, but if I get infected and a mail server installed, it's blocked.
Wouldn't that allow us to be protected from the malware-infected-grannies, while not forcing the grannies to do anything different, while not risking slippery slope?
I know there are still ways to hide the malware signals through http traffic and similar, and that requires packet inspection to detect... but... wouldn't we have at least cut out a large chunk of the problem?
"...to detect that your PC is sending spam, why can't any existing AV products do it?"
They do. The better AV products limit what programs are allowed to send mail and often limit the sending of emails to more than a certain number of destination addresses and limit the number of emails that can be sent per unit time.
As for the legislation, it is a bit draconian. It would be easy to get the wrong guy. It might be better to require ISPs to act on allegations of abuse/infection from machines in their networks and fine them if they don't.
Bring it on, then I can read my email without having to delete 90% of them. I can get some work done, I can enjoy my online private life, the net will be faster.......
We ALL need this.
And as for the net neutrality oiks in this thread.... do you know what net neutrality is? I think your confused.
How about verifiying the email address, most spam has forged headers and from addresses, so could a the receiving ISP not query the sending ISP to verify the return addrees is ligit?
E.g. email is received by ISP1 for aaa.bbb.@ISP1 from bbb@ccc@ISP2, ISP1 then queries ISP2 as to whether the address is ligimate, it if is not ISP1 drops the bogus email = spam dead.
Of course it only short step for the spammers to use ligit address, but that would identify compromised email address.
People: It's "viruses", not "virii", fer cryin' out loud!
http://linuxmafia.com/~rick/faq/plural-of-virus.html
http://ancienthistory.about.com/cs/latinlearning/f/virusplural.htm
http://homepages.tesco.net/~J.deBoynePollard/FGA/plural-of-virus.html
...and many others.
*grinds teeth in frustration*
And BTW it's "waive", not "wave". Sorry, this one's not intended to be a rant, just thought I'd mention it.
@Michael C: You know, buying a virus scanner subscription is not the only way to secure a system. And it's not the only way to clean up an infection. In fact, installing a virus scanner after-the-fact is generally useless for any virus worth a damn.
Wiping a system clean and re-installing the OS is VERY affective at removing a virus and does not require a purchase. How do you take a screenshot of that?
Throwing away a system and buying a new one is just as effective and doesn't require the purchase of anti-virus software.
There's also ClamAV.
I find it interesting that your scheme considers proof of the effort to be superior to the actual effort of cleaning up. Beware of unintended consequences, my friend: people WILL game the system. Adding more rules to prevent it will just make a mess of things. Apply the KISS principle here: if you can detect an infection, you can detect when it's been cleaned up. Giving people an "A" for effort is all very friendly but doesn't solve any problems, because the infection is still there, and it complicates the situation by requiring elaborate methods for providing proof and locks out some very effective eradication methods. If the customer wipes out his OS and starts over, and his infection goes away and he stops spamming or botnetting or whatever, by your scheme you would continue to charge him!
What if he decides never to acknowledge your E-mail? He gets a free ride.
It's also a very elaborate scheme for making the ISP keep detailed logs, provide hands-on analysis, notify, verify, and so on.
I think your heart's in the right place but I think you're over-thinking this one. By bending over backwards to give the individual the benefit of the doubt you've put a tremendous amount of effort on the ISP and made it impossible to employ. Don't be so concerned about the rights of the individual that you forget the rights of the community.
If I've got a car parked outside my house, but have been careless enough to let a set of keys for it fall into the hands of a criminal and he uses it every weekend to go out and rob banks, I'd expect to get in trouble. So why not go ahead and apply this logic to PC's. Let's face it, ignorance doesn't usually stand up well in court if culpability is clear, even through plain old negligence.
Giving the users the ability to monitor this themselves would be a total waste of time though. We're talking about users who really have no idea what's going on with their machines in the first place, and the point is if they were the kind of user who'd check that kind of stuff, they won't be the kind of user with an infected machine.
Someone mentioned e-mailing people with a link in the e-mail to confirm they really want to send the e-mails - pretty bad idea - these kind of users need to be encouraged that links in e-mails are generally NOT to be trusted. When I get e-mails from companies, particularly financial ones, that include links they generally get back a snotty one from me. PayPal are one of the worst for this.
Better idea: Mandate that no two computers may have the same instruction set and/or addressing schema. This would ensure that code compiled for one computer could never be run on any other computer; and thus malware could never spread, except in Source Code form where it could easily be dealt with.
I'm a small web host provider. I have sent about 100,000 mails to ISPs complaining about zombie attempts to deliver mail, or brute force attack SSH, FTP, POP3 accounts, with a small amount of success over the last year.
My argument is that outgoing port 25 on residential computers should be blocked to anywhere other than the ISPs own mail servers, unless the user asks for it. If the user doesn't know what it is, then they don't need it. While this would cut down zombie spam, it wouldn't prevent http distributed denial of service attacks.
Some providers like myself don't accept mail from foreign IP pools, so 'man and dog' operations wanting to send newsletters this way probably won't have much success anyway.
It should be mandatory for ISPs to have a valid abuse address available in the whois record.
Some don't. Some do. Many just ignore it or set a ridiculously low quota to reject all attempts at contacting them. Some ISPs appear to care like earthlink, verizon, cox, bt, but many just don't give a toss, such as tpnet.pl, ttnet.net.tr and I just blanket ban all their IP addresses. If Google, Hotmail and Yahoo did the same, then perhaps they would take their users' security more seriously.
I've evolved a fairly sophisticated system now that fights back.
1st line defence: zen.spamhaus.org, bl.spamcop.net, dnsbl.sorbs.net, cbl.abuseat.org, SPF, DK, DKIM
2nd line: RDNS checks, 5 sec delay
3rd line: mailscanner/spamassassin - high score --> feedback to SA, fwd to nonregistered@coldrain.net and spamcop.net
medium score --> grey folder for manual checking --> feedback to SA, fwd to nonregistered@coldrain.net and spamcop.net or release from queue to user.
spamtrap addresses --> unscanned to nonregistered@coldrain.net
zombies that attempt to deliver too many msgs cause the systems to ban the ip address, add to an rbl and automatically complain to the ISPs with extracts of logs and timezone, after checking with a local blacklist of delinquent ISPs.
Similarly for SSH, FTP and POP3 attacks.
In spite of the many messages sent, I do get some replies from thankful people and I'm glad to be making a small difference.
I hope that all ISPs around the world will take more responsibility for their users and the wider community. Collectively we can make a difference to purge the net of the criminals.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
