October 8, 2009 10:25 AM PDT

Comcast pop-ups alert customers to PC infections

by Elinor Mills

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if their computers are behaving as if they have been compromised by malware.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.

Comcast is launching a trial of a service that will warn customers via a browser pop-up that their computers may have been compromised by malware.

(Credit: Comcast)

The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.

The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.
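
The two triggers described above (an overnight spike in mail sent from one IP address, and an address appearing on a spam list) can be sketched as follows. This is an added example, not Comcast's system: the sample counts, the documentation-range IP addresses, the spam list and the `sigmas`/`floor` thresholds are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data: outbound SMTP messages seen per night for each
# subscriber IP, oldest night first. Addresses are RFC 5737 documentation IPs.
NIGHTLY_SMTP = {
    "192.0.2.10": [3, 0, 5, 2, 4, 1, 3],         # ordinary mail client
    "192.0.2.23": [2, 4, 1, 3, 2, 5, 4200],      # sudden overnight burst
    "192.0.2.77": [40, 55, 38, 61, 47, 52, 58],  # steady, busier sender
    "198.51.100.5": [0, 1, 0, 2, 1, 0, 1],       # quiet, but spam-listed
}

# Constructed stand-in for an industry spam list feed.
SPAM_LISTED = {"198.51.100.5"}


def overnight_spike(history, sigmas=4.0, floor=500):
    """Return True if the latest night is far above this IP's own baseline.

    The threshold is the baseline mean plus `sigmas` standard deviations,
    but never below `floor` messages, so a quiet line that goes from 1 to 20
    messages is not treated as a spam run. Both values are assumptions.
    """
    if len(history) < 4:
        return False  # not enough prior nights to form a baseline
    *baseline, latest = history
    threshold = max(floor, mean(baseline) + sigmas * pstdev(baseline))
    return latest > threshold


def flag_subscribers(nightly, spam_listed):
    """Map each IP that should get a notice to the reasons it was flagged."""
    flagged = {}
    for ip in sorted(set(nightly) | set(spam_listed)):
        reasons = []
        if overnight_spike(nightly.get(ip, [])):
            reasons.append("overnight_spike")
        if ip in spam_listed:
            reasons.append("spam_list")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_subscribers(NIGHTLY_SMTP, SPAM_LISTED).items():
        print(f"{ip}: notify subscriber ({', '.join(reasons)})")
```

Comparing each address against its own history keeps a consistently busy sender from being flagged just for volume, while the spam-list check catches an address whose traffic looks quiet from inside the network.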

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.

"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."

Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.

"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"

The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers of security problems, Opperman said.

Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.

Update 12:50 p.m. PDT October 9: Comcast is not the first to proactively monitor and help customers whose computers have been compromised. Qwest has been doing so for two years. Qwest's Customer Internet Protection Program displays a Web page with a warning to customers and offers a way to remove the infection for free before the customer can continue surfing the Web, a Qwest spokeswoman said.

And SBC (before it was part of AT&T) even quarantined customer accounts, George Ou reports on his Digital Society blog. While preventing infected computers from accessing the Internet until they are cleaned is going too far, he said, displaying warnings that could be faked by scammers might not be the answer either. Ou suggests a standardized "out-of-band notification mechanism that doesn't rely on the Web browser and can only be triggered by authorized entities," combined with remote management tools for automatic cleanup.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by moordrake October 8, 2009 10:48 AM PDT
It's just a matter of days until the hackers duplicate the look of Comcast's alert to trick people into installing even more malware.
by techman21 October 8, 2009 11:56 AM PDT
Exactly the problem with this methodology.
by Random_Walk October 8, 2009 1:41 PM PDT
...'course, in the case of email spam Comcast could just shut off port 25 from that box and wait for the user to call asking why his emails aren't sending. :)
by Renegade Knight October 9, 2009 8:15 AM PDT
@Random_Walk
My ISP already blocks ports and emails that I used. My loyalty doesn't exist for them anymore. DSL has one small step to catch up in speed...I'm hoping they take that last step.
by shellcodes_coder October 8, 2009 10:50 AM PDT
Just switch to Vista or 7, those operating systems are a nightmare to hackers. For instance, just look at Charlie Miller who found writing exploits for OS X way too easy and had no idea on how to exploit security holes in Vista or 7 because of the security features implemented in Vista/7. 'Nils' who managed to exploit both Vista and OS X, chose to exploit Firefox and Safari hole in OS X because he admitted that on Windows 7, it would BE WAY TOO DIFFICULT like it was for him when writing exploits for IE 8 :)
by SactoGuy018 October 8, 2009 10:57 AM PDT
What makes it even harder for Windows Vista and Windows 7 hacking is the fact both operating systems alert you to install a good Internet security suite. That's why I run Norton Internet Security 2010 (probably the best commercial Internet security suite out there because of its comprehensive protection and detection of malware and because NIS 2010 has done a very good job of reducing its resource usage).
by shellcodes_coder October 8, 2009 11:04 AM PDT
@SactoGuy018: Nope dude you are wrong, here's why: http://www.neowin.net/news/main/09/09/16/hacker-snow-leopard-less-secure-than-windows

I don't use any security suite on my Vista and 7 machines because I know how to keep my computer safe. And trust me, I've never had any malware infections till now. Used to use NIS when running XP long time back.
by shellcodes_coder October 8, 2009 11:08 AM PDT
*7
by ballmerisanape October 8, 2009 11:19 AM PDT
It was also harder to crack 7 because he didn't spend weeks orchestrating his attack.. one which needed physical access to the machine.. like he did with the OS X machine.
by Seaspray0 October 8, 2009 2:11 PM PDT
@ballmerisanape. The only physical access required was typing in the URL of a webpage that was created by Charlie Miller. That was it. The web page itself contained the exploit and gained root access to the computer.

This means you are no safer than anyone else when you browse the web. If you go to a website that contains malicious code for Mac, then your Mac could become infected - just like it was in the pwn2own contest. Don't be dumb and not run antivirus software like shellcodes coder. Anyone who tells you that antivirus software isn't needed (regardless of the OS) will one day reap a disaster and probably never know it.
by jasonatcomcast October 8, 2009 11:09 AM PDT
Some related documents available at:
http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation
and
http://tools.ietf.org/html/draft-livingood-web-notification
by Someone_stole_my_name October 8, 2009 11:10 AM PDT
This is a great thing. Many of the people who have these zombie machines out there are pretty unsophisticated. This will let them know that there are things that they need to do. It would be even better if the machines were blocked from the internet if the issues that led to the notice were not addressed.
by The_happy_switcher October 8, 2009 11:12 AM PDT
No problems on my Mac with Comcast internet.
by Vegaman_Dan October 8, 2009 11:38 AM PDT
.... that you know of. But then if your machine was compromised by a bot network, wouldn't they go to lengths to make sure you didn't notice it and take action?

What you are doing now is the equivalent of sticking your head in the sand, hoping never to have a problem and refusing to believe it when you do. That's *EXACTLY* the sort of gullibility that criminals want you to have.

You are the prime target for such attention, not because you are ignorant, but because you are intentionally ignorant.
by The_happy_switcher October 8, 2009 12:00 PM PDT
You are a serious moron who just can't resist attacking me over and over again with no cause. How the hell do you know, or THINK you know, what I do or do not do on my computer? Ever heard of anti identity theft measures that alert you to this kind of nonsense? I don't need to lard up my computer with unnecessary software just because Horton hears a hoot. You sound like a shellshocked Windows user who sees imaginary threats everywhere.
by Mergatroid Mania October 8, 2009 12:14 PM PDT
They will have to wait for more Macs to be in use before they have major malware problems.
Of course, we all know the reason there is very little malware for Macs is because they are so superior, not because hardly anyone uses them so it's not worth writing malware for them yet.
by Vegaman_Dan October 8, 2009 1:15 PM PDT
@The_Happy_Switcher:

I'm sorry, I was going by your previous comments where you went on at length how as a Mac user, you didn't have to take any steps at all to secure your system, it was perfect out of the box, etc. If you use other methods than what you have publicly stated in the past (Mac users don't have to worry about internet security, as you've said before), then I must apologize in not knowing where you have posted this. Perhaps it was someplace other than CNET.

You might want to plead the fifth here. It may be your best option in this situation.

When I see BS, I can and will call you on it.
by sanenazok October 8, 2009 1:16 PM PDT
@switcher "You are a serious moron..." no I think the happy_switcher did the moronic thing by posting such obvious bait. Me thinks the lady protest too much. If you don't want responses, don't post such BS.
by Seaspray0 October 8, 2009 2:19 PM PDT
@happy switcher. I will attack you for not protecting your computer, just as I attacked shellcodes coder above. Two trolls at either end of the spectrum, both believing they don't need that nonsense protection. If you don't want to use it, I can't stop you, and it's not my decision. But DON'T either of you brag about it in forums like this. I don't want anyone to be swayed by stupidity.
by Vegaman_Dan October 8, 2009 7:31 PM PDT
@Seaspray0:

Shhhhh, there are folks in Russia's criminal syndicate relying on people like The_Happy_Switcher to be their unwitting pawns. Don't do anything to ruin their plans like educating the ignorant. It's far better to just let them move through life without knowing their passwords are being stolen, their machines turned into bots for hire, and personal data being shared out to whomever pays the most for it.

They don't need security. They have themselves.
by T_Hoff October 8, 2009 11:19 AM PDT
>> "We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

Wow -- so Comcast customers actually like having their network traffic snooped on? Fascinating.
by jasonatcomcast October 8, 2009 11:39 AM PDT
No, I'd say more like customers like being advised when the ISP believes they have malware on their computer. And that malware of course may be key logging, stealing personal login info, participating in spam and DDoS attacks, hosting illegal files in a fast flux network, and lots more bad stuff. Customers kind of like knowing about that... And recommend you read our Network Management page at http://networkmanagement.comcast.net which describes the technical details well and transparently.

Jason
by Hunnter2k3 October 8, 2009 11:49 AM PDT
All these things are automated.
Comments like this are the same kind of comments that make people think Google read their e-mails in Gmail because the ads are related...
by Vegaman_Dan October 8, 2009 11:40 AM PDT
I wonder if this is a candy coating to let Comcast start monitoring outbound traffic in some way of gaining metrics to start limiting/charging for uploading content? Already their 'unlimited' bandwidth has limits imposed now for downloads, and I expect they would like to control who has servers on their home connections by actively monitoring the upload usage accordingly.

I'm not at all positive this is about good will and concern for your computer's security.
by jasonatcomcast October 8, 2009 11:47 AM PDT
Not at all. We were able to figure out most of this via existing data feeds, such as from our email anti-spam system. This was a case of putting it all together and then letting customers know they have a problem. For years we have focused on the symptoms, and it seems time to fix the root issue.

From our FAQs:
How did Comcast determine that I may have a virus-bot on a computer in my home? (CG, AV)
We identify infected computers in several ways. First, we get data from reputable Internet research groups that specialize in bot identification. The data we get includes a list of Internet Protocol (IP) addresses that are infected and those that belong to bot command and control channels. Second, we look for malicious behavior exhibited by bots such as spam, distributed denial of service attacks and repeated connection requests to known command and control channels. We then aggregate this data to confirm whether one or more of your computers has been infected.
by sanenazok October 8, 2009 1:17 PM PDT
Dan: it's Comcast's network, if they don't want you attaching a server to it, then they should be able to say no? Paying $60 a month isn't a license to eat all bandwidth.
by Vegaman_Dan October 8, 2009 1:19 PM PDT
@jasonatcomcast:

Is there an option to opt out of this program? I prefer to not have Comcast snooping at my packet traffic, thanks. Even for good intentions, there are just so many ways this can be misused and turned into yet another way ISPs can use to charge more money for the service I do not get now.

I do wish there was a meter setup for actual usage though. Treat cable and internet usage like you do with electrical power. Let us pay for only what we are using. When Comcast's signal goes down for hours/days at a time, I'm still paying a monthly bill regardless if I get any actual use of it or not. Granted, they are pretty good about getting someone out to fix it in 48-72 hours, but you don't get any service credit either.

It would be nice if there was a Service Level Agreement. If Comcast doesn't meet up with the requirement to provide a usable signal for internet/television usage, then there is no bill until it is corrected.

But that's just a pipe dream.
by jasonatcomcast October 8, 2009 1:52 PM PDT
@Vegaman_Dan - You can't opt-out of us telling you we believe you have a bot, though you certainly may choose to not care to remove it. One of the problems with bots in particular is that they end up doing things like attack other computers on the network, send spam, etc.
by Seaspray0 October 8, 2009 2:28 PM PDT
@jasonatcomcast. Ty for the info. Is any client software required for this service? I do not have any software from comcast loaded on any of my computers and I want them to remain that way.
by Dalkorian October 8, 2009 3:33 PM PDT
I was also surprised that it seemed like conjob was trying to do good, but then I ran across this tidbit:

"Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail."

Ah, now I get it. Install our software and trust us in telling you what it does! I'm becoming firmly of the belief that ISPs should NOT be allowed to serve content.
by Vegaman_Dan October 8, 2009 7:39 PM PDT
@jasonatcomcast:

"You can't opt-out of us telling you "

That's all you have to say right there. That sums up the entire story right there alone.

Okay, that's fine, you can snoop on my packets. Go right ahead. They are rather boring since the most exciting thing I do is visit CNET here.

I do prefer to do my own security and do not care to have someone else watching what I am doing all the time like that. Yes, looking for abnormal activity makes a lot of sense, however to do so means you need to be monitoring my connection for it. THAT is something I don't like.

It's sort of like having the Federal Government being permitted to bug every single phone in the US... you know, just in case you might have a terrorist using it without your knowledge. Or child porn. Or your uncle Joe talking about his Barbie collection he's taking to BarbieCon 2010 this winter and then being arrested for being a sexual offender.

Are you Comcast's official representative here on CNET? Does Comcast know you are posting in their representation? Some of your comments here raise more eyebrows than they need to and make me wonder if this is actually authorized. A lot of your replies so far are such that most companies' PR contacts would say 'no comment'.
by smith20132 October 8, 2009 12:17 PM PDT
Yet, still no broadband meter.
by warpsix October 8, 2009 2:34 PM PDT
I have spent years telling everyone Not to click on boxes like that. Plenty of better options comcast should use.
by ps2os2 October 8, 2009 3:16 PM PDT
This is almost ridiculous. No one in their right mind would trust *ANYTHING* COMCAST would put out warning about anything. They have essentially zero credibility. I use them only as a means for a connection to the internet. Their email is almost a joke, their support is pretty much the same way. In other words I wouldn't let any COMCAST person near my computer.
by XangatiPress October 8, 2009 5:05 PM PDT
For the record, Mikrotec Has Been Doing this with Xangati Since Early 2008.
by terminalblue October 8, 2009 6:17 PM PDT
SOOOO can you opt out of it, or are they nice enough to snoop on your traffic without your permission anytime?
by Vegaman_Dan October 8, 2009 7:43 PM PDT
Jasonatcomcast has posted here already that you do not have the ability to opt out. They will be monitoring your connection and traffic without your approval.

I guess this means you better make sure you only go to clean healthy websites that Comcast approves of. ;)
by steveupallnight October 8, 2009 9:39 PM PDT
Comcast causes the problem by distributing McAfee Suite with all the default security set to 'log only'. Unbelievable - it logged everything!

My PC got infected again right after a major AV upgrade which reset all the settings.

Also, it is not obvious how to change the settings and the dialog box is off the bottom of the screen. You need to know it is there.

I can only imagine they do this to make people think they need to buy the retail McAfee version.
by AkumaKuruma October 9, 2009 5:06 AM PDT
The one thing that is not explained anywhere is how does this service even get the popup on your screen? Is this built into the browser toolbar? Is it a framed DNS redirect? Does it only show up on the comcast.net webpage? I know that you cannot just arbitrarily send a web popup to someone if they do not have a method for receiving it.
by AkumaKuruma October 9, 2009 5:17 AM PDT
To answer myself, I found the following which describes the system.

http://tools.ietf.org/html/draft-livingood-web-notification-00
by sam99999999 October 9, 2009 11:13 AM PDT
@AkumaKuruma

Great post! That IETF draft was very useful. So it's done with on-the-fly Javascript insertion which will alter an HTTP response from any desired website. Not sure how I feel about that, or how it plays with regard to copyrighted website content, but I understand Comcast's intent.
by eriew October 9, 2009 5:19 AM PDT
Comcast doesn't offer their security suite for Windows 7 Beta or RC (at least the last time I tried).

Does anyone know when Comcast plans to offer McAfee for 7?
by Seaspray0 October 9, 2009 6:50 AM PDT
Elinor Mills, Please follow up on this story. The notification part of this plan leaves a lot of holes on how it's going to work. How is comcast going to notify the IP address? Is it going to require any software on the client to get the notification? If by email, how will they match the IP address to an email address? I've gone looking for some answers and haven't found them yet. Can you help?
by AkumaKuruma October 9, 2009 7:17 AM PDT
Based on the link I posted a few posts up, if you are tagged for a notice, they will temporarily route your HTTP sessions thru an HTTP proxy they run so as to overlay the message. Once you have been notified (aka. you click it off) it removes you from the HTTP proxy and goes back to normal.
by JPSaltzman October 9, 2009 7:37 AM PDT
For the record, the anti-virus software Comcast offers for free is PC-only. They do not offer anything for the Mac -- which, considering McAfee's history, is probably a good thing.
by wanderson October 9, 2009 8:55 AM PDT
How does this move by Comcast affect users of Apple Mac OS X and GNU/Linux operating system (OS) software?

Surely Comcast cannot accuse users of these OS of spreading infections that cannot enter their computers.

A statement to such case should have been made by the company.

W. Anderson
wanderson@kimalcorp.org
by ertem0 October 9, 2009 9:12 AM PDT
An ISP's job is to get bits from here to there. Nothing else. How those bits behave, what those bits do, their timing is none of the ISP's business. They are a carrier, period.

If a voice carrier, say Verizon, started to listen in to your phone conversations and notified you that you were yelling too much, or using profanity, or that you had an accent, what would your reaction be? So why allow Comcast to monitor the bits you're sending to another place?

Does UPS look inside your packages? They only deliver them. An ISP's job is to get bits delivered. They are not in the content business, they are in the delivery business.