July 19, 2005 4:00 AM PDT

ISPs versus the zombies

(continued from previous page)

were directly linked to zombies, said Matt Tarothers, who manages the abuse department at the Atlanta-based cable company.

While some customers can just be handed a cable modem and will just take off, other less tech-savvy people need guidance from their provider, he noted. "There are more and more people getting online that don't have a technical background. If you are going to be a successful ISP, you have to have to hold the customer's hand a bit," Tarothers said.

Cutting off channels
Cox actively monitors its network for potentially malicious activity. It also defuses known zombies by cutting off remote control channels, Tarothers said. Zombies listen for instructions from their masters on Internet Relay Chat channels. Cox blocks traffic to the IRC servers used by zombies, which are rarely major IRC networks and are often run on another compromised machine, Tarothers said.

When a zombie is detected, Cox takes the affected PC offline. Instead of being allowed on the Web, the customer is directed to a special Web page with information on security, he said.

The attacks will get more sophisticated, Tarothers said. "It is an arms race. We come up with new proactive measures, and the Trojan makers come up with something new," he said. Tarothers said he expects more zombies will start listening for commands from their masters on peer-to-peer networks, which will preempt Cox's current defense.

Top 5 zombie homes

Tarothers said he is not worried about privacy concerns that closer monitoring of traffic might bring. "Far more of our customers are happy to see us take an active role than are paranoid about us looking at their traffic," he said.

EarthLink also monitors for potentially abusive patterns of traffic coming in and going out of its network, said Tripp Cox, the Atlanta-based ISP's chief technology officer. Suspected activity is investigated, and customers are contacted if EarthLink believes their PC has been turned into a zombie. "We routinely investigate, disable and shut down accounts. It is a daily activity," he said.

In the future, consumers will demand a safe Internet service, and if an ISP doesn't measure up on security, members will flee to a rival provider, Forrester analyst Stamp said. "Customers will absolutely demand a clean pipe," he said.

The technology is out there for Internet companies to be able to identify zombies and botnets, Stamp added. The will of the market just has to catch up to the technology that is available.

Ultimately, if an ISP's network becomes infested with zombies, other providers will block traffic from that network, Stamp predicted. "If you don't secure your own network, then others won't connect to you," he said. In one recent case, British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.

Service providers could even make a business out of helping consumers, said Russ Cooper, a senior scientist at security company Cybertrust. "Consumers that have bots and are sending out spam should be isolated and should be charged by their ISP for being saved," Cooper said.

The detection of zombies is the easiest remedy open to ISPs, and it could be touted as a competitive feature by providers, Gartner analyst John Pescatore said. "They can do more of detecting when a PC is infected and then notify the customer," he said.

Pescatore sounded a note of caution about just how much Internet companies could be expected to do, given the sophistication and seriousness of the problem. "To say that ISPs could prevent botnets from being installed would be a stretch," he said.

Even so, preventative measures such as customer education could help service providers mitigate the problem. Many of their helpdesk calls today already deal with zombie code and other malicious software that land on PCs while customers traverse the Web. In fact, ISPs should be to home users what IT departments are to office workers, said Dave Rand, chief technologist for Internet content security at Trend Micro.

While customers can be urged and even compelled under threat of disconnection to keep their computers clean, the pressure is really on the ISPs themselves to act. The call for service providers to take more responsibility for tackling the threat is coming through loud and clear--from the government and the Internet community alike. Trend Micro's Rand, for example, said that with the number of zombies continuing to increase, ISPs have to take a more active role. "A hands-off approach has proven not to work," he said.

Previous page
Page 1 | 2


Join the conversation!
Add your comment
Why not..
Just give every customer a cd with Antispyware, Antivirus, and a firewall. All of these things can be found for free, so just make a cd that is sent when a customer orders an internet service.
Antispyware-Spybot S&D
Antispyware-Avg free edition (or maybe an ISP license)
Firewall-Zone Alarm free edition (or maybe ISP license)
Problem solved.
Posted by wazzledoozle (288 comments )
Reply Link Flag
Consumers versus ISPs
Port 25 blocking is really cool. They sell you near-access to the Internet, and charge you $60 more for business access, which is... port 25 unblocked. That's it. Not even a QoS guarantee.

I've since moved ports on my remote server to allow me to continue to use my domains to send email; without this option, my domains would be largely useless to me. And port 25 blocking wouldn't save my ISP from being a zombie farm.

Port 25 blocking is not about keeping their customers zombie-free. It's a form of artifical denial of service to induce you to pay for a "premium" service. In short, they deliberately cripple the basic capabilities and then have to pay to have them restored. The only reason they can do this is because nearly every cable broadband provider has an effective monopoly.

Posted by Remo_Williams (488 comments )
Reply Link Flag
Wow.. what a simple solution..
Too bad it is worthless. Providing a CD doesn't mean people will actually install. Running these programs doesn't mean people will run them with proper settings.

Blocking port 25 and/or port blocking in general greatly detracts from the value of the connection.
Posted by 202578300049013666264380294439 (137 comments )
Reply Link Flag
Why can't ISP's do the virus-checking?
why can't ISP's apply antivirus and malware filters to all of the traffic that passes through their servers? That way nobody can receive most known viruses and we don't have to worry about what the customers know how to do...
Posted by Razzl (1318 comments )
Reply Link Flag
Protection? Yeah, right.
The fact is that most ISP-provided network securing software sucks, mainly because it is often client-centric rather than network-centric. People who use crappy services like AOL, I would argue, are nubes and dont know any better, so they need their hands held while they browse the big bad Internet. It is stupid to try and force the rest of us into a box for idiots where all the walls are padded and ports are blocked and our traffic is monitored for our safety. Who are ISP and security firms trying to kid? (It should not be overlooked that these security firms are actually drumming up more business every time they warn us about new security threats.)

ISP should not be permitted to monitor traffic from customers except as an aggregate of overall traffic, and simple measures like preventing one user from sending 10,000 emails out is a good place to start to curb the spamming problem. But not permitting certain ports or monitoring all traffic and cutting off the victims of a zombie infestation is wrong headed.

This all sounds to me like the ISPs are fishing for ways to make even MORE MONEY off us by disabling certain features of networks and then charging us to have them re-enabled. (All in the name of security, mind you.) ISPs seem to be taking a page from G.W. Bushs playbook, namely make people afraid so they can be controlled, tell them their security is at risk and only by giving up freedoms can they be protected. It is hogwash.

I dont want my government or my ISP telling me what to do. Less is more. Stay out of my computer; dont try to protect me by standing over my shoulder. Dont try to charge me for so called protection software that you the ISP want me to install so you can monitor my traffic. Dont tell me on one hand that you allow a spammer to pay you, the ISP, to send out 15,000 emails every hour using your network, but if I CC three of my friends with an email, itll be blocked. Dont try to tell me I cant run a website or game server off my home network or try to block protocols I want to use. In short, dont treat all of us like hackers and spammers when we all know that your efforts in the past to help us have been a rolling disaster. (Have you tried to use ISP-provided anti-spam software? It rarely works as intended, and spam from KNOWN SPAMMERS routinely makes it through the filters, even spam messages that have been circulating unchanged for weeks and even months arent blocked automatically.)

It comes down to ISPs tracking down spammers and putting them in jail. It comes down to not allowing anyone to send out huge numbers of emails to large mailing lists. We already have laws to prevent spammers from operating, but they arent being used effectively. It also comes down to making website hosts responsible for the web pages on their networks. If an ISP hosts a website with bots or other malicious code in it, then that page or site should be taken down by the host. (Not blocked at the clients end.) We already have search engines that can identify malicious code or bots on a webpage. A simple warning to the webpage owner to remove the bad stuff and then prompt removal for non-compliance would do wonders to protect end users or client machines. (In other words, kill the sources of this stuff, but dont make end users or client machines the bad guy and force them to install extra protection software.) ISPs can make the information about how to protect a computer easier to understand for the less tech-savvy people out there, and ISPs can offer to fix a computers security issues for a client. But the choice as to whether to use that service should always remain an opt-in choice, not something forced on all of us. After all, I know my computing needs better than my ISP does. And I wouldnt trust a blanket approach to firewall rule creation or even antivirus deployment.
Posted by (5 comments )
Reply Link Flag
If you know enough to ask...
Having default firewall policies on connections for customers that don't ask for open connections is not such a bad idea. If you know enough to ask to not have incoming and outgoing ports blocked, then you probably know enough to secure your system as well. If you don't, than you probably won't miss that functionality anyway.

UVA had a good policy in this regard. They blocked everything incoming from outside their network by default, but if you asked, they would open all ports to your ethernet jack. (it was probably giving you a reserved IP address and putting a hole in the firewall, but you get the idea).

The problem is when they try to make unblocked connetions a premium service. Having an open connection should just be an option you have as a paying customer. You paying for a connection, not their "internet experience" that they try to nudge you into when you install their software (which is often required to set up the connection).
Posted by CagedAnimal (67 comments )
Reply Link Flag
OS Makers should fill the holes
There are two problems with the current approach. 1. We are trying to fix the problem with bandaids. Just cleaning each infected PC is not solving the real problem. Let's find the authors of the bots and put them in jail for a long time. Let's also hold those who advertise using bots responsible monetarily and criminially.
The second problem is that programs can be run on Windows that are not traceable. In the new version of Windows (Longhorn) Microsoft should implement a system where absolutely no program can be run whatsoever unless it's been registered with Windows. Programs will no longer be able to install behind the users back, and run without trace. If you have a program that is causing problems, you approved its installation and will have a way to uninstall it, and set up its security parameters, preventing it from accessing parts of the system where it could do the most harm.
Posted by randyjohns (3 comments )
Reply Link Flag
What a pin head
Posted by thomcarl (72 comments )
Reply Link Flag
False: TeleWest black-listed 900,000
> British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.


TeleWest black-listed *ZERO* customers.

The truth is that SPEWS black-listed an IP-range that could, in theory, have spanned over 900,000 of TeleWest's customers.

Just plain *BAD* technical-writing!
Posted by (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.