July 19, 2005 4:00 AM PDT

ISPs versus the zombies

(continued from previous page)

were directly linked to zombies, said Matt Tarothers, who manages the abuse department at the Atlanta-based cable company.

While some customers can just be handed a cable modem and will just take off, other less tech-savvy people need guidance from their provider, he noted. "There are more and more people getting online that don't have a technical background. If you are going to be a successful ISP, you have to hold the customer's hand a bit," Tarothers said.

Cutting off channels
Cox actively monitors its network for potentially malicious activity. It also defuses known zombies by cutting off remote control channels, Tarothers said. Zombies listen for instructions from their masters on Internet Relay Chat channels. Cox blocks traffic to the IRC servers used by zombies, which are rarely major IRC networks and are often run on another compromised machine, Tarothers said.

When a zombie is detected, Cox takes the affected PC offline. Instead of being allowed on the Web, the customer is directed to a special Web page with information on security, he said.

The attacks will get more sophisticated, Tarothers said. "It is an arms race. We come up with new proactive measures, and the Trojan makers come up with something new," he said. Tarothers said he expects more zombies will start listening for commands from their masters on peer-to-peer networks, which will preempt Cox's current defense.

Top 5 zombie homes

Tarothers said he is not worried about privacy concerns that closer monitoring of traffic might bring. "Far more of our customers are happy to see us take an active role than are paranoid about us looking at their traffic," he said.

EarthLink also monitors for potentially abusive patterns of traffic coming in and going out of its network, said Tripp Cox, the Atlanta-based ISP's chief technology officer. Suspected activity is investigated, and customers are contacted if EarthLink believes their PC has been turned into a zombie. "We routinely investigate, disable and shut down accounts. It is a daily activity," he said.

In the future, consumers will demand a safe Internet service, and if an ISP doesn't measure up on security, members will flee to a rival provider, Forrester analyst Stamp said. "Customers will absolutely demand a clean pipe," he said.

The technology is out there for Internet companies to be able to identify zombies and botnets, Stamp added. The will of the market just has to catch up to the technology that is available.

Ultimately, if an ISP's network becomes infested with zombies, other providers will block traffic from that network, Stamp predicted. "If you don't secure your own network, then others won't connect to you," he said. In one recent case, British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.

Service providers could even make a business out of helping consumers, said Russ Cooper, a senior scientist at security company Cybertrust. "Consumers that have bots and are sending out spam should be isolated and should be charged by their ISP for being saved," Cooper said.

The detection of zombies is the easiest remedy open to ISPs, and it could be touted as a competitive feature by providers, Gartner analyst John Pescatore said. "They can do more of detecting when a PC is infected and then notify the customer," he said.

Pescatore sounded a note of caution about just how much Internet companies could be expected to do, given the sophistication and seriousness of the problem. "To say that ISPs could prevent botnets from being installed would be a stretch," he said.

Even so, preventative measures such as customer education could help service providers mitigate the problem. Many of their helpdesk calls today already deal with zombie code and other malicious software that land on PCs while customers traverse the Web. In fact, ISPs should be to home users what IT departments are to office workers, said Dave Rand, chief technologist for Internet content security at Trend Micro.

While customers can be urged and even compelled under threat of disconnection to keep their computers clean, the pressure is really on the ISPs themselves to act. The call for service providers to take more responsibility for tackling the threat is coming through loud and clear--from the government and the Internet community alike. Trend Micro's Rand, for example, said that with the number of zombies continuing to increase, ISPs have to take a more active role. "A hands-off approach has proven not to work," he said.

Why not..
Just give every customer a cd with Antispyware, Antivirus, and a firewall. All of these things can be found for free, so just make a cd that is sent when a customer orders an internet service.
Antispyware-Spybot S&D
Antispyware-Avg free edition (or maybe an ISP license)
Firewall-Zone Alarm free edition (or maybe ISP license)
Problem solved.
Posted by wazzledoozle (288 comments )
Buy a Mac...
Problem solved.
Posted by Tui Pohutukawa (366 comments )
Consumers versus ISPs
Port 25 blocking is really cool. They sell you near-access to the Internet, and charge you $60 more for business access, which is... port 25 unblocked. That's it. Not even a QoS guarantee.

I've since moved ports on my remote server to allow me to continue to use my domains to send email; without this option, my domains would be largely useless to me. And port 25 blocking wouldn't save my ISP from being a zombie farm.

Port 25 blocking is not about keeping their customers zombie-free. It's a form of artificial denial of service to induce you to pay for a "premium" service. In short, they deliberately cripple the basic capabilities and then you have to pay to have them restored. The only reason they can do this is because nearly every cable broadband provider has an effective monopoly.

Posted by Remo_Williams (488 comments )
You obviously know everything there is about being an isp, so
why not run it yourself and cut out the middleman. I am so tired
of people thinking they know everything about everything.

We don't filter port 25 yet, but we are going to. We have hard
numbers on how this does make a difference. It may not be the
end all of malware, but it helps. If people want unrestricted
access, they will have a simple form to fill out.

If you have the answers to solving spam, zombies and other
malware, then submit them and we will honestly look at them,
but do not sit and act like you know all and the rest of the world
are idiots.
Posted by jasonemanuelson1 (82 comments )
Re:Consumers versus ISPs
There was a time many years ago when I was totally against any port blocking by ISPs. I just wanted to pay for a network pipe. The reality of spam, viruses and phishing has changed the landscape of the internet. As much as I hate the idea of port blocking, that is the most effective way I can see to cripple the bot nets.

I don't like paying business prices for residential service either but that's a different rant. That is the price that I have to pay to run my own mail, name and web servers.

Let's face it. Most consumers are not computer savvy enough to manage their computers. Despite the popular misconception, personal computers are NOT comparable to microwave ovens. It's not enough to know how to run them. You also have to know how to maintain them.

The general public has neither the education nor inclination to adequately maintain their computer systems. This is in large part due to the current education system in the U.S. and elsewhere, that are hell bent on dumbing down society.

Instead of lowering the bar of expectations, we should raise it. Instead of avoiding responsibility, it should be a prerequisite. You want to use a personal computer? Demonstrate competency and be held accountable when your computer becomes a problem. Of course, I'm a hard ass. I think those requirements should be imposed on a lot of other things like cars and cell phones.

While I do use an ad/spy ware detector, I don't have anti-virus software on my computers. Why? Because they are only as good as the threats that the vendors are aware of. The existing threats routinely evolve or new ones are created. It's just another opportunity to bilk money out of the ignorant. I'm also not wholly convinced that the anti-virus software vendors may also be writing some of the viruses. In any event, I haven't had a single virus, worm, etc, on my computers in over 5 years.

I've configured my firewall(s) to block all but a few incoming ports and I block all email connections from outside North America. I'm ok with that. There isn't anyone I need to communicate with outside CONUS anyway. The only spam attempts I get these days are from the compromised Winders PCs in North America. Those emails never make it to my Winders PC because I filter them at the mail server. Currently, Charter Communications seems to be the biggest offender followed by Comcast.

As far as I'm concerned, the general PC masses should have port filtering imposed. It will improve the quality of the internet for the rest of us.
Posted by (63 comments )
Wow.. what a simple solution..
Too bad it is worthless. Providing a CD doesn't mean people will actually install. Running these programs doesn't mean people will run them with proper settings.

Blocking port 25 and/or port blocking in general greatly detracts from the value of the connection.
Posted by 202578300049013666264380294439 (137 comments )
Port blocking, etc.
Blocking port 25 is not necessarily a bad thing.
They should block outgoing port 25 connections
to everything but the ISPs relay. That way, all
mail routes through the ISP, who can assure that
the message can be traced to the infected
individual. This also doesn't affect client's
ability to send e-mail.

Blocking inbound port 80, like Verizon does, is
silly. Sure, it might stop the occasional
infection of something running IIS, but it's a
pain for customers that are diligent. Moreover,
one can simply move to the popular port 8080 and
be just as infectable.

These silly responses decry a lazy ISP, lazy
consumers (who should secure their own machines,
or use systems that are much less apt to
infection). Why not make special rules for
Windows users -- the population causing the
problem -- requiring them to run special
anti-malware tools provided by the ISP that
validate themselves to the ISP before the
machine is provided access through the ISP?

For UNIX users, block in-bound telnet and maybe
FTP (use sftp instead) ports. Some ISPs might
even want to check if ssh servers are permitting
password-based logins (bad idea and

Those two things should be sufficient.
Posted by Gleeplewinky (289 comments )
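The egress rule described in the comment above (subscribers may reach TCP port 25 only on the ISP's relay), as an added example that is not part of the original thread or any ISP's tooling. The subscriber range, relay address, threshold and flow records are constructed for illustration; the example also counts distinct blocked destinations per subscriber, a signal an abuse desk could use to spot a likely zombie.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this example (none of these values come from the page):
SUBSCRIBER_NET = ip_network("10.20.0.0/16")  # constructed subscriber pool
ISP_RELAY = ip_address("192.0.2.25")         # constructed ISP mail relay
DISTINCT_DST_THRESHOLD = 3                   # hypothetical tuning value

# Constructed flow records: (source IP, destination IP, destination TCP port)
SAMPLE_FLOWS = [
    ("10.20.1.5", "192.0.2.25", 25),     # mail sent through the relay
    ("10.20.1.5", "198.51.100.7", 443),  # ordinary web traffic
    ("10.20.7.9", "198.51.100.10", 25),  # direct-to-MX delivery attempts
    ("10.20.7.9", "198.51.100.11", 25),
    ("10.20.7.9", "203.0.113.4", 25),
    ("10.20.7.9", "203.0.113.4", 25),    # repeat of the same destination
    ("10.20.3.3", "203.0.113.80", 25),   # a single direct connection
    ("172.16.0.1", "203.0.113.80", 25),  # not a subscriber address
]


def port25_action(src, dst, dport):
    """Egress policy: subscribers may reach TCP/25 only on the ISP relay."""
    if dport != 25 or ip_address(src) not in SUBSCRIBER_NET:
        return "allow"  # outside the scope of this rule
    return "allow" if ip_address(dst) == ISP_RELAY else "block"


def suspected_zombies(flows, threshold=DISTINCT_DST_THRESHOLD):
    """Map each subscriber to its count of distinct blocked SMTP destinations,
    keeping only subscribers at or above the threshold."""
    blocked = defaultdict(set)
    for src, dst, dport in flows:
        if port25_action(src, dst, dport) == "block":
            blocked[src].add(dst)
    return {src: len(dsts) for src, dsts in blocked.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", port25_action(*flow))
    print("notify / quarantine candidates:", suspected_zombies(SAMPLE_FLOWS))
```

Counting distinct destinations rather than raw connections keeps a customer with one misconfigured mail client from being treated like a machine spraying mail at many servers.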
Why can't ISP's do the virus-checking?
Why can't ISP's apply antivirus and malware filters to all of the traffic that passes through their servers? That way nobody can receive most known viruses and we don't have to worry about what the customers know how to do...
Posted by Razzl (1318 comments )
Why not?
Simple. No one wants to pay for it. No one wants them to touch
their machines. No one wants to be patient while the
technologies to do so mature.

To filter all incoming traffic is not just throwing a cheap Dell on
a rack and saying "filter me." It takes a serious amount of
money, resources, time and patience to get filtering to work
properly and effectively. Since writers of malware get better each
and every day, it is a daily struggle for this to work.

But, most people that have an internet connection absolutely
refuse to understand any of this. They want it all now, for free
and delivered yesterday. People think that being an ISP/ASP is a
walk in the park with grand paychecks and strong company
profits. Well, think again. Even the big boys of the industry have
problems with this.
Posted by jasonemanuelson1 (82 comments )
They do
A lot of them do just that. But anti-virus software isn't 100% proof against virii and trojans. It can only stop the programs it knows about.
Posted by (402 comments )
Because it is NOT FREE
Unless those customers are smart enough to download free antivirus software :)
Posted by 201293546946733175101343322673 (722 comments )
Protection? Yeah, right.
The fact is that most ISP-provided network securing software sucks, mainly because it is often client-centric rather than network-centric. People who use crappy services like AOL, I would argue, are nubes and don't know any better, so they need their hands held while they browse the big bad Internet. It is stupid to try and force the rest of us into a box for idiots where all the walls are padded and ports are blocked and our traffic is monitored for our safety. Who are ISP and security firms trying to kid? (It should not be overlooked that these security firms are actually drumming up more business every time they warn us about new security threats.)

ISP should not be permitted to monitor traffic from customers except as an aggregate of overall traffic, and simple measures like preventing one user from sending 10,000 emails out is a good place to start to curb the spamming problem. But not permitting certain ports or monitoring all traffic and cutting off the victims of a zombie infestation is wrong headed.

This all sounds to me like the ISPs are fishing for ways to make even MORE MONEY off us by disabling certain features of networks and then charging us to have them re-enabled. (All in the name of security, mind you.) ISPs seem to be taking a page from G.W. Bush's playbook, namely make people afraid so they can be controlled, tell them their security is at risk and only by giving up freedoms can they be protected. It is hogwash.

I don't want my government or my ISP telling me what to do. Less is more. Stay out of my computer; don't try to protect me by standing over my shoulder. Don't try to charge me for so-called protection software that you the ISP want me to install so you can monitor my traffic. Don't tell me on one hand that you allow a spammer to pay you, the ISP, to send out 15,000 emails every hour using your network, but if I CC three of my friends with an email, it'll be blocked. Don't try to tell me I can't run a website or game server off my home network or try to block protocols I want to use. In short, don't treat all of us like hackers and spammers when we all know that your efforts in the past to help us have been a rolling disaster. (Have you tried to use ISP-provided anti-spam software? It rarely works as intended, and spam from KNOWN SPAMMERS routinely makes it through the filters, even spam messages that have been circulating unchanged for weeks and even months aren't blocked automatically.)

It comes down to ISPs tracking down spammers and putting them in jail. It comes down to not allowing anyone to send out huge numbers of emails to large mailing lists. We already have laws to prevent spammers from operating, but they aren't being used effectively. It also comes down to making website hosts responsible for the web pages on their networks. If an ISP hosts a website with bots or other malicious code in it, then that page or site should be taken down by the host. (Not blocked at the client's end.) We already have search engines that can identify malicious code or bots on a webpage. A simple warning to the webpage owner to remove the bad stuff and then prompt removal for non-compliance would do wonders to protect end users or client machines. (In other words, kill the sources of this stuff, but don't make end users or client machines the bad guy and force them to install extra protection software.) ISPs can make the information about how to protect a computer easier to understand for the less tech-savvy people out there, and ISPs can offer to fix a computer's security issues for a client. But the choice as to whether to use that service should always remain an opt-in choice, not something forced on all of us. After all, I know my computing needs better than my ISP does. And I wouldn't trust a blanket approach to firewall rule creation or even antivirus deployment.
Posted by (5 comments )
okay, Mr. Smart
You want us to go after spammers? Okay, when you want
internet for $10/month, a pipe as wide as the Earth is round,
unlimited this and that, and expect us to have any money to go
after them with?

Real world now... you get what you pay for.
Posted by jasonemanuelson1 (82 comments )
If you know enough to ask...
Having default firewall policies on connections for customers that don't ask for open connections is not such a bad idea. If you know enough to ask to not have incoming and outgoing ports blocked, then you probably know enough to secure your system as well. If you don't, then you probably won't miss that functionality anyway.

UVA had a good policy in this regard. They blocked everything incoming from outside their network by default, but if you asked, they would open all ports to your ethernet jack. (it was probably giving you a reserved IP address and putting a hole in the firewall, but you get the idea).

The problem is when they try to make unblocked connections a premium service. Having an open connection should just be an option you have as a paying customer. You're paying for a connection, not their "internet experience" that they try to nudge you into when you install their software (which is often required to set up the connection).
Posted by CagedAnimal (67 comments )
OS Makers should fill the holes
There are two problems with the current approach. 1. We are trying to fix the problem with bandaids. Just cleaning each infected PC is not solving the real problem. Let's find the authors of the bots and put them in jail for a long time. Let's also hold those who advertise using bots responsible monetarily and criminally.
The second problem is that programs can be run on Windows that are not traceable. In the new version of Windows (Longhorn) Microsoft should implement a system where absolutely no program can be run whatsoever unless it's been registered with Windows. Programs will no longer be able to install behind the user's back, and run without trace. If you have a program that is causing problems, you approved its installation and will have a way to uninstall it, and set up its security parameters, preventing it from accessing parts of the system where it could do the most harm.
Posted by randyjohns (3 comments )
So Hackers and Crackers......
...and virus writers are not responsible for causing Internet users all the hassles? :)
Posted by 201293546946733175101343322673 (722 comments )
untraceable programs?
I run Windows 98 SE and I have everything I need to see every process and application running on my PC given to me by Microsoft. Why don't ya try tinkering around with some of the stuff that's on your computer. Jeez, it's just that simple.. open one small program and Hey! I don't have to post stuff about untraceable programs on Windows and look like a dingbat. Try running System Information for one.. gives you A LOT of information, even stuff not showed by Alt-Ctrl-Del. And instead of blaming OS makers, why isn't the AV industry stepping up, getting people to send in copies of the Bots, and make a fix against them? And better yet, why not use heuristic scanning to scan a pc for bot like programs running? Do some research before posting, it'd save a lot of web space.
Posted by (75 comments )
What a pin head
Posted by thomcarl (72 comments )
Hello Pin Head
<EOM> :)
Posted by 201293546946733175101343322673 (722 comments )
False: TeleWest black-listed 900,000
> British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.


TeleWest black-listed *ZERO* customers.

The truth is that SPEWS black-listed an IP-range that could, in theory, have spanned over 900,000 of TeleWest's customers.

Just plain *BAD* technical-writing!
Posted by (1 comment )
