Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.
For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.
Comcast is launching a trial of a service that will warn customers via a browser pop-up that their computers may have been compromised by malware. (Credit: Comcast)
The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.
The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.
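A minimal version of the two triggers described above (a sudden spike in a host's outbound mail traffic, or the host's address turning up on a spam list), written here as an added illustration rather than Comcast's own code; the flow records, thresholds and spam-list feed are all constructed:

```python
from collections import defaultdict
from statistics import median

# Constructed per-day flow summaries (not real ISP data): (day, src_ip, dst_port, connections)
FLOWS = [
    (1, "198.51.100.10", 25, 3), (2, "198.51.100.10", 25, 2), (3, "198.51.100.10", 25, 4),  # ordinary mail user
    (1, "198.51.100.23", 25, 2), (2, "198.51.100.23", 25, 1), (3, "198.51.100.23", 25, 1200),  # bot spewing spam
    (3, "198.51.100.50", 443, 5000),  # heavy HTTPS user, no SMTP at all
    (3, "203.0.113.77", 25, 5),  # modest volume, but reported on a spam list
]
# Constructed stand-in for an industry spam/blocklist feed
SPAM_LIST = {"203.0.113.77"}


def smtp_conns_per_host_day(flows):
    """Sum outbound port-25 connection attempts per (src_ip, day)."""
    counts = defaultdict(int)
    for day, src, dport, n in flows:
        if dport == 25:
            counts[(src, day)] += n
    return counts


def flag_bot_like_hosts(flows, today, spam_list=SPAM_LIST, min_conns=500, ratio=10):
    """Return {src_ip: reason} for hosts whose port-25 volume on `today` is a spike
    over their own baseline (median of prior days), or that appear on the spam list.
    `min_conns` keeps a legitimate user going from 1 to 20 mails from being flagged."""
    counts = smtp_conns_per_host_day(flows)
    hosts = {src for (src, _) in counts} | set(spam_list)
    alerts = {}
    for src in sorted(hosts):
        today_n = counts.get((src, today), 0)
        prior = [n for (s, d), n in counts.items() if s == src and d < today]
        baseline = median(prior) if prior else 0
        if today_n >= min_conns and today_n >= ratio * max(baseline, 1):
            alerts[src] = f"smtp spike: {today_n} conns vs baseline {baseline:g}"
        elif src in spam_list:
            alerts[src] = "listed on spam feed"
    return alerts


if __name__ == "__main__":
    for ip, reason in flag_bot_like_hosts(FLOWS, today=3).items():
        print(f"Service Notice candidate {ip}: {reason}")
```

In practice the baseline would be computed over weeks of a host's own history, and the notice itself would only go out after the candidate is checked against the provider's other signals.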
Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.
If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.
The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.
"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."
This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.
"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."
Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.
"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"
The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers to security problems, Opperman said.
Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.
Update 12:50 p.m. PDT October 9: Comcast is not the first to proactively monitor and help customers whose computers have been compromised. Qwest has been doing so for two years. Qwest's Customer Internet Protection Program displays a Web page with a warning to customers and offers a way to remove the infection for free before the customer can continue surfing the Web, a Qwest spokeswoman said.
And SBC (before it was part of AT&T) even quarantined customer accounts, George Ou reports on his Digital Society blog. While preventing infected computers from accessing the Internet until they are cleaned is going too far, he said, displaying warnings that could be faked by scammers might not be the answer either. Ou suggests a standardized "out-of-band notification mechanism that doesn't rely on the Web browser and can only be triggered by authorized entities," combined with remote management tools for automatic cleanup.
This graph shows how spam volumes dropped 80 percent after McColo was shut down and are crawling back up two weeks later. (Credit: MessageLabs)
Spammers knocked offline two weeks ago when their hosting company, McColo Corp., was shut down are finally coming back online, security researchers said on Wednesday.
San Jose, Calif.-based McColo was believed to be responsible for up to 75 percent of all spam, according to Brian Krebs of The Washington Post, who broke the initial story.
Spam volumes, which dropped about 80 percent when McColo was shut down on November 11, remained relatively flat since then until a few days ago when they started climbing up, said Matt Sergeant, senior antispam technologist at MessageLabs, now owned by Symantec.
Since Sunday, the spam volume has risen to about 37 percent of what it was before McColo was unplugged, MessageLabs said.
McColo was hosting command and control servers that were being used to send instructions--like send spam or Trojans--to bot software that has been planted on PCs, mostly in the U.S., according to Sergeant. "With no work orders to process, the machines simply stopped spamming," he said.
Some of the botnets, with names like "Srizbi," "Asprox," "Rustock," and "Mega-D," are back up after connecting to different domains, Sergeant said. Some are connecting to ISPs outside the U.S., which will make it very difficult to shut them down again, he said.
"The problem now is that it was a lot easier to get a U.S.-based ISP shut down than it will be to get, for example, this Estonian ISP shut down," Sergeant said.
"We've stunted the spammers for a couple of weeks, which is a good thing for the Internet," he said. "We've increased their costs and, hopefully, that might put some spammers out of business."
Researchers are collaborating on the matter and providing information to U.S. law enforcement agencies, said Paul Ferguson, an advanced threat researcher at Trend Micro.
Some of the bots are programmed to connect to a new domain after a certain amount of time of inactivity, he said.
Researchers have been able to get some registrars to suspend some domains being used and have filed abuse complaints with some ISPs that appear to be unwitting hosts, Ferguson added.
Microsoft is listed fifth in the Top 10 list of the worst spam service ISPs compiled by Spamhaus.org.
Spammers are advertising links to sites that "peddle fake pharmacy products, porn, and Nigerian 419 scams" on Microsoft's Live.com and Livefilestore.com sites because they know that the Microsoft sites won't get blocked by antispam groups, writes Brian Krebs on his Security Fix Blog at the Washington Post.
Spamhaus has been alerting Microsoft to the problem for some time, but to no avail, Richard Cox, Spamhaus' chief information officer, told Krebs. Other security companies, including McAfee and Marshal, have also been warning about increases in spam and scams on Microsoft-hosted sites.
A Microsoft spokesman responded to a request for comment with this e-mailed statement:
Spam and other abuse scenarios are not Microsoft-specific. Microsoft offers Windows Live, a suite of software and services that provides opportunities for customers to post and share their own content through Windows Live Hotmail, Windows Live Spaces, Windows Live SkyDrive, and other free services. As such, spammers have multiple avenues to target consumers with malicious activities. We take protecting our customers' security and privacy seriously and are continually working to improve their experiences while making industry-leading progress to mitigate such attacks through both oversight and technology advancements. Using Windows Live services for spam is explicitly prohibited by the terms of service, and Windows Live accounts that are found to be used by spammers are aggressively removed.
Interestingly, Verizon.com is listed at No. 9.
Microsoft's Live.com and Livefilestore.com are riddled with spam and online scams, Spamhaus.org says. (Credit: Spamhaus.org)
Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year. (Credit: Arbor Networks)
Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.
The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.
Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."
In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."
One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.
While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.
Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.
But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."