Is it time to knock infected PCs off the internet?

3 Sep 2012
Security cabinet

Nicole Kobie investigates the implications of taking malware-ridden computers offline

Malware could block your access to the internet – but in some cases the blocking is done by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats.

Last year, authorities – led by the FBI – arrested the criminals behind the DNSChanger operation, taking over their servers. The malware changed victims' DNS settings, and unplugging the servers would have cut off the four million infected PCs from the web.

The FBI won a court order allowing it to keep the servers running long enough to work with ISPs to warn infected customers and clean up machines. The 120-day grace period was extended once, but eventually the plug was pulled in July, with 250,000 machines still infected – 13,000 in the UK alone.

While some described it as an "internet doomsday", there were few reports of PCs suddenly refusing to find websites. This is partially because ISPs – including Virgin Media – stepped in to handle the DNS re-routing, meaning that some infected PCs are still being propped up.

The case raised questions about how far authorities can – or should – go to tackle the worst malware, and who is responsible if it all goes wrong.

PC quarantine

One idea that's been previously mooted is quarantining infected PCs. When malware is detected, that PC would be blocked from openly accessing the internet. Microsoft's vice president of trustworthy computing, Scott Charney, suggested the idea at the RSA security conference in 2010, asking, "Why don't we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the internet?" Microsoft has since pulled back, renaming it "internet health" and proposing PCs receive a "health check" before gaining access to networks.

Microsoft isn't the first to consider the idea. A Dutch bank has previously blocked customers with infected PCs from accessing its online services, as it battled a particularly troubling trojan. "That bank made some waves among the population by sending notes and letters to its customers, saying we're cutting off your banking," said F-Secure Labs security advisor Sean Sullivan, noting that the European Commission has recently advised banks to assume that all of their customers' PCs are infected with a trojan. "There's a lot of talk suggesting that if you see anything strange in your customer base, block it – block your customers."

ISPs also like the idea of isolating infected PCs, Sullivan said, as PCs spewing spam clog up their networks, with recent research from the Delft University of Technology suggesting that as much as 6% of UK traffic comes from compromised machines. "It's a minority of the overall customer base, but 10% of all machines [globally] exhibiting bot-like behaviour is a huge free resource that can be commoditised for cybercrime," said Sullivan.

However, there are problems with cutting off customers beyond angering them. "It's tricky," said Kaspersky Lab senior security researcher David Emm. "There's a contract in place between myself and the ISP to provide me with a broadband connection. If it's to sever that, there's a potential problem."

He added that ISPs would need to include severance policies in their terms of service, since cleaning up computers without permission from users could be seen as "unauthorised modifications of a computing device" and would therefore be in breach of the Computer Misuse Act.