Is it time to knock infected PCs off the internet?
By Nicole Kobie
Posted on 3 Sep 2012 at 15:27
Malware could cost you your access to the internet, but in some cases the blocking comes from those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats.
Last year, authorities – led by the FBI – arrested the criminals behind the DNSChanger operation, taking over their servers. The malware changed victims' DNS settings to point at resolvers the gang controlled, so simply unplugging those servers would have cut off the four million infected PCs from the web.
The FBI won a court order allowing it to keep the servers running long enough to work with ISPs to warn infected customers and clean up machines. The 120-day grace period was extended once, but eventually the plug was pulled in July, with 250,000 machines still infected – 13,000 in the UK alone.
While some described it as an "internet doomsday", there were few reports of PCs suddenly refusing to find websites. This is partially because ISPs – including Virgin Media – stepped in to handle the DNS re-routing, meaning that some infected PCs are still being propped up.
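As an added illustration, not code from the original article, this is the kind of check that the clean-up sites and ISPs relied on: read the resolvers a machine is configured to use and flag any that fall inside the address ranges the FBI published for the DNSChanger servers. The resolv.conf text below is a constructed sample; on Windows the equivalent values come from `ipconfig /all`.

```python
"""Flag DNS resolvers that sit inside the DNSChanger rogue-server ranges."""
import ipaddress

# Resolver address ranges the FBI published for the DNSChanger (Rove Digital)
# operation. Queries to these addresses were served by the court-sanctioned
# replacement servers until the July 2012 shutdown.
DNSCHANGER_RANGES = [
    ipaddress.ip_network(net) for net in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Constructed sample; not captured from a real machine.
SAMPLE_RESOLV_CONF = """\
# generated by the (hypothetical) infected host
nameserver 85.255.112.36
nameserver 192.168.1.1
"""


def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text.

    Comments are stripped and malformed entries are skipped rather than
    raising, since a clean-up tool should report what it can.
    """
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue
    return servers


def rogue_resolvers(servers):
    """Return the subset of resolvers inside a DNSChanger range.

    IPv6 resolvers never match an IPv4 network, so they are simply passed over.
    """
    return [s for s in servers if any(s in net for net in DNSCHANGER_RANGES)]


def check_host(resolv_conf_text):
    """Summarise the resolver configuration of one host."""
    servers = parse_resolv_conf(resolv_conf_text)
    bad = rogue_resolvers(servers)
    return {
        "resolvers": [str(s) for s in servers],
        "rogue": [str(s) for s in bad],
        "infected": bool(bad),
    }


if __name__ == "__main__":
    print(check_host(SAMPLE_RESOLV_CONF))
```

Note that a match only tells you the resolver setting was changed; it says nothing about whether the machine has been cleaned since, which is why the replacement servers were kept running while ISPs chased down the owners of the addresses still querying them.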
The case raised questions about how far authorities can – or should – go to tackle the worst malware, and who is responsible if it all goes wrong.
One idea that's been previously mooted is quarantining infected PCs. When malware is detected, that PC would be blocked from openly accessing the internet. Microsoft's vice president of trustworthy computing, Scott Charney, suggested the idea at the RSA security conference in 2010, asking, "Why don't we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the internet?" Microsoft has since pulled back, renaming it "internet health" and proposing PCs receive a "health check" before gaining access to networks.
Microsoft isn't the first to consider the idea. A Dutch bank has previously blocked customers with infected PCs from accessing its online services, as it battled a particularly troubling trojan. "That bank made some waves among the population by sending notes and letters to its customers, saying we’re cutting off your banking," said F-Secure Labs security advisor Sean Sullivan, noting that the European Commission has recently advised banks to assume that all of their customers’ PCs are infected with a trojan. "There's a lot of talk suggesting that if you see anything strange in your customer base, block it – block your customers."
ISPs also like the idea of isolating infected PCs, Sullivan said, as PCs spewing spam clog up their networks, with recent research from the Delft University of Technology suggesting that as much as 6% of UK traffic comes from compromised machines. "It's a minority of the overall customer base, but 10% of all machines [globally] exhibiting bot-like behaviour is a huge free resource that can be commoditised for cybercrime," said Sullivan.
However, there are problems to cutting off customers beyond angering them. "It's tricky," said Kaspersky Lab senior security researcher David Emm. "There's a contract in place between myself and the ISP to provide me with a broadband connection. If it's to sever that, there's a potential problem."
He added that ISPs would need to include severance policies in their terms of service, since cleaning up computers without permission from users could be seen as "unauthorised modifications of a computing device" and would therefore be in breach of the Computer Misuse Act.
"Your machine is infected with malware so we're cutting off your internet connection" *is* a fairly unpalatable message. However, "here is an essential security update, we've blocked your internet connection until you've installed it and rebooted" is much more reasonable.
Indeed I'd find this much better than Microsoft's current policy of automatic reboots which can lead to data loss if you miss the messages. It would be better for both the user and the internet if Microsoft took this approach.
By JohnAHind on 3 Sep 2012
If Only it was That Easy.....
My ISP (BT) doesn't allocate fixed IP addresses and so ours changes fairly regularly.
On almost every occasion when our IP address is changed by BT we end up with a new IP address that is 'SpamHaus' or 'Abuseat' block listed and so have to go through the PITA process of removing the blocks.
This plan will only work if fixed IP addresses are the norm and something along the lines suggested above by JohnAHind is also implemented.
By jontym123 on 3 Sep 2012
No issues with taking customers offline
"There's a contract in place between myself and the ISP to provide me with a broadband connection. If it's to sever that, there's a potential problem"
And most of those contracts say that if you affect other internet users the provider reserves the right to withdraw the service.
Spamming, DDoSing and malware propagation would, I'd have thought, all fall into that category. It would also be in the interests of ISPs to stop the traffic from these sources to reduce network overhead and associated costs from these compromised sources.
I think that compromised users should be redirected to a specific webpage of the ISP's choosing with a message explaining that internet access has temporarily been blocked due to breaking terms of the contract, then the reason, such as spamming DDoSing etc and provide a solution on the page, e.g. hosted up-to-date copies of malware removing tools, whether it be their own or third party's tools.
The page could also suggest contacting the ISP for confirmation of the issue and support to resolve the issue. Once all the computers are cleared the ISP can also be the point of contact for checking for resolution and resuming the service.
Yes, it's a pain in the backside to suddenly lose your internet connection because a family member's laptop has been compromised, but I bet that those companies that are DDoSed off of the internet also find it a pain in the backside that zombie PCs are able to be used to blackmail their businesses.
For jontym123 the blocking can be done via the MAC address of the modem to prevent people rebooting their modem to get around the block.
By Assassin8or on 3 Sep 2012
Before we do that...
...I'd like someone, ANYONE, to teach users how to change their account to a STANDARD account instead of running as full admin all day long.
I've tried but mags would prefer to write articles on how they don't like Windows 8
By rhythm on 3 Sep 2012
I meant that Microsoft should block the connection in the client machine, not at network level. This also has the advantage that only the infected machine would be blocked, not any others that may be sharing the connection.
By JohnAHind on 4 Sep 2012
Something simple could be extremely effective - for example, when malware is detected by an ISP the customer is put through a captive portal (with CAPTCHA to prevent the malware bypassing it) every day, containing a warning that they have malware. This would then allow the user to continue using the connection, so no change to the service provided. This could be implemented in conjunction with a media awareness campaign, so that if the warning is seen, the user knows not to trust anything on the computer and to take it to a computer repair shop that is part of a malware removal scheme.
By HowAbout on 4 Sep 2012
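The redirect that Assassin8or and HowAbout describe above is usually done at the DNS layer: the ISP's resolver answers every A query from a quarantined subscriber with the address of the walled-garden page, so whatever site the user types, the browser lands on the notice. The following is an added example written for this page, not code from any ISP or from the commenters; it assumes quarantine is keyed by the subscriber's client IP (a MAC- or account-keyed table would slot in the same way), and the query, client addresses and garden address are all constructed.

```python
"""Minimal DNS walled-garden logic: forge A answers for quarantined clients."""
import ipaddress
import struct

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode an uncompressed name at offset; return (name, offset_after)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Build a single-question DNS query (RD set), as a stub resolver would."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_query(msg):
    """Return (txid, name, qtype, qclass, raw_question) from a query packet."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name, qtype, qclass, msg[12:off + 4]


def walled_garden_answer(query, client_ip, quarantined, garden_ip, ttl=60):
    """Return a forged response for a quarantined client, or None to forward.

    quarantined maps client address -> reason string (e.g. "spam", "ddos").
    A/IN questions get the garden address; other types get an empty NOERROR
    answer so the client does not fall back to a resolver we do not control.
    A short TTL keeps the redirect from lingering in caches after release.
    """
    if client_ip not in quarantined:
        return None
    txid, _name, qtype, qclass, question = parse_query(query)
    flags = 0x8180  # QR, RD, RA; RCODE 0
    if qtype == QTYPE_A and qclass == QCLASS_IN:
        rdata = ipaddress.IPv4Address(garden_ip).packed
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + rdata
        ancount = 1
    else:
        answer, ancount = b"", 0
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question + answer


def answered_address(response):
    """Extract the A record from a response built above, or None if empty."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if ancount == 0:
        return None
    _, off = decode_name(response, 12)
    off += 4  # skip qtype/qclass
    _, _, _, _, rdlen = struct.unpack("!HHHIH", response[off:off + 12])
    return str(ipaddress.IPv4Address(response[off + 12:off + 12 + rdlen]))


if __name__ == "__main__":
    # Constructed quarantine table and addresses.
    table = {"10.0.0.7": "spam"}
    q = build_query("www.example.com")
    print(answered_address(walled_garden_answer(q, "10.0.0.7", table, "192.0.2.10")))
```

The CAPTCHA, the daily re-prompt and the hosted clean-up tools all live on the walled-garden web server; releasing a subscriber is just removing the entry from the table, after which queries fall through to normal resolution.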