Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
Mixed feelings (Score:2, Insightful)
It's good that Comcast is actually doing something, but I'm not really sure how effective it will be, and the precedent it sets makes me a little leery. Not sure how I feel about this.
Re:Mixed feelings (Score:4, Insightful)
Because people will ignore the email.
Just one more piece of spam.
Re: (Score:2)
Something like "HEY, YOU, Customer #4572953, have a virus and this is your ISP, Comcast, telling you so. Please call our tech support at 1-888-IPGOUGE for removal help, and you should probably verify that phone number against your own documents before calling it."
Re: (Score:2)
What if it had your home address, name, censored billing information (credit card xxxx....1234) etc?
Re: (Score:2)
Very creepy spam? I know I wouldn't even get far enough into reading it to realize.
Re: (Score:2)
And all the people who use ISP-independent email (which is good practice anyway as an ISP change will be easier) won't even receive it.
Having said that, the overlay is about the worst way they could have used the WWW.
What about a redirection of all www traffic to a warning page?
After you click a checkbox that says "OK, I got it, but I'm in a hurry, let me finish surfing", which sets a session cookie, or after n HTTP requests or n minutes since the first recent HTTP request, normal behavior would be restored.
This i
Re: (Score:2, Troll)
True, maybe an automated phone call with a, "Press 1 to speak with a Comcast representative"?
Re: (Score:2)
I don't know about you, but as soon as I realize it is a call from an autodialer, I hang up.
One trick if you don't recognize the caller ID is to pick up the phone and just listen. If it's complete silence on the other end, it's an autodialer and it will hang up after five seconds or so. Bonus points if you play the "number not in service" tone -- download that from here [voip-info.org] and play the "ss-noservice" file.
Re: (Score:2)
I just play a message telling the caller to press 1 to speak to me, wait 3 seconds, then send them to the fax if they don't press any key. Actually, pressing any key routes the call to me. I swear, it is pretty efficient.
Playing the SIT tone (Zapateller) as you suggest might cause you to miss legitimate calls. In my case, the worst that happens is that legitimate callers have to call twice if they were distracted and not quick enough to punch in a key the first time.
If you do not have a fax, you could always
Re: (Score:2)
Many of Comcast's cable customers are also phone service customers; they could just unobtrusively add a voicemail message to those accounts.
And I don't see why they shouldn't be able to send voicemails out-of-network, too. There's no reason the phone needs to actually ring for this, if it's in your voicemail you'll get the message eventually.
Re: (Score:3, Insightful)
How about a message that comes with the monthly bill in snailmail?
Re: (Score:2, Insightful)
An email to the address they have on file would be much less creepy and more effective, IMO
I agree but not everyone uses Comcast email.
Re: (Score:2, Insightful)
If the customer fails to address the issue promptly, then Comcast should disable their connection. When they call in, Comcast could easily ask them for an email address to forward such communications to.
I work for an ISP and this is how we handle it. (Of course, we're small, so we also call the customer on the phone number(s) on their account.)
Re: (Score:2)
Of course, we're small, so we also call the customer on the phone number(s) on their account.
You mean you're considerate and rational. Technically, there's nothing keeping the big players from doing the same thing. (besides being inconsiderate and irrational)
Re: (Score:3, Funny)
That, and they seem to have an increasingly small workforce which is able to communicate effectively in English over the phone. ...Oh yeah, like you said.
Re: (Score:2)
Comcast cannot be trusted to not "mistake" torrent traffic for virus traffic, especially if the MAFIAA tried to either bribe OR extort them to tell their techies to look the other way before being able to tell the difference.
They've already been caught red handed screwing with torrents once before. Giving them plausible deniability with an opportunity to cover it up as virus quarantine is not a good idea.
Re: (Score:3, Insightful)
Yes, but your business plan is probably just to profit from providing internet bandwidth to customers.
Comcast has a whole 'nother agenda.
Re: (Score:2)
The people most likely to get an infection are exactly the ones that need a blunt warning like this.
Re:Mixed feelings (Score:5, Informative)
That's a good point, but the screenshot [krebsonsecurity.com] does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.
That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.
Re: (Score:2)
"E.. mail? You mean that thing that our marketing dept uses to send out propaganda? Who reads that shit?" -- Comcast Exec
Re: (Score:2)
A thought that just struck me - if Comcast is using web overlays to pass on this info, it will, if anything, serve to legitimise the "Your computer is infected click here and give us your credit card details to fix it" pop-ups.
Any thoughts from people who know more than me as to whether comcast just didn't think of this, or did and just doesn't care? On the one hand, they are comcast and don't have a reputation for forward thinking. On the other hand, they are comcast and don't have a reputation for giving two shits about their customers.
Any chance this is just the path of least resistance to say "Hey, we tried to help, but you ignored our warnings, the malware took you over your quota and you owe us $400," not caring if the us
Re:Mixed feelings (Score:5, Interesting)
What about a phone call? My ISP does this. Granted, it only has about 1.5 million customers. The way it goes is first, a phone call, if they are unable to talk to the person, they disable the modem until they call back. They only do this for large botnets, unless they receive a complaint about an IP.
But it *IS* effective.
Overlays and emails will only teach people to click on fake antivirus warnings, like you said...
Re: (Score:2)
You're right, but it *also* legitimizes the act of an ISP editing your data stream.
Norton? Really? (Score:2)
we offer free Norton with internet service so there's no reason you can't protect yourself from some of the common threats.
You mean the common threats like Norton? The only people who should install Norton are computer experts, and the only reason they would want to is so they can figure out how to uninstall it.
Re: (Score:2)
Anyone who would install Norton is no "expert".
Re: (Score:2)
The only people who should install Norton are computer experts
Anyone who would install Norton is no "expert".
Noob. An expert would have read the second half of the sentence: "... and the only reason they would want to is so they can figure out how to uninstall it." Because, as you now know, uninstalling it makes this wonderful 'whoosh' sound.
Re: (Score:2)
Customer education is an issue with this one. I haven't talked to someone with that issue but we offer free Norton with internet service
What is wrong with you? No, really? Have you actually used the recent Norton versions? I reckon a fair share of those who actually have would agree that Norton's presence on one's PC is actually worse than most malware infections.
Re: (Score:2, Informative)
FTFA:
Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.
Re: (Score:2)
So as long as they're doing it to make you more secure, it's OK if they inspect your traffic? I know you're not saying that.
I'd bet that we could get a dozen better ways from readers here to isolate bot-infected computers and prevent their spread without having to resort to letting Comcast move into your house and make s
Re: (Score:3, Interesting)
Who wants to bet that torrent trackers and users of uTorrent will end up with these "overlays"?
Re: (Score:2)
You're right to feel leery. Comcast should not be altering the content of your web pages AT ALL. In addition, the effectiveness of this tactic over time is questionable: Malware and scam artists are already using popup-style alerts.
The canvas of a web page is simply the wrong context for security alerts. An email would be a bit better, and a US mail postcard or phone call would be better still.
Re: (Score:2)
Well, at least it seems to beat Comcast waiting on reports like this one before taking action with an infected customer. Maybe they realized that all that unwanted traffic cost them money after all.
From abuse-report@myhost Thu Sep 2 08:52:54 2010
Date: Thu, 2 Sep 2010 08:52:03 -0400
From: abuse-report@myhost
To: abuse@comcast.net
Subject: Report of abuse from one of your IPs: 75.149.85.71
Hello,
An IP from your network is scanning one of our machines
Culprit IP on YOUR network: 75.149.85.71
Victim IP on OUR network:
Bots are a terrible infection to have (Score:4, Funny)
I saw this one video where the bot was basically pulled right out of the infection with tweezers. In another, the bot broke off halfway out and the guy had to have the rest removed by a surgeon, but not without great pain.
Normal insecticide and pest repellent doesn't even work with these things. You really need to keep your netting clean and free of holes. One small hole and you'll wake up with bots dug into your skin and larvae chewing at your subcutaneous layer of fat.
Re: (Score:2)
I heard that if you hold a lit cigarette over the infection, the bot will back out on his own.
Excellent idea (Score:2)
I'm not a big fan of Comcast, but this is an excellent idea. If all broadband providers would do this, they could put a serious dent in botnets and reduce the amount of spam and phishing attacks.
Re: (Score:2)
In my opinion people should get a warning next time they pay their monthly fee and if they do nothing about it maybe a stupid-tax or something.
Re:Excellent idea (Score:4, Interesting)
What happened to the good old days of ISPs where if your computer was being a menace the ISP phoned you, and if you still didn't fix it they cut off your internet access until you did?
It worked. and it worked well.
Re: (Score:2)
Simple.
They got taken over by the days where we got fed up with chicken shit companies abusing their power and losing our trust to let them have internet police powers.
I think an ISP should be able to block downstreamers who are spewing spam.
Trusting them to do so and leave alone torrents and the like, however, is another story.
Re: (Score:2)
It will backfire, as people will be un-taught the "don't click on popups" lesson being taught now.
Begging for phishing (Score:2)
Comcast is creating a system where unrelated websites will notify you of problems in your computer. This is the "Virus detected click here to install antivirus 2011!", except being legitimate it tells people to trust what a random website tells them. Way to train users to trust any website popup, I expect this will result in new phishing scams.
The only upshot is that the people who are infected are often the ones who already install anything that a popup warning tells them to.
Wait, what? (Score:4, Interesting)
The method they chose for notification is to man-in-the-middle my connections? Are they injecting Javascript into sites I visit? Does this mess with protocols other than HTTP? Why can't they just send an email to the account holder, or call them with a recorded message? Why break your service in order to fix it?
Re:Wait, what? (Score:4, Insightful)
A risk - in theory - is that when people see this popup, they'll say "I'm supposed to not interact with these things" and just click "Close," rather than understanding what it says. On the other hand, if your computer is infected with some sort of 'bot, you probably click through things like this anyway.
Re: (Score:2)
No, doing this to people's connections is inexcusable. If they're being a problem on the network, then they should be cut off. But inserting yourself into their communications is simply wrong.
That would solve the "how to get in touch with them" problem... They'll come to you!
Re:Wait, what? (Score:4, Insightful)
Let's look at the following:
1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
2. Perhaps the ISP should just terminate the accounts of users of infected machines, since I am sure running an infected machine on the net is a violation of the TOS somewhere.
I WANT them to break the service and force people to upgrade, instead of continuing to spew their filthy zombie attacks all over the net. The more dramatic and attention getting, the better. Face it - your mission critical systems should not be on a residential account anyway, RIGHT? That's what the premium priced business packages are for... So what if grandpa has to click on some links to download some software and fix his machine before he can read his paper today. It's worth it to clean up the net.
You just don't get it (Score:3, Insightful)
Let's look at the following:
1. By definition, an internet service provider IS a man in the middle. To everyone whining about using this method - welcome to the real world. A man in the middle approach is the easiest one for the man in the middle to take.
No. By definition, an internet service provider is a bridge and router. It is not supposed to mess with your traffic. It is not supposed to be looking at these layers. Comcast has shown many times they don't care about that, though. They messed with all H
Re: (Score:3, Insightful)
I still think this is a gross and intrusive tactic, but so is how they hijack DNS redirects to show you a custom "search" page with ads on it. At least they give you an option [comcast.net] of turning that "service" off.
Re: (Score:2)
Thanks for the link. Will be updating our account today!
Re: (Score:2)
If your IP is not on the list of infected customers, they won't affect you. But, if it is, they redirect your port 80 traffic to their proxy server that injects the HTML. Specifics, like how it does the overlay, I don't know. Maybe it wraps a frame or div. You'll have to fake being infected to see. Use HTTPS, or an SSH tunnel to a proxy of your own, to avoid it while being infected. If you can't be infected, then your own risk is if your ordinary traffic trips their infection detector.
Re:Wait, what? (Score:5, Informative)
They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.
Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.
Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.
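The two comments above describe the mechanism: only port 80 is diverted through a proxy that adds the notice to the server's response, and HTTPS or a tunnel bypasses it. The block below is an added example written for this page, not Comcast's or any vendor's code, showing what such an inline editor has to do with a raw HTTP/1.x response and which responses it must leave alone. The overlay markup, the header checks and the sample responses are all constructed for the example; nothing about the real banner's markup is on the page.

```python
"""Add a notice to an HTTP response the way an inline port-80 proxy would.

Added example for this thread, not Comcast's or any vendor's code. The
overlay markup and the sample responses are constructed. The point it
makes: the proxy needs the cleartext status line, headers and body, has
to skip anything it cannot safely rewrite, and must fix Content-Length
so the browser still reads a valid message. Over HTTPS none of that is
visible to it, which is why the notice reaches plain HTTP only.
"""

# Constructed overlay; the real banner's markup is not on the page.
NOTICE_HTML = (
    b'<div id="isp-notice" style="position:fixed;top:0;left:0;width:100%;'
    b'opacity:.9;background:#ffc;z-index:2147483647">'
    b'Constructed notice: traffic from this address matched a botnet '
    b'controller.</div>'
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header terminator")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def get_header(headers, name):
    """Case-insensitive header lookup; None when absent."""
    for n, v in headers:
        if n.lower() == name.lower():
            return v
    return None


def inject_notice(raw, notice=NOTICE_HTML):
    """Return the response with the notice inserted right after <body ...>,
    or the response unchanged when an inline editor cannot safely touch it:
    non-200 status, non-HTML content, compressed or chunked bodies, or no
    <body> tag to anchor on."""
    status, headers, body = parse_response(raw)
    if status.split()[1:2] != [b"200"]:
        return raw
    ctype = get_header(headers, b"Content-Type") or b""
    if not ctype.lower().startswith(b"text/html"):
        return raw
    if get_header(headers, b"Content-Encoding") not in (None, b"identity"):
        return raw  # gzip/deflate body: would need decompression first
    if get_header(headers, b"Transfer-Encoding") is not None:
        return raw  # chunked framing is not handled here
    start = body.lower().find(b"<body")
    if start < 0:
        return raw
    end = body.find(b">", start)
    if end < 0:
        return raw
    new_body = body[: end + 1] + notice + body[end + 1 :]
    out_headers = []
    for n, v in headers:
        if n.lower() == b"content-length":
            v = str(len(new_body)).encode()  # keep the framing consistent
        out_headers.append(n + b": " + v)
    return status + b"\r\n" + b"\r\n".join(out_headers) + b"\r\n\r\n" + new_body


def make_response(ctype, body, extra=()):
    """Build a constructed 200 response with a correct Content-Length."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: " + ctype,
             b"Content-Length: " + str(len(body)).encode()]
    lines.extend(extra)
    return b"\r\n".join(lines) + b"\r\n\r\n" + body


# Constructed sample responses (not captured traffic).
HTML_PAGE = make_response(
    b"text/html; charset=utf-8",
    b"<html><head><title>t</title></head><body><p>hi</p></body></html>")
JSON_API = make_response(b"application/json", b'{"ok":true}')
GZIP_PAGE = make_response(b"text/html", b"\x1f\x8b\x08\x00stub",
                          extra=[b"Content-Encoding: gzip"])

if __name__ == "__main__":
    print(inject_notice(HTML_PAGE).decode())
```

Two things worth noticing. First, every check in `inject_notice` is a place where a careless inline editor would corrupt the page, which is part of why commenters object to an ISP doing this at all. Second, the function is exactly what a hostile on-path device would run to plant a fake "you are infected" banner; nothing in the output lets the browser tell the ISP's notice from an attacker's, and only TLS removes the cleartext the editor depends on.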
Re: (Score:3, Informative)
I didn't say they don't deserve service, I said they don't have a right to it. What people deserve is only rarely related to what they get. Moreover, their presence on the network is necessarily degrading the experience for everyone else who's being responsible with their activity. Do responsible users *deserve* to be inundated with attacks from the machines of people who, for whatever reason, aren't "advanced user interested in computers and all things technical?" What if we were discussing dogs instea
Re: (Score:2)
Saying that those who don't fall into that category and get infected don't deserve any service because they've fallen afoul of their TOS is pig ignorant.
Time for a car analogy... is that a bit like saying that those who don't know how to drive well and are a danger to others don't deserve a license is pig ignorant? The problem here is not what these computers are doing to themselves, it's what they are doing to innocent victims on the net who know how to run their computers. Besides, even if something i
Re: (Score:3, Insightful)
Anyone that throws out mail from comcast can just as easily ignore the overlay. Besides, it's not comcast's responsibility to tell you if you have a bot running on your machine. This would be a little like your car putting an overlay on your windshield if your windshield wipers are in need of replacing, it's just ridiculous.
Also,
Re: (Score:2)
There is a reason ISP TOSs are written in blood...
I have three comcast commercial accounts (Score:2)
none of them REQUIRED an email to sign up for.
I still have the paperwork scanned in to PDF- just opened the files.
strangely, if you go to the comcast site and create a comcast ID, they require a "non comcast email address" in case they need to get in touch with you...
says lots about their faith in themselves.
It's about damned time the ISPs get involved. (Score:2, Interesting)
If you're infested with a botnet you are doing harm. In short infested computers create attackers and ISPs need to take responsibility for the attackers on their networks. I was more concerned that ISPs have NOT done this until now.
Re: (Score:2)
They should get involved by turning off your service and having you call them to turn it back on, routing you only to an in-house site for cleaning the PC.
Re: (Score:2)
Exactly!
I'm not 100% on-board with the method used in this article, but anything is better than just leaving the crap infested and causing trouble.
Antivirus2010 (Score:5, Insightful)
ComcastAntiVirus have detected a infection or your computer. To run free virus removal click here!
www.c0mcast.net/antivirus.exe
Re: (Score:2)
maybe I should try .com instead of .net
"Might have a difficult time" - perhaps not (Score:5, Funny)
Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection
Not if you only have one Windows system.
Only about ten years late. (Score:2)
Ten years ago they said I was mad for proposing this.
Thanks, comcast, you arrogant incompetents, for taking a decade to listen to your customers.
But I already moved to FIOS, along with my ENTIRE NEIGHBORHOOD, so tough luck.
Well it's about friggin' time! (Score:3, Interesting)
Now if every other ISP would do something similar. Maybe block access until a user reads a notice or something.
That said, Comcast's way of doing this might look to me like the website I was looking at was trying to sell me malware... like one of those "YOU'RE INFECTED! SCAN NOW?" popups.
Re: (Score:2)
I say exponentially decay their bandwidth as if it was an RC circuit with a time constant of about three days. In about a week I'm sure they'll be calling to complain about the Internet speed...and then you'll have their undivided attention.
Re: (Score:2)
when people's connections are slow, they switch providers (because providers all advertise based on how fast their network is (of course without ever giving out numbers))
what makes people call and complain is if you cut off their service.
This is what ISPs used to do, it's too bad they don't anymore.
I use a router... (Score:2, Interesting)
But I didn't have a hard time determining which machine it was. My son was visiting and he was running Windows. Everything else is Linux and one Mac. Not hard to figure it out.
Re: (Score:2)
Change/add your wireless key.
Re: (Score:2)
Did you scan them with an AV scanner that was already on there? Most malware these days makes at least a cursory effort to avoid AV scanners, and if it didn't block it in the first place, what makes you think it'll detect malware that's already resident?
Comcast offers free bot infection for up to 7 PCs! (Score:2)
From Krebs' article:
Comcast also is offering free subscriptions to Norton Security Suite for up to 7 computers per customer — including Mac versions of the Symantec suite.
At least most bots have the decency to let you use your own computer. Norton (and in my experience, McAfee) security suites are much less inclined to leave enough free resources for that to be possible.
Re: (Score:2)
Well, websites are copyrighted documents, and websites with extra ISP-injected code are unauthorized derivative works of those documents. Aaaaaaaaaaaand GO.
I'd normally be against this... (Score:2)
I kid, I kid. Settle down.
That's great! But.. (Score:2)
Excellent move!
Unfortunately malware authors will be updating their Fake AV attacks to emulate that banner in a matter of weeks, so it's only a temporary improvement.
Good idea, but a bad implementation (Score:3, Insightful)
My own ISP does something similar, but a little better (again, IMHO). A few weeks ago I opened my wireless network because one of my devices was choking on WPA2. Sure enough, someone must have hopped on it and sent a fair bit of spam. So my ISP killed my connection and changed the DNS server so everything resolved to their "Call tech support now" page (although it took a while for me to figure that out since I wasn't using their DNS server, but I digress). A quick call had me talking with a representative with an explanation, and I was reconnected. (Obviously I re-enabled WPA2 and blocked/logged port 25 at the router in case I really did get rooted.)
Do we really want botnets to go away? (Score:4, Interesting)
When ACTA inevitably becomes the law of the land, DDoS will be one of the few weapons we plebes will have left against corporatism.
The Case For Internet Licenses (Score:3, Insightful)
"Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
If you call turning off your machines and running them one at a time to check each machine's response "difficult", then you can damn well pay the neighbor kid to come over and do it for you, just like you paid him to come over and get your Internet Explorer brand computers surfing on the infotube highway in the first place. While he's there, have him take out that "MOE - DEM" thingy. Those blinking lights are just slowing things down.
Re: (Score:3, Insightful)
IPv4 isn't a serious problem, and that part of
Re: (Score:3, Insightful)
I think that most of the people who are qualified to set up and maintain their own router are also qualified enough to determine exactly which of their machines are infected
1) You go to best buy and plug $59 for a 4 port router box.
2) You take it home and plug it into the wall.
3) You plug the WAN port on the router to the cable or dsl box. - this is the hardest part to get right
4) You plug your computers into the other ports and start accessing the internet
People qualified to do the above are not qualified t
Re: (Score:2)
No, but neither are those people qualified to disinfect a single computer connected directly to the Internet. In either case, the solution is the same: unplug the cable modem and call a nerd for help.
Re: (Score:2)
...at which point the nerd will tell you to fuck off [xkcd.com].
(I'm quite aware that said comic has nothing to do with virus removal, but the phone call would be so similar that the nerd won't listen...)
Re: (Score:2)
I don't want to firewall every damn device on my LAN when I can throw up a single firewall at the choke point.
No thanks.
Re: (Score:2)
With IPv6 (or with IPv4 for that matter) you can still throw up a single firewall. To duplicate the protection you get from using NAT, just make it reject all incoming connection requests.
Re: (Score:2)
the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.
It's akin to the ISPs being told that someone is pirating music/movies on p2p. They aren't detecting it themselves, good for privacy I guess, bad for reliability.
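The article excerpt quoted twice in this thread (in the "FTFA" comment and again just above) describes the detection step: a third party identifies botnet command-and-control endpoints, and a subscriber address seen phoning home to one of them is flagged for a notice. The block below is an added example written for this page, not Comcast's or Damballa's code, showing the shape of that logic run over constructed flow records. The flow-log format, the indicator list, the subscriber map and the "repeated beacons" threshold are all assumptions made for the example; it also records the NAT ambiguity the summary raises, since the public address alone cannot say which of several devices behind a home router is the infected one.

```python
"""Flag subscriber addresses that contact known botnet C2 endpoints.

Added example, not Comcast's or Damballa's code. The flow-log lines,
the C2 indicator list and the subscriber map below are constructed for
the example; the real feed format and indicators are not on the page.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed C2 indicators as (ip, port). A real feed would also carry
# domains and a family or campaign name; the tuple is all the match needs.
C2_INDICATORS = {
    ("203.0.113.10", 8080),
    ("198.51.100.77", 443),
}

# Constructed flow records: "ts src_ip src_port dst_ip dst_port proto bytes".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
FLOW_LOG = """\
2010-09-02T08:52:03Z 75.149.85.71 51432 203.0.113.10 8080 tcp 412
2010-09-02T08:52:09Z 75.149.85.71 51433 93.184.216.34 80 tcp 9120
2010-09-02T08:53:40Z 75.149.85.72 40011 198.51.100.77 443 tcp 388
2010-09-02T08:54:02Z 75.149.85.71 51440 203.0.113.10 8080 tcp 401
2010-09-02T08:55:15Z 75.149.85.90 50000 93.184.216.34 80 tcp 15200
"""


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed flow format; malformed addresses raise."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split()
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        flows.append(Flow(ts, src, int(sport), dst, int(dport), proto, int(nbytes)))
    return flows


def c2_contacts(flows, indicators=C2_INDICATORS):
    """Return {src_ip: [flows whose destination is a known C2 endpoint]}."""
    hits = defaultdict(list)
    for f in flows:
        if (f.dst, f.dport) in indicators:
            hits[f.src].append(f)
    return dict(hits)


# Constructed mapping from public address to account and to the number of
# devices the home router reports behind it (NAT). Assumed for the example;
# an ISP would take this from DHCP/CMTS state, not from a dict.
SUBSCRIBERS = {
    "75.149.85.71": {"account": "4572953", "devices_behind_nat": 3},
    "75.149.85.72": {"account": "4572954", "devices_behind_nat": 1},
}


def notices(flows, min_hits=2):
    """Build service notices for flagged accounts.

    Requires repeated beacons (min_hits) so that a single connection, such
    as a curious user or researcher touching a sinkholed address once, does
    not flag an account on its own. host_identifiable is False whenever
    several devices sit behind the public address: the flow says which
    household beaconed, not which machine.
    """
    out = []
    for src, hits in c2_contacts(flows).items():
        if len(hits) < min_hits:
            continue
        sub = SUBSCRIBERS.get(src)
        if sub is None:
            continue  # address not currently leased to a subscriber
        out.append({
            "account": sub["account"],
            "address": src,
            "beacons": len(hits),
            "c2": sorted({(h.dst, h.dport) for h in hits}),
            "host_identifiable": sub["devices_behind_nat"] == 1,
        })
    return out


if __name__ == "__main__":
    for n in notices(parse_flows(FLOW_LOG)):
        print(n)
```

With the constructed data only account 4572953 is flagged: it beaconed twice to 203.0.113.10:8080, while 75.149.85.72 touched a C2 address once and stays below the threshold. The `host_identifiable` flag is the summary's point in code form; when it is False, the notice can only tell the household to treat every device on the LAN as suspect, which is also what the "assume the entire network is compromised" comment earlier in the thread recommends.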