Dear ISP, it's time to quarantine your malware-infected customers

Summary: In a perfect world, you will not just get a notification from your ISP about your participation in a botnet, you may easily get "quarantined" until you meet certain "security awareness" requirements combined with proof that you're no longer infected.


Is your machine infected with malware that, without your knowledge, spends your bandwidth spreading more malware, spam and phishing attacks, and perhaps even hosts most of them?


What is the current international attitude towards this approach? What are the pros and cons to take into consideration? What do key security experts and cybercrime fighters think about it? Let's find out.

In a MAAWG survey released in 2010, 65% of the users blamed their ISPs and ESPs for the spread of computer viruses, fraudulent emails, spyware and spam in general, followed by antivirus vendors. Most recently Microsoft proposed a public health model for Internet-connected PCs:

“If a device is known to be a danger to the Internet, the user should be notified and the device should be cleaned before it is allowed unfettered access to the Internet, minimizing the risk of the infected device contaminating other devices or otherwise disrupting legitimate Internet activities,” Charney declared.

The proposal once again puts the spotlight on Internet Service Providers.

An Internet Service Provider is in a unique position to effect change. The thing with ISPs, from my perspective, is that even though they are in the best position, as a distribution channel, to monetize and offer (security) value to their customers as a service, the majority are not tailoring their propositions using the right technologies.

There's no shortage of solutions, and even though some ISPs claim they need a decent incentive to offer security services -- besides common sense, since it's their network's reputation at stake, and the potential revenue increase -- I think that offering their customers the wrong choice is even worse. In Australia, for instance, ISPs are offered a voluntary code of conduct aiming to limit Internet connectivity for malware-infected customers. Germany has been doing that for years using the "walled garden" concept, and through the German Anti-Bot Initiative.

If only an ISP's marketing folks would realize that the right security-as-a-service proposition can be their most valuable asset in the overall differentiation strategy, meaning happy customers and a socially-oriented ISP with industry credibility for truly caring about its network reputation and its customers.

Let's consider the competitive advantages and disadvantages, from a business perspective, of quarantining the customers of a particular ISP. If a random ISP decides to participate but the rest don't, that ISP becomes less competitive, as the only thing the end user cares about is his access to the net, which a non-participating competitor will not restrict. However, a clean backyard means better network performance and a socially-oriented attitude that every major ISP should have already established.

What ISPs should do is reposition themselves as socially-oriented companies, and migrate from being resellers of antivirus software to actually educating the end user before, and in between, offering him Internet access: from disconnecting and alerting malware-infected customers, to quarantining them and educating them efficiently through a standard security awareness course in the form of a game or a simple educational questionnaire.

It's time for a change, a radical one.

Of the three approaches, quarantining, disconnecting, or alerting, which one do you think is most feasible when dealing with botnets?

What do you think?

Talkback.

Topics: Browser, Malware, Security, Telcos

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

78 comments
  • RE: Dear ISP, it's time to quarantine your malware-infected customers

    That is not their job.
    james347
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      It might not be their JOB "although you might want to actually look at the law(s) before you say that" but it is their business. Failing to "manage" your "business" usually ends up in "regulation" and/or losing your job.

      Perhaps what would be best is for an ISP to initially offer a "Secure Domain" where traffic in and out, as well as the user's system, are statefully scanned. Users are warned not to open quarantined "Known-Infected" pages or e-mail. If they do, they use up credits toward a limit which gets them sent back to the "Unsecured Domain".

      Finally "People change their behavior because they want something". If they do not receive any personal value from the "Secure Domain" they will not use it!

      It's voluntary, proportional and already deployed as an effective technology by many corporate IT departments.
      panamman
      • Right and wrong.

        @panamman
        Here is where you were right:

        "Failing to "manage" your "business" usually ends up in "regulation" and/or losing your job."

        You were wrong on your other ideas. First off, the whole "secure domain" idea is screwball. What you are suggesting is not just a security measure to cut back on security problems, you're also inflicting a punishment. And when it comes to inflicting punishment you're obviously taking the same viewpoint the vast majority take... that is, right up to the point where the punishment is going to be inflicted on you or someone you care about. Trust me, I know of what I speak.

        Punishment always sounds great, the more the merrier, when it's not being inflicted on you. Keep in mind, while many of these infections do occur due to repeated poor or even reckless online behavior, there is also a great deal of it that comes about by accident or uninformed behavior. In many cases it will not really merit punishment of any sort; quite often the person is as much a victim as anyone. People who say "who cares" are just people who haven't had it happen to them yet.

        Secondly, what effectiveness is such a plan guaranteed to have? Count on not much of a guarantee at all. First off, count on the hackers working to find a way to circumvent the whole secure domain idea. I'm not going to make any claims about how likely they would be able to accomplish it, but if there is anything that they could do at all, they would eventually do it. And after, there isn't much that guarantees that once back into the unsecured domain they wouldn't fall back into the same problem in short order. In short, more than anything it might actually amount, for the most part, to a punishment against thousands and thousands of users without stopping a whole lot of security problems in the long run.

        Thirdly, if an ISP decides to pull this on someone then the first thing the majority of users would do is change ISPs. Now if you're going to have a built-in way to prevent this then you're going to have to involve a much more complex infrastructure of administration and maybe even hardware to make it work. In short, it sounds like a cool idea to those people who figure it will never fall on their head (or someone they care about) but it may turn out to be quite impractical to implement to the degree where it would have some effectiveness.

        While companies do have to manage their business, you always have to decide what exactly their business is before you start heaping particular tasks upon them that you feel they should be "managing".

        Always keep in mind that if you start passing laws telling ISPs they are now legally responsible for disciplining users who fall prey to hackers and spammers, the odds of crafting those laws so perfectly that the ISPs can rest assured they will know exactly, with precision, what they must do to keep from running afoul of this new law, and that at the same time will not unfairly punish users... well, never has any law been crafted so perfectly. Instead you're going to end up with clogged-up courtrooms with ISPs and users battling it out with the government on who did what, when, where, who is really responsible and why, and who did nothing wrong. In short it's simply an invitation to give lawyers a whole new bunch of clients, some with deep pockets, others not so deep.

        I don't think there is anything right now about the nature of the ISP business that puts the task of putting an end to internet abuse on the heads of ISPs. They should be doing what they can to take all reasonable care, perhaps in certain cases further than that, but we don't need the ISPs to start acting like the internet gestapo for the general public.

        Finally, there is the issue of abuse. And I mean by the ISPs. If you tell the ISPs they now not only have the power to do this kind of policing but that they must do it, you can count on them erring on the side of caution and putting all sorts of users in a needlessly difficult position as opposed to risking their own legal position. And that kind of action almost always seems to develop into abusive behavior, where a company finds out it's to their advantage to exercise their new-found power/responsibility in ways that are not always conducive to the general public's well-being.

        In short, your idea is not the way to go.
        Cayble
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      @james347 I'm with you on this one, man. Does anyone else feel like if you give the ISPs power here they might abuse it? I feel like they have no right to stop any bandwidth coming to or from my IP at any time because they think that its activities are "suspicious." This is right up the alley of Net Neutrality.
      jay.bruno
      • RE: Dear ISP, it's time to quarantine your malware-infected customers

        Jay,

        The "Net Neutrality" crowd are very consistent with their views on "Negligent and or Criminal Behavior" on the net. They are very cognizant of the fact that any critical infrastructure must be regulated to maintain its pervasive availability. They do not endorse firing all the traffic cops and taking down all the speed limit signs.

        They concentrate on preventing ISPs from using their monopolies to unfairly shift bandwidth and market share away from their competitors.

        Believe me, they know they have their hands full with that Noble task.
        panamman
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      @james347:
      I disagree. Whose job is it if not the ISP's? Is it my job to sort through the piles of useless crap that fill my inbox? Well, me and the millions of others that are in the same boat? If all the bot computers out there are quarantined, as they certainly should be, it stops a HUGE amount of spam from sucking up bandwidth.

      Only a few days ago, I finally had to get our IT guys to block all email from an acquaintance of mine. His computer has been sending out spam for months. He has been told clearly that this is happening, yet he does nothing about it. How much do you want to bet that he would clean up his act if his email service was shut down? Why should I and hundreds of others in his address book suffer because he is too lazy to care?

      "That is not their job."
      shawkins
    • Ditto that, @james347

      People are responsible to clean their own machines. I don't want a nanny state ISP dictating that. That's not their job just because some people are too lazy to do it themselves.
      LTV10
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      @james347 I couldn't agree more. The construction crews who build the roads shouldn't be responsible for policing them. They have every incentive to NOT start quarantining users. Can you imagine the lawsuits? They get sued if there's a false positive and someone is quarantined who shouldn't be. They get sued if an infected user gets through and infects somebody else. They get sued for violating freedom of speech, privacy, and the list goes on and on. It's a legal nightmare that will never end.

      On top of that, the cost is astronomical. Who helps the infected users clean their PCs? Does the ISP have the right to demand that the user do it, even when they can't afford it? If not, then the ISPs have to foot the bill for cleaning millions of PCs per year. Trying to pass those costs to their customers would require them to become uncompetitive unless they cut costs in other areas (probably by slowing down R&D and future expansion).

      And we haven't even touched the problem of the infrastructure required to effectively scan the entire Internet for malware. After all, inspecting the packets isn't enough, you have to check them against virus signatures too.

      No, the ISPs will never do this on their own. The mild potential incentives don't outweigh the legal risks and costs they will incur. The only way they would do it is if the government made them, and the government will never make them do it because A) the ISPs will spend millions lobbying against it, and B) the government doesn't want the whole freedom of speech issue on their hands.

      ISPs quarantining their users is a pipe dream. The ISPs should be part of the solution, but laying the whole malware mess at their feet will get us nowhere.
      rascellian
  • RE: Dear ISP, it's time to quarantine your malware-infected customers

    One way or another, Joe Users need to become more security conscious. Going online and clicking on everything, ignoring the UAC, and clicking on everything on Facebook isn't it.

    Yes, kick their sorry asses offline until they can learn to be responsible.
    The one and only, Cylon Centurion
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      @Cylon Centurion 0005

      Ah, you are forgetting that so many stupid people are still on Windows XP. I'll be blunt: even if I had to pirate Windows 7, it would be installed on all my machines.
      Lerianis10
      • RE: Dear ISP, it's time to quarantine your malware-infected customers

        @Lerianis10

        I guess that would work in Microsoft's favor then in getting people to ditch that insecure OS. I hate XP with a passion burning more than a thousand suns.
        The one and only, Cylon Centurion
      • RE: Dear ISP, it's time to quarantine your malware-infected customers

        Stupid people will be stupid regardless of the OS. You can't fix stupid. And it's not that they are "stupid" really, they just don't know any better and/or don't care to learn. You have to remember that your average mom/pop/grandparent/youngster just wants to get online and email and send pictures and videos of their family/friends/dog/cat/vacation to all their family and friends. They don't know what half the warning windows and programs do on their computer and don't care, they just want it to work and have a repeatable process on how to open their browser, go to a page, check their email, and upload said pictures or videos. Heck, most just want and even rely upon a few specific icons on their desktop. If the icon isn't there or changes, it's broken for them.

        I don't know that you can make an "idiot-proof" OS that connects to the internet. Exploits exist in every OS in existence, whether that is Linux, Apple, or Microsoft. Yes, it is the OS manufacturer's responsibility to provide updates and fixes for exploits as they are found, and to be transparent and non-intrusive when doing so. But they cannot be responsible for how their OSes get used.

        If a person either intentionally or unintentionally goes to a malicious website, you can popup all the warnings in the world and it will just confuse these types of people (most of which just click "OK" or "Yes" to any dialog window that pops up). I think it falls to having a web filter of some kind. As most people are clueless to implement one, I think it falls to the ISPs to provide that type of protection.

        Here's my thought. I think all ISPs need to offer their basic internet connections with web filtering of all malicious websites. If you want unfiltered access, you have to request it, and they provide it, but there should be some simple type of online web competency test before you can upgrade to the unfiltered service. That service should be offered with NAP, where you are blocked from accessing the internet if you do get infected. If you get infected, after you are cleaned, you are returned to the filtered internet for the time being (maybe three months) and must retake the web competency test to go back to the unfiltered service.

        I think most people would be just fine with the filtered service. If you don't like the filters, you can apply for the unfiltered, but at that time you must prove your competency and take responsibility for your own actions online, with repercussions if you get infected.

        Just my two cents...
        JPatrickF
      • RE: Dear ISP, it's time to quarantine your malware-infected customers

        Gee, CC... do you hate your old car too? Win95 users loved XP.
        RDrrr
      • RE: even if I had to pirate Windows 7, it would be installed on all my mach

        @Lerianis10

        NOT for me, I ditched all of that WindoZE nonsense, and switched to Linux.
        fatman65535
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      @Cylon Centurion 0005

      MS needs to sort its act out; even in guest mode on W7 you can download and run an exe!
      Alan Smithie
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      "I hate XP with a passion burning more than a thousand suns."

      I still have it on one of my machines and it will be on there until 2014. Get over it.
      LTV10
  • RE: Dear ISP, it's time to quarantine your malware-infected customers

    Time Warner is taking a step in the right direction with this. If it detects a user is infected, when that user brings up a web browser it redirects it to another web page (hopefully local on the router) saying they are infected with malware and will not allow them to go further until their system is cleaned up.
    Loverock Davidson
    • RE: Dear ISP, it's time to quarantine your malware-infected customers

      Time Warner/Road Runner does not scan for malware. Time Warner will disconnect a customer when they receive a complaint of bulk email spam. Part of the investigation is for the customer to run a scan of the computer and forward that log.

      Time Warner/Road Runner has CA Internet Security Suite available to their customers for download. Currently Time Warner is leaving it up to the users to police their own computers.
      daikon