iiNet trial clears way for 'zombie' code

Summary: The Internet Industry Association (IIA) will press ahead with its new internet service provider security code, with plans to launch a "quarantine" proposal for infected computers by around June this year.

The voluntary code for internet service providers (ISPs) will attempt to address the threat of computers that have been hijacked as part of a spam or phishing operation. That is, computers that have been lured into a botnet operation that has command and control functionality.

The decision on whether to proceed with the code had hinged on privacy questions.

One measure the IIA plans to introduce in its ISP code is that a customer's connection be "quarantined" if it becomes infected, otherwise known as a "walled garden" approach to security. The technique allows the infection to be remediated in isolation from a botnet's command centre.

But to introduce the measure, the IIA wanted clarity over whether permission to carry this out could be granted by a customer in writing, for example, in an ISP's customer relationship agreement. The agreement would allow the ISP to use information gleaned from specific accounts for the purpose of identifying whether connected computers were zombie machines, and then take actions to resolve the issue.

IIA chief Peter Coroneos said that the Federal Court ruling by Justice Cowdroy on the iiNet copyright case had settled the issue.

The Australian Federation Against Copyright Theft (AFACT) had wanted iiNet to leverage usage information that it held to corroborate AFACT's evidence that certain internet protocol addresses were being used to infringe copyright — an entirely different purpose to what the IIA has in mind.

Cowdroy had ruled that one of iiNet's defences — that privacy clauses in the Telecommunications Act would have prevented it from following AFACT's requests to match a customer's network activities to a specific account — was invalid.

"That was the sticking point. It was the lack of clarity around the ability to use customer information in the way that we had envisaged. But I think it can be covered by consent," Coroneos said. In effect, the customer would permit their information to be used for "network management" purposes.

"In this case it's for network management, so it's hardly controversial. We wanted to ensure that it was beyond any legal doubt, so that we can encourage members to adopt it when [the code] is complete," he said.

Coroneos said that the code would not propose that a computer be "cut off" if it had become part of a botnet, but rather that it be temporarily quarantined until the infection was remediated.

"There wasn't ever going to be disconnection. It will suggest a range of options — a possible escalation process — but as we see it, the highest measure that it would entail would be a temporary quarantining of a PC on the network," he said.

A draft is expected to be released for industry feedback by the end of March, with a view to publishing the actual code by June.

Topics: Security, Government AU, Privacy, Telcos, Tech Industry

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Can someone define a "botnet operation"?

    Is my computer suddenly going to be "quarantined" at 2am because instead of logging off and shutting down, it connects into the SETI cluster?

    If I'm bit-torrenting a file to which I have a legal right, and my download is now complete, am I going to be considered a "botnet operation" because my machine is still "seeding" that file?

    If I get one of those emails that uses my own address list to forward spam to my friends, is that a "botnet operation"?

    Please define what it is they want to stop.
  • Supposedly it should be

    computers compromised by trojans/similar that are being controlled remotely without the owner's knowledge. It makes sense to notify the owners of such systems and get the problem sorted out for many different reasons.

    The question is (as Mic is possibly hinting at), what will their detection methods be? Will there be false-positives, or will the criteria be unreasonably loose?
  • Should work well

    Keep in mind that it's in ISPs best interest not to pi$$ off their users and that this is a voluntary code. I suspect a lot of "common sense" practices will be adopted, such as working with customers with infected computers, not just kicking people off the Internet without warning with nothing more than a popup saying "you're infected!"
  • How compromises are detected.

    Detection is generally achieved when security experts take over Trojan C&C servers.
    Almost all BotNets connect back to a control system. These control systems can be either taken over completely/the domains redirected or the C&C server infiltrated without the bot master's knowledge. When this is done the list of connecting IP addresses is recorded and sorted and then given to the ISPs that own the particular blocks. From there the ISP converts the IP into the customer who was using it at the time. The chance of false positives is very low as the address was fully confirmed connecting to the C&C server so it MUST be infected.
    When it comes to virus/spam sending Trojans, well, all email headers contain the from IP where it originated, so it's just a matter of converting that back to a user.
  • Cost and Duration

    Has a question been raised on how the infected computer will be cleansed and who pays for the service? Given that standard virus protection on a PC is obviously not going to do the job.

    Will the ISP use this as an opportunity for generating revenue? Or will this gap be exploited by others keen to make a buck or two - will this new-found industry need to be monitored, as we certainly don't want increased attacks because a dollar can be made to clean the PCs?

    How long will an impacted computer be temporarily quarantined? Until the infection is remediated - really, so how long is that? What is the maximum time expected for a quarantined PC? I foresee many loopholes that can be exploited if the consumer isn't on top of their game.
  • spoof someones IP to have them blocked?

    So can a hacker spoof someone's IP with packets that look like a worm on a botnet & result in having that IP blocked? Sounds very plausible to me.
  • Re: How compromises are detected.

    "all email headers contain the from IP where it originated"

    The origin IP can easily be spoofed & in fact is generally done for the legitimate purpose when some ISP clients can only use port 25 through their own ISP's SMTP servers rather than other email servers that may be hosting their domains.
  • Standard/substandard

    Of course 'standard virus protection on a PC' will do the job.
    It's just that so many idiot users use substandard virus protection such as Norton and McAfee trials that come with their PCs and never renew the subscriptions after the 60 day trial period has expired because they believe that they are protected because they have the AV icon on their desktops.

    I don't know about others, but you can bet that Telstra will use it as a revenue generator to sell their own crappy and bloated AV product instead of just getting customers to use MS's own very good Security Essentials program.
  • YAY

    And about time. If a filthy, polluting, unmaintained car is on the road, it is temporarily removed or at least given 21 days to be fixed before it is removed. If it is dangerous, it is removed immediately.

    Computers should be no different. Give them 21 days to fix the problem, then require removal.

    Costs should be borne by the owner of the PC, and if that is a pensioner or low income person then so be it - they have to fix their car from their own pocket (or do it themselves), a computer should be the same! If their cordless phone dies they have to buy a new one. If their tv is broken they have to pay the repair man themselves.

    The quicker this comes in, the better!
  • The origin IP can easily be spoofed

    AFAIK, you can't spoof an originating IP for a TCP connection as there is no way for the ACK packet to get back to the client, thus no connection will be established.

    The only way I know to spoof the IP for a TCP connection (apart from when no connection is intended, i.e. SYN flooding) is to go through a proxy.
  • Of course 'standard virus protection on a PC' will do the job.

    Not true, not true at all. Many AVs miss trojans; the rate of production is far too high for them to keep up with signatures.

    Some never catch up, some take days, weeks or even months to catch up.

    How do I know?

    I write [free] software for removing many of the trojans that join botnets, I have seen what ALL AVs miss.
  • spoof someones IP to have them blocked?

    Not for a TCP connection, no.