Half a million Telstra customers zombified?

Tests on Telstra's network have indicated that potentially half a million Telstra customers could be infected by malware that is designed to enlist their computers into a global zombie army.
Written by Michael Lee, Contributor

At the Internet Industry Association's (IIA) iCode Review Forum this morning, Telstra's principal domain expert for broadband and internet, Barrie Hall, ran through the results of a trial that the telco has been running, using a network protection service from Nominum, a DNS software and analytics firm.

The trial looked at a million Telstra customer IP addresses, excluding mobiles, which are known to have a lower rate of botnet infection, and found that about 54,000 of those million were infected, an infection rate of about 5.4 per cent.

Extrapolating this to Telstra's applicable customer base, Hall said that "potentially, up to half a million customers are infected". Hall later clarified that further tests would be needed to confirm such a hypothesis.

Yet, even if the figures are correct, they are still well below the average infection rate for Australia.

Representatives from Nominum said that, from the company's previous experience, Australia's average rate of botnet infections was probably about 10 per cent for fixed-line connections and 5 per cent for wireless — far lower than the average of 40 per cent that the company said it had seen in places such as South America and Thailand.

Part of the reason for Australia's lower figures may be that most Australian customers are connected to the internet via home gateways and routers. These devices typically provide a level of built-in hardware protection, unlike older network bridges, which are still in relatively wide use in the US and connect computers directly to the internet. Users connected in this way are protected only by a software firewall, and Hall said that, in his experience, these software firewalls were regularly found to be turned off.

Stopping infections

Even a 5 per cent infection rate indicates that ISPs need to educate their users on the dangers of malware, how to tell if they are infected and what to do about it — all guidelines of the IIA's voluntary iCode, under which ISPs agree to notify their users if their computers are infected.

Internode security manager Derek Grocke, PPS Internet and Studentnet managing director Kevin Karp and Vividwireless CIO Claude Brown were unanimous in their support for how the iCode was progressing, highlighting that botnets were causing problems for their networks. But the three ISPs differed in how they educated their customers and alerted them to infections.

Internode's Grocke said that taking the demographics of its users into account was important; creating a broad message and hoping for the best wasn't good enough. Internode found that, because it had more "geeks" among its customer base than other ISPs, when it sent emails alerting users that their computer was infected, the savvy users tended to dismiss them as phishing attempts.

By sending different emails to different demographic groups, Internode has reduced the number of users reporting its notifications as spam.

Vividwireless' sister company Unwired took a more hardball approach, opting to place infected customers in a gradually escalating "walled garden", where they were forced to read and acknowledge a notice that they were infected before they could access the rest of the web.

Vividwireless itself uses only email notices, without any form of escalation, because the majority of its customers are behind home gateways and routers with some hardware protection, making it more difficult for malware to spread. Unwired, on the other hand, has more customers using unprotected network bridges, and, because of its network architecture, the small packets generated by malware consume more than 10 times the network resources that they would on the Vividwireless network.

Brown said that Unwired's walled-garden approach has caused some understandable backlash.

"If one customer gets it, they might be one helpdesk call that we have to deal with. But if they spread it to 50 customers, we want to prevent that before they call. We don't want to educate them, we want to stop it," Brown said.

This approach enabled the company to focus on ways to protect its network without having to educate users who may not even want to listen. These included measures such as making sure devices are shipped with passwords set and with file-sharing ports blocked by default.

PPS Internet and Studentnet's Karp faces a different predicament, in that his company's customers are mostly corporate and educational organisations. Because of how such customers tend to view vendor relationships, educating them can be extremely difficult.

"We're seen as being a vendor, and vendors are inherently untrustworthy. We've tried newsletters, we've tried webinars and we've tried brochures at conferences, and things like that. The single most successful means of educating our clientele is contacting them with a ... report saying that there's a problem on their network."

Karp said that it's only after a report is presented to them that customers ask what the iCode is; only then does the real education process begin.

Updated at 10.51am, Friday, 15 June 2012: added further comment from Brown.