AfterDawn: Tech news

Should infected PCs be 'quarantined' by ISPs?

Written by James Delahunty (Google+) @ 03 Jun 2014 23:41 User comments (16)

Should infected PCs be 'quarantined' by ISPs? If an Internet Service Provider detects that a customer is running a PC infected with Gameover Zeus, or any comparable threat, should the default action be to quarantine that account until it is cleaned?
According to one security researcher, that's exactly what has to happen. Writing on his blog in the wake of the US-led operation that significantly disrupted the GOZeuS botnet yesterday, Vice President of Security Researchat Trend Micro, Rik Ferguson, argued that we should learn from this and act accordingly.

Internet Service Providers in several countries will be contacting customers who appear to be running an infected PC in order to assist them in cleaning up. Should this be considered part of ISP's long-term strategy against malware, botnets and all kinds of cybergarbage?

Botnets can be used to wreak havoc online. They can be used as part of distributed denial of service attacks, and of course to steal sensitive information from victims and funnel it to the gangs behind the malicious networks. They wouldn't function as well however if ISPs restricted Internet access upon detecting the threat.

"Systems that are known to be compromised should be isolated until they can be cleaned-up," Ferguson argues.

Even with all the media attention the actions taken against GOZeuS and the headlines warning about a limited window of opportunity to clean up infections now, Ferguson argues that most Internet users will forget all about it quickly.

"For the majority of internet users the story will simply pass them by," he writes. "Educational initiatives are largely only successful at preaching to the choir, so to speak "

Ferguson also goes on to raise a valid concern that news of security breaches and data losses may lead to "notification fatique", meaning people may cease to care. The solution, according to Ferguson, is to make ISPs play a much larger role in disrupting malicious threats as they attempt to propagate and act in the wild.

Ferguson's proposal: "ISPs on an on-going basis should take advantage of the threat intelligence feeds of the security industry to identify compromised systems connected to their networks. Those systems should be moved to quarantine, the account owners should be contacted and directed to resources which will enable them to clean up and rectify the situation. Until such time as the infection is remediated the computer should be able to access only limited Internet resources. Don't care will be made to care."

There's no doubt this would be an effective policy to undertake and it would be a massive blow to cybercriminals. So is Ferguson's suggestion something that needs to be pursued?

What do you think?


Sources and Recommended Reading:
It's time to quarantine infected computers: countermeasures.trendmicro.eu (by Rik Ferguson)

Previous Next

Related news

 

16 user comments

14.6.2014 21:16

I'm a network engineer and I say YES!!!!!!!!!!!!!!!!!!!


No forgiveness for stupid computer users. Get a virus, then PAY someone to fix right away or remove on your own right away. Can't do either you say?????.......TIME FOR ISPs to START ENFORCING.

If you're too dumb and a goof to know when a site is hacking your computer or you open an attachment from someone you don't know then TOUGH SH*T!!!!

Serves you right!

This message has been edited since its posting. Latest edit was made on 04 Jun 2014 @ 21:16

24.6.2014 21:23

I think that all those grandmothers out there that just click every link in every email should either have to take a basic computer virus class or lose their computers. It's the naive and computer illiterate people out there that make the web dangerous and gives these douchebags a place to prey on people.

I'm sorry grandma..... No more Facebook, FarmVille, trading stupid jokes in email, smiling cat pictures .... Etc for you anymore until you learn some basic computer skills.... And no, turning on the monitor is not a skill!!!

This message has been edited since its posting. Latest edit was made on 04 Jun 2014 @ 21:24

35.6.2014 1:12

If its something as serious as Gameover Zeus then I say yes, not necessarily a "Requirement" but I believe they should have the right to quarantine the infected PC and give the customer a friendly call advising them of the situation. I have had very few issues with Malware in the past but I like the safety net of being notified if something as such were on my device.

45.6.2014 1:14

ill second that one.

55.6.2014 1:55

i think isp should either fix the pc (or tell the customer how to fix it)or leave it alone.
Its all good saying you have a problem but not telling someone how to fix it but disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?


custom built gaming pc from early 2010,ps2 with 15 games all original,ps3 500gbs with 5 games all original,yamaha amp and 5.1channel surround sound speakers,46inch sony lcd smart tv.

65.6.2014 6:12

Originally posted by xboxdvl2:

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
Reinstall.... Easiest way to do it

75.6.2014 8:35

Originally posted by xboxdvl2:
i think isp should either fix the pc (or tell the customer how to fix it)or leave it alone.
Its all good saying you have a problem but not telling someone how to fix it but disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

Are you having a specific problem? Maybe we can help!

85.6.2014 9:48

Originally posted by Dela:
Originally posted by xboxdvl2:
i think isp should either fix the pc (or tell the customer how to fix it)or leave it alone.
Its all good saying you have a problem but not telling someone how to fix it but disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

Are you having a specific problem? Maybe we can help!
i posted logs to the forum a few months ago as i had flashupdater virus on my pc and logs showed system was clean.about a week ago i couldnt access any websites and contacted my isp who had me delete and reconect to my wireless network using the wifi key and nets working now but blocking redirect attamepts on almost every website i access.Also have an ssid feed show up on my wifi daily and net goes down for a few minutes been told its a zombie machine probably ddosing me.

custom built gaming pc from early 2010,ps2 with 15 games all original,ps3 500gbs with 5 games all original,yamaha amp and 5.1channel surround sound speakers,46inch sony lcd smart tv.

95.6.2014 11:08

Originally posted by xboxdvl2:
Originally posted by Dela:
Originally posted by xboxdvl2:
i think isp should either fix the pc (or tell the customer how to fix it)or leave it alone.
Its all good saying you have a problem but not telling someone how to fix it but disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

Are you having a specific problem? Maybe we can help!
i posted logs to the forum a few months ago as i had flashupdater virus on my pc and logs showed system was clean.about a week ago i couldnt access any websites and contacted my isp who had me delete and reconect to my wireless network using the wifi key and nets working now but blocking redirect attamepts on almost every website i access.Also have an ssid feed show up on my wifi daily and net goes down for a few minutes been told its a zombie machine probably ddosing me.

And what security software do you use??? If you posted logs here you might not have gotten an adequate reply, the forums have been very quiet here for some time now. Bleepingcomputer.com might be a good place to stop by, plenty of really good help to be found there as well as the tools to weed out and kill that scumware.

Do one thing for me.. try to visit security-related websites like... avg.com, avast.com, symantec.com etc. what happens???

105.6.2014 14:50

rogers in canada emails you saying your computer is infected & you have 48-72 hours to fix it or they will cut off your internet. had that happen to 3 different customers, the most recent was last week.

115.6.2014 17:42

ISPs can't do anything about it, when infected computers use diff. Wi-Fi networks.

Just saying.

This message has been edited since its posting. Latest edit was made on 05 Jun 2014 @ 17:44

Live Free or Die.
The rule above all the rules is: Survive !
Capitalism: Funnel most of the $$$ to the already rich.

126.6.2014 2:59

@dela
avast.com works and opens with no redirect attempt.avg.com works fine and opens with no redirect attempts. google.com.au and facebook.com also open fine no redirect attemps.
im using avast 2014 free version as a scanner.


custom built gaming pc from early 2010,ps2 with 15 games all original,ps3 500gbs with 5 games all original,yamaha amp and 5.1channel surround sound speakers,46inch sony lcd smart tv.

136.6.2014 15:52

@ xboxdvl2

If I had your situation:
I just reformat the machine 3 to 4 times; one after another ("45mins. each").
Why re-reformat so many times over?
If the Malware is "very-bad", The first formatting hardly can do anything. The second format provably will fix the Machine a 50%. But in the 3rd. or 4th. it can bring your PC to a factory settings.
....when the Computer work like new and if you want some or all of your files back [important to you] Just use Test-Disk that bring back files by date and time by whole C:\, D:\, F:\ etc. drive or by partitions.

NOTE:
As Test-Disk bring back your files by 500 items each. It also will bring the malware with it (Nothing to be afraid about, since the "viruses" are bring it back fragmented and can easily be removed with AVG trial versions working in the background).

P.S.
If you running W-7, Linux or a New Computer, you have a second options:
Bring back files-formats specifically Only. Like: Videos, Pictures, Music, PDF's, etc. This way the whole process is more quicker.

http://www.cgsecurity.org/wiki/TestDisk_Download

Hope this help.

This message has been edited since its posting. Latest edit was made on 09 Jun 2014 @ 16:01

Live Free or Die.
The rule above all the rules is: Survive !
Capitalism: Funnel most of the $$$ to the already rich.

149.6.2014 10:42

Originally posted by mightyzog:
I think that all those grandmothers out there that just click every link in every email should either have to take a basic computer virus class or lose their computers. It's the naive and computer illiterate people out there that make the web dangerous and gives these douchebags a place to prey on people.

I'm sorry grandma..... No more Facebook, FarmVille, trading stupid jokes in email, smiling cat pictures .... Etc for you anymore until you learn some basic computer skills.... And no, turning on the monitor is not a skill!!!
You came down pretty hard on the 'ignorants'. Unless you use extreme measures (more than AV scanner and advanced fire wall) you are likely one of them. I employ several unusual 'traps' to catch intruders and even with massive security 'things' get in to my computer. They can't do much but I can tell that their was a break-in.

Almost 4 years ago you could buy kits to create 'military grade' malware. Currently the kit costs 7K UDS. 3 years ago 80 of these were 'captured in the wild' and tested against the leading 3-5 security packages. None were able to detect or stop even one attack. The security companies disputed these finding. Once you are infected with one of these Severe Side Polymorphic Malware the only cure is format your C: drive. If you don't believe me Google it.

A lead security analyst for McAfee stated since they see over 1 million new strains of viruses each week, they only take action on the destructive strains. If it is only a key logger they just ignore it.

It would be fair to give users up to a week notice before blocking them. I would inform them their computer needs to be restored to factory settings. That would be a massive blow to the bad guys. Your average computer is infected for 95% of its life time. Just being connected to the internet without browsing you are pinged every second or 2. Most of these are malware testing your defenses. So if you connect to the internet to buy your security package, you will be infected before you have finished down loading it.
This message has been edited since its posting. Latest edit was made on 09 Jun 2014 @ 10:44

159.6.2014 10:46

Originally posted by mightyzog:
Originally posted by xboxdvl2:

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
Reinstall.... Easiest way to do it
The Only way to do it effectively!

169.6.2014 11:12

Originally posted by Dela:
Originally posted by xboxdvl2:
Originally posted by Dela:
Originally posted by xboxdvl2:
i think isp should either fix the pc (or tell the customer how to fix it)or leave it alone.
Its all good saying you have a problem but not telling someone how to fix it but disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

@everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

Are you having a specific problem? Maybe we can help!
i posted logs to the forum a few months ago as i had flashupdater virus on my pc and logs showed system was clean.about a week ago i couldnt access any websites and contacted my isp who had me delete and reconect to my wireless network using the wifi key and nets working now but blocking redirect attamepts on almost every website i access.Also have an ssid feed show up on my wifi daily and net goes down for a few minutes been told its a zombie machine probably ddosing me.

And what security software do you use??? If you posted logs here you might not have gotten an adequate reply, the forums have been very quiet here for some time now. Bleepingcomputer.com might be a good place to stop by, plenty of really good help to be found there as well as the tools to weed out and kill that scumware.

Do one thing for me.. try to visit security-related websites like... avg.com, avast.com, symantec.com etc. what happens???
Dela, thinking you have a clue about this is dangerous!
A case in point...
My computer is infected right now. After finishing with my internet stuff I will format C: then restore a clean image. My son used my computer and by-passed some security because he is lazy. The malware is tied into MS remote services and the kernel. The malware was interfering with an application that uses most available memory and forced some errors. This computer is clean by all tests I can run. The cause of the reported problems in the details are not even real files. The real files are hidden by at least one level of redirection and probably several. My security software uses both 'black lists' and 'white lists' and 'nobody' saw anything. I spent 3 times longer looking at the problem than the time it will take me to fix the problem. I was curious to see how cleaver the malware is and I think it is REAL clever. If it was more clever I wouldn't have noticed it and would not have known my son had used my computer.

ISPs hold the only real chance to slow down the malware expansion. They will probably only be able to report primitives. Military grade malware usually uses VPN for communication.
This message has been edited since its posting. Latest edit was made on 09 Jun 2014 @ 11:16

Comments have been disabled for this article.

Latest news

Plex now available for PS3, PS4 with limitations Plex now available for PS3, PS4 with limitations (17 Dec 2014 22:56)
A little over a month after Plex released an app for the Xbox 360 and Xbox One, the personal media streaming company has released apps for the PS3 and PS4.
U.S. to blame North Korea for Sony Pictures hack U.S. to blame North Korea for Sony Pictures hack (17 Dec 2014 21:52)
According to numerous media outlets, U.S. government officials will announce tomorrow that North Korea was indeed behind the devastating hack on Sony Pictures.
1 user comment
Sony has no plans to ever release 'The Interview' - no DVD, Blu-ray, no VOD, no TV Sony has no plans to ever release 'The Interview' - no DVD, Blu-ray, no VOD, no TV (17 Dec 2014 20:30)
Sony Pictures has now decided against ever releasing 'The Interview' in any form, almost guaranteeing themselves a $100 million loss on the film.
8 user comments
Nearly everyone in Hollywood is outraged by Sony and the movie theater chain's 'act of cowardice' in canceling 'The Interview' Nearly everyone in Hollywood is outraged by Sony and the movie theater chain's 'act of cowardice' in canceling 'The Interview' (17 Dec 2014 20:00)
Following news that all the major U.S. movie theater chains would not be showing 'The Interview,' Sony Pictures announced it was canceling the release of the film, which was slated to open on Christmas in the U.S.
1 user comment
The hackers win: Sony cancels release of 'The Interview' as movie theaters bail The hackers win: Sony cancels release of 'The Interview' as movie theaters bail (17 Dec 2014 19:39)
Just hours after major U.S. theater chains said they would not screen the film following terrorists threats, Sony has canceled the release of 'The Interview,' a comedy in which Seth Rogen and James Franco are sent to North Korea to assassinate Kim Jo
3 user comments

News archive