Should infected PCs be 'quarantined' by ISPs?

If an Internet Service Provider detects that a customer is running a PC infected with Gameover Zeus, or any comparable threat, should the default action be to quarantine that account until it is cleaned?

According to one security researcher, that is exactly what should happen. Writing on his blog in the wake of the US-led operation that significantly disrupted the GOZeuS botnet yesterday, Rik Ferguson, Vice President of Security Research at Trend Micro, argued that ISPs should learn from this and act accordingly.



Internet Service Providers in several countries will be contacting customers who appear to be running an infected PC in order to help them clean up. Should this become part of ISPs' long-term strategy against malware, botnets and all kinds of cybergarbage?

Botnets can be used to wreak havoc online: they supply the firepower for distributed denial of service attacks, and of course they steal sensitive information from victims and funnel it to the gangs behind the malicious networks. They would be far less useful to their operators if ISPs restricted a customer's Internet access as soon as an infection was detected.

"Systems that are known to be compromised should be isolated until they can be cleaned-up," Ferguson argues.

Even with all the media attention on the action taken against GOZeuS, and the headlines warning of a limited window of opportunity to clean up infections, Ferguson argues that most Internet users will quickly forget all about it.

"For the majority of internet users the story will simply pass them by," he writes. "Educational initiatives are largely only successful at preaching to the choir, so to speak."

Ferguson also raises a valid concern that a steady stream of news about security breaches and data losses may lead to "notification fatigue", meaning people simply cease to care. The solution, according to Ferguson, is to have ISPs play a much larger role in disrupting malicious threats as they attempt to propagate and operate in the wild.

Ferguson's proposal: "ISPs on an on-going basis should take advantage of the threat intelligence feeds of the security industry to identify compromised systems connected to their networks. Those systems should be moved to quarantine, the account owners should be contacted and directed to resources which will enable them to clean up and rectify the situation. Until such time as the infection is remediated the computer should be able to access only limited Internet resources. Don't care will be made to care."
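Ferguson's proposal amounts to a pipeline: ingest threat-intelligence indicators, match them against the ISP's own telemetry, tie each hit to a subscriber account, move that account into a walled garden and notify the owner. What follows is an added example, not code from the article or from Trend Micro, that sketches that pipeline in Python over constructed data. The feed indicators (documentation address ranges), the lease table, the flow records, the walled-garden policy and the 24-hour re-notification interval are all assumptions. Two practical details are built in: a hit is attributed to the account that held the dynamic IP lease at the time of the flow, not to whoever has the address now, and hits that cannot be attributed are dropped rather than used to cut off a guessed customer.

```python
# Added example, not from the article or from Trend Micro: a toy ISP-side
# quarantine pipeline over constructed data. Feed, lease table, flows,
# walled-garden policy and the re-notification interval are all assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed threat-intelligence feed of known C2 / sinkhole destinations
# (documentation ranges, not real indicators).
THREAT_FEED_IPS = {"198.51.100.23", "203.0.113.77"}
THREAT_FEED_DOMAINS = {"update-check.example"}

# Assumed walled garden: what a quarantined account may still reach
# (ISP help portal, AV and OS update mirrors).
WALLED_GARDEN_NETS = [ip_network("192.0.2.0/24")]
WALLED_GARDEN_DOMAINS = {"help.isp.example", "av-updates.example"}
RENOTIFY_AFTER = timedelta(hours=24)  # throttle to limit notification fatigue


@dataclass
class Lease:
    account: str
    ip: str
    start: datetime
    end: datetime


@dataclass
class Flow:
    ts: datetime
    src_ip: str
    dst_ip: str
    dst_domain: Optional[str] = None  # from DNS telemetry, when available


@dataclass
class AccountState:
    quarantined: bool = False
    evidence: List[str] = field(default_factory=list)
    notifications: List[datetime] = field(default_factory=list)


def account_for(leases: List[Lease], ip: str, ts: datetime) -> Optional[str]:
    """Map a source IP to the account that held its lease at time ts.
    With dynamic addressing an IP on its own identifies nobody."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.account
    return None


def matches_feed(flow: Flow) -> bool:
    return flow.dst_ip in THREAT_FEED_IPS or flow.dst_domain in THREAT_FEED_DOMAINS


def evaluate(leases: List[Lease], flows: List[Flow]) -> Dict[str, AccountState]:
    """Quarantine every account whose lease produced a feed hit, notify at
    most once per RENOTIFY_AFTER, and skip hits that cannot be attributed."""
    state: Dict[str, AccountState] = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if not matches_feed(f):
            continue
        acct = account_for(leases, f.src_ip, f.ts)
        if acct is None:
            continue  # unattributable hit: never cut off a guessed customer
        s = state.setdefault(acct, AccountState())
        s.quarantined = True
        s.evidence.append(f"{f.ts:%H:%M} {f.src_ip} -> {f.dst_domain or f.dst_ip}")
        if not s.notifications or f.ts - s.notifications[-1] >= RENOTIFY_AFTER:
            s.notifications.append(f.ts)
    return state


def permitted(state: Dict[str, AccountState], account: str,
              dst_ip: str, dst_domain: Optional[str] = None) -> bool:
    """Walled-garden check: a quarantined account reaches only remediation resources."""
    s = state.get(account)
    if s is None or not s.quarantined:
        return True
    if dst_domain in WALLED_GARDEN_DOMAINS:
        return True
    return any(ip_address(dst_ip) in net for net in WALLED_GARDEN_NETS)


def run_demo() -> Dict[str, AccountState]:
    d = datetime(2014, 6, 3)
    leases = [  # constructed: the same dynamic IP changes hands at noon
        Lease("acct-A", "10.0.0.5", d.replace(hour=10), d.replace(hour=12)),
        Lease("acct-B", "10.0.0.5", d.replace(hour=12), d.replace(hour=14)),
        Lease("acct-C", "10.0.0.9", d.replace(hour=10), d.replace(hour=14)),
    ]
    flows = [  # constructed flow records
        Flow(d.replace(hour=9), "10.0.0.5", "198.51.100.23"),                    # no lease yet
        Flow(d.replace(hour=10, minute=30), "10.0.0.5", "198.51.100.23"),        # acct-A
        Flow(d.replace(hour=11, minute=15), "10.0.0.5", "203.0.113.77"),         # acct-A again
        Flow(d.replace(hour=13), "10.0.0.5", "203.0.113.5", "update-check.example"),  # acct-B
        Flow(d.replace(hour=13, minute=10), "10.0.0.9", "93.184.216.34", "example.com"),  # benign
    ]
    return evaluate(leases, flows)


if __name__ == "__main__":
    for acct, s in run_demo().items():
        print(acct, "quarantined:", s.quarantined, "notified:", len(s.notifications), s.evidence)
```

Run as is to print the decisions. In a real deployment the feed would be refreshed continuously, the lease table would come from the DHCP or RADIUS logs, and the walled garden would be enforced at the access gateway or DNS layer rather than in a Python predicate. Note that the quarantine is per account, not per machine: an infected laptop that moves to another Wi-Fi network leaves the quarantine behind.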



Applied consistently, this would be an effective policy and a serious blow to cybercriminals, provided the ISP can tie an infection to the right account before it cuts anyone off. So is Ferguson's suggestion something that needs to be pursued?

What do you think?


Sources and Recommended Reading:
It's time to quarantine infected computers: countermeasures.trendmicro.eu (by Rik Ferguson)



Written by: James Delahunty @ 3 Jun 2014 23:41
Tags: malware, Trend Micro, Zeus
  • 16 comments
  • hearme0

    I'm a network engineer and I say YES!!!!!!!!!!!!!!!!!!!


    No forgiveness for stupid computer users. Get a virus, then PAY someone to fix it right away or remove it on your own right away. Can't do either, you say?....... TIME FOR ISPs to START ENFORCING.

    If you're too dumb and a goof to know when a site is hacking your computer, or you open an attachment from someone you don't know, then TOUGH SH*T!!!!

    Serves you right!

    4.6.2014 21:16 #1

  • mightyzog

    I think that all those grandmothers out there that just click every link in every email should either have to take a basic computer virus class or lose their computers. It's the naive and computer-illiterate people out there that make the web dangerous and give these douchebags a place to prey on people.

    I'm sorry grandma..... No more Facebook, FarmVille, trading stupid jokes in email, smiling cat pictures .... etc. for you anymore until you learn some basic computer skills.... And no, turning on the monitor is not a skill!!!

    4.6.2014 21:23 #2

  • Menion

    If it's something as serious as Gameover Zeus then I say yes; not necessarily a "requirement", but I believe they should have the right to quarantine the infected PC and give the customer a friendly call advising them of the situation. I have had very few issues with malware in the past, but I like the safety net of being notified if something like that were on my device.

    5.6.2014 01:12 #3

  • aldan

    I'll second that one.

    5.6.2014 01:14 #4

  • xboxdvl2

    I think ISPs should either fix the PC (or tell the customer how to fix it) or leave it alone.
    It's all good saying you have a problem, but not telling someone how to fix it and disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

    @everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?

    custom built gaming pc from early 2010,ps2 with 15 games all original,ps3 500gbs with 5 games all original,yamaha amp and 5.1channel surround sound speakers,46inch sony lcd smart tv.

    5.6.2014 01:55 #5

  • mightyzog

    Originally posted by xboxdvl2:
    @everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
    Reinstall.... Easiest way to do it

    5.6.2014 06:12 #6

  • Dela

    Originally posted by xboxdvl2: I think ISPs should either fix the PC (or tell the customer how to fix it) or leave it alone.
    It's all good saying you have a problem, but not telling someone how to fix it and disconnecting them from the net so they can't research it is not fixing it & doesn't solve the issue.

    @everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
    I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

    Are you having a specific problem? Maybe we can help!

    5.6.2014 08:35 #7

  • xboxdvl2

    Originally posted by Dela: I would say you'd have to change what you're using to try to find the source of the problem. Some rootkits for example can be used to make malicious files effectively invisible, but there are plenty of tools that can help to unmask even those.

    Are you having a specific problem? Maybe we can help!
    I posted logs to the forum a few months ago as I had the flashupdater virus on my PC, and the logs showed the system was clean. About a week ago I couldn't access any websites and contacted my ISP, who had me delete and reconnect to my wireless network using the Wi-Fi key. The net's working now but it's blocking redirect attempts on almost every website I access. I also have an SSID feed show up on my Wi-Fi daily and the net goes down for a few minutes; I've been told it's a zombie machine probably DDoSing me.


    5.6.2014 09:48 #8

  • Dela

    Originally posted by xboxdvl2: I posted logs to the forum a few months ago as I had the flashupdater virus on my PC, and the logs showed the system was clean. About a week ago I couldn't access any websites and contacted my ISP, who had me delete and reconnect to my wireless network using the Wi-Fi key. The net's working now but it's blocking redirect attempts on almost every website I access. I also have an SSID feed show up on my Wi-Fi daily and the net goes down for a few minutes; I've been told it's a zombie machine probably DDoSing me.

    And what security software do you use??? If you posted logs here you might not have gotten an adequate reply, the forums have been very quiet here for some time now. Bleepingcomputer.com might be a good place to stop by, plenty of really good help to be found there as well as the tools to weed out and kill that scumware.

    Do one thing for me.. try to visit security-related websites like... avg.com, avast.com, symantec.com etc. what happens???

    5.6.2014 11:08 #9
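Dela's suggestion to try the vendor sites is a quick test for a hosts-file hijack: malware pins security-vendor and update hostnames to 127.0.0.1 (or to an attacker's address) so the victim cannot reach removal tools or updates, and often hides the entries below a long run of blank lines so they are not visible when the file is opened. The Python script below is an added example, not part of the thread; the sample hosts content, the vendor watch list and the 50-line padding threshold are constructed assumptions.

```python
# Added example, not from the thread: a check for the hosts-file hijack that
# the "visit avast.com, avg.com, symantec.com" test would surface. The hosts
# content and the vendor watch list below are constructed assumptions.
import sys
from ipaddress import ip_address
from typing import Dict, List

# Assumed watch list: security vendors and update services malware likes to block.
WATCHED_DOMAINS = ("avast.com", "avg.com", "symantec.com", "trendmicro.com",
                   "bleepingcomputer.com", "windowsupdate.com", "microsoft.com")
PADDING_THRESHOLD = 50  # blank lines used to push entries below the visible part


def is_watched(name: str) -> bool:
    """Exact or subdomain match only: 'notavast.com' must not match 'avast.com'."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def parse_hosts(text: str) -> List[Dict]:
    """One record per hostname mapping, noting how many blank lines preceded it."""
    records, blank_run = [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            blank_run += 1
            continue
        parts = line.split()
        try:
            ip = ip_address(parts[0])
        except ValueError:
            blank_run = 0
            continue  # not a hosts entry
        for name in parts[1:]:
            records.append({"line": lineno, "ip": ip, "host": name.lower(),
                            "hidden": blank_run >= PADDING_THRESHOLD})
        blank_run = 0
    return records


def suspicious_entries(text: str) -> List[Dict]:
    """Flag any mapping for a watched domain; legitimate hosts files have none."""
    findings = []
    for r in parse_hosts(text):
        if not is_watched(r["host"]):
            continue
        if r["ip"].is_loopback or r["ip"].is_unspecified:
            reason = "vendor host pinned to loopback/null address (blocks updates and downloads)"
        else:
            reason = f"vendor host redirected to {r['ip']}"
        if r["hidden"]:
            reason += "; entry hidden below blank-line padding"
        findings.append({**r, "reason": reason})
    return findings


# Constructed sample: a normal top, 60 blank lines, then the hijack entries.
SAMPLE_HOSTS = ("127.0.0.1 localhost\n::1 localhost\n"
                "192.0.2.10 intranet.example  # legitimate local entry\n"
                + "\n" * 60 +
                "127.0.0.1 www.avast.com avast.com\n"
                "203.0.113.5 update.symantec.com\n"
                "0.0.0.0 www.bleepingcomputer.com\n")


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for f in suspicious_entries(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}: {f['reason']}")
```

Point it at C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere by passing the path as the first argument; with no argument it runs over the constructed sample. A clean result does not rule out a DNS-level hijack or a malicious proxy setting, which are the other common reasons the same vendor-site test fails.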

  • ddp

    Rogers in Canada emails you saying your computer is infected & you have 48-72 hours to fix it or they will cut off your internet. Had that happen to 3 different customers; the most recent was last week.

    5.6.2014 14:50 #10

  • Mrguss

    ISPs can't do anything about it, when infected computers use diff. Wi-Fi networks.

    Just saying.

    Live Free or Die.
    The rule above all the rules is: Survive !
    Capitalism: Funnel most of the $$$ to the already rich.

    5.6.2014 17:42 #11

  • xboxdvl2

    @dela
    avast.com works and opens with no redirect attempt. avg.com works fine and opens with no redirect attempts. google.com.au and facebook.com also open fine, no redirect attempts.
    I'm using Avast 2014 free version as a scanner.


    6.6.2014 02:59 #12

  • Mrguss

    @ xboxdvl2

    If I had your situation:
    I'd just reformat the machine 3 to 4 times, one after another ("45 mins. each").
    Why reformat so many times over?
    If the malware is "very bad", the first formatting can hardly do anything. The second format will probably fix the machine 50%. But the 3rd or 4th can bring your PC back to factory settings.
    ....when the computer works like new, and if you want some or all of your files back [important to you], just use TestDisk, which brings back files by date and time for the whole C:\, D:\, F:\ etc. drive or by partition.

    NOTE:
    As TestDisk brings back your files 500 items at a time, it will also bring the malware back with it (nothing to be afraid of, since the "viruses" are brought back fragmented and can easily be removed with AVG trial versions working in the background).

    P.S.
    If you're running W-7, Linux or a new computer, you have a second option:
    Bring back specific file formats only, like videos, pictures, music, PDFs, etc. This way the whole process is quicker.

    http://www.cgsecurity.org/wiki/TestDisk_Download

    Hope this help.


    6.6.2014 15:52 #13

  • Mez

    Originally posted by mightyzog: I think that all those grandmothers out there that just click every link in every email should either have to take a basic computer virus class or lose their computers. It's the naive and computer-illiterate people out there that make the web dangerous and give these douchebags a place to prey on people.

    I'm sorry grandma..... No more Facebook, FarmVille, trading stupid jokes in email, smiling cat pictures .... etc. for you anymore until you learn some basic computer skills.... And no, turning on the monitor is not a skill!!!
    You came down pretty hard on the 'ignorants'. Unless you use extreme measures (more than an AV scanner and an advanced firewall) you are likely one of them. I employ several unusual 'traps' to catch intruders, and even with massive security 'things' get into my computer. They can't do much, but I can tell that there was a break-in.

    Almost 4 years ago you could buy kits to create 'military grade' malware. Currently the kit costs 7K USD. 3 years ago 80 of these were 'captured in the wild' and tested against the leading 3-5 security packages. None were able to detect or stop even one attack. The security companies disputed these findings. Once you are infected with one of these server-side polymorphic malware strains the only cure is to format your C: drive. If you don't believe me, Google it.

    A lead security analyst for McAfee stated since they see over 1 million new strains of viruses each week, they only take action on the destructive strains. If it is only a key logger they just ignore it.

    It would be fair to give users up to a week's notice before blocking them. I would inform them their computer needs to be restored to factory settings. That would be a massive blow to the bad guys. Your average computer is infected for 95% of its lifetime. Just being connected to the internet without browsing, you are pinged every second or 2. Most of these are malware testing your defenses. So if you connect to the internet to buy your security package, you will be infected before you have finished downloading it.

    9.6.2014 10:42 #14

  • Mez

    Originally posted by mightyzog: Originally posted by xboxdvl2:
    @everyone what do you do when you have a malware problem and scans can't find it and logs show nothing?
    Reinstall.... Easiest way to do it
    The Only way to do it effectively!

    9.6.2014 10:46 #15

  • Mez

    Originally posted by Dela: And what security software do you use??? If you posted logs here you might not have gotten an adequate reply, the forums have been very quiet here for some time now. Bleepingcomputer.com might be a good place to stop by, plenty of really good help to be found there as well as the tools to weed out and kill that scumware.

    Do one thing for me.. try to visit security-related websites like... avg.com, avast.com, symantec.com etc. what happens???
    Dela, thinking you have a clue about this is dangerous!
    A case in point...
    My computer is infected right now. After finishing with my internet stuff I will format C: then restore a clean image. My son used my computer and bypassed some security because he is lazy. The malware is tied into MS remote services and the kernel. The malware was interfering with an application that uses most available memory and forced some errors. This computer is clean by all tests I can run. The causes of the reported problems in the details are not even real files. The real files are hidden by at least one level of redirection and probably several. My security software uses both 'black lists' and 'white lists' and 'nobody' saw anything. I spent 3 times longer looking at the problem than the time it will take me to fix it. I was curious to see how clever the malware is and I think it is REAL clever. If it was more clever I wouldn't have noticed it and would not have known my son had used my computer.

    ISPs hold the only real chance to slow down the malware expansion. They will probably only be able to report primitives. Military grade malware usually uses VPN for communication.

    9.6.2014 11:12 #16

© 2024 AfterDawn Oy
