ZDNet | July 18, 2005
Internet service providers face mounting pressure to keep their networks free of pests--not only for the benefit of their customers, but also for the good of the Internet in general.
By Joris Evers
In the next few months, ISPs in the United States will begin receiving reports on the zombies, or PCs open to control by hackers, that lurk on their networks. The data will be sent out by the Federal Trade Commission, which said in May that zombies have become such a serious problem that more industry action is required.
Analysts said that if service providers resist the call and take a hands-off approach, people could lose their trust in online activity--and the consequences of that could be severe.
"The Internet would eventually grind to a halt," said Paul Stamp, an analyst with Forrester Research.
Given the growth of zombie-fed threats such as phishing, ISPs can no longer afford to leave the task of securing users' PCs to the consumers themselves, critics say. But taking more responsibility to protect Internet traffic would mean monitoring activity on their networks more closely--a move that has implications for customer privacy and for their bottom line.
The FTC has called on ISPs to identify zombies on their networks, quarantine those hijacked PCs and help customers clean them. Consumers and Microsoft are also urging service providers to act.
Zombies are put to work relaying marketing spam and sending the messages used in phishing scams, which attempt to steal sensitive personal data. They have also been used to host the faked Web sites in phishing scams and to mount denial-of-service attacks against online businesses targeted by extortion schemes. In addition, they're used to compromise more PCs, which are then added to networks of zombies called "botnets."
Incidents involving the malicious code that turns PCs into zombies, also known as "bot" code, reached 13,000 from April through June, according to a recent report from McAfee. That's quadruple the number tracked by the antivirus software maker in the previous three months.
But ISPs have not been sitting idle. At a minimum, they provide online security guidance for customers and apply virus and spam filters to incoming e-mail. Bot code often hides in Trojan horses sent in spam, or is spread via e-mail or instant-message worms.
Some, including America Online, EarthLink and Cox, offer free desktop security software suites that include antivirus, firewall and sometimes anti-spyware software. These additional shields offer protection against infection through channels other than e-mail.
Several ISPs have also taken measures to prevent zombie PCs connected to their network from sending out junk mail. A technique called "port 25 blocking" lets a provider make sure that members' computers only send out e-mail through the ISP's own mail server and not through a spammer's server. In addition, most service providers use techniques such as rate limiting, which controls the number of e-mail messages a member can send.
But those measures are not enough, some experts say. To take down zombies, ISPs should monitor their networks more closely for traffic generated by the compromised PCs, said Dmitri Alperovitch, research engineer at CipherTrust, a security vendor in Alpharetta, Ga.
Additionally, service providers should improve customer education and could also force people to scan their PC for known vulnerabilities before going online, Alperovitch said. This could help prevent so-called drive-by installs, which deposit bot code on a PC when the owner uses an unpatched browser to visit a malicious Web site.
Others have suggested that companies cut off Internet connections for customers who don't carry out preventive measures.
"ISPs allow these machines to communicate with the rest of the world. They have the power to do a lot about the zombie threat, and they should be doing a lot about it," Alperovitch said.
A start for Internet companies would be for them to participate more actively in security groups and to use data on zombies collected by third-party security companies such as CipherTrust, he said.
A few ISPs are open about their efforts--Cox and EarthLink, for example. Others hold their security cards close to their chest, so as not to tip off the bad guys. Comcast, one of the largest broadband providers in the United States, is an example of that.
Cox, which has 2.7 million broadband customers, said it received about 30,000 complaints about its users in May. About one-third of those were directly linked to zombies, said Matt Tarothers, who manages the abuse department at the Atlanta-based cable company.
While some customers can just be handed a cable modem and will take off on their own, other less tech-savvy people need guidance from their provider, he noted. "There are more and more people getting online that don't have a technical background. If you are going to be a successful ISP, you have to hold the customer's hand a bit," Tarothers said.
Cutting off channels
Cox actively monitors its network for potentially malicious activity. It also defuses known zombies by cutting off remote control channels, Tarothers said. Zombies listen for instructions from their masters on Internet Relay Chat channels. Cox blocks traffic to the IRC servers used by zombies, which are rarely major IRC networks and are often run on another compromised machine, Tarothers said.
When a zombie is detected, Cox takes the affected PC offline. Instead of being allowed on the Web, the customer is directed to a special Web page with information on security, he said.
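The article describes three ISP-side controls without showing how they fit together: port 25 blocking and rate limiting (earlier in the piece), and Cox's cutoff of IRC control channels followed by redirecting the customer to a cleanup page. The following is an added example, not Cox's or any ISP's code, that applies those three policies to a handful of constructed flow records; the relay address, the allowlisted IRC server, the rate limit and the quarantine URL are all hypothetical values chosen for illustration.

```python
from collections import Counter, defaultdict

# Hypothetical policy values for this example (not taken from the article).
ISP_MAIL_RELAY = "10.0.0.25"            # the ISP's own outbound SMTP server
KNOWN_IRC_SERVERS = {"198.51.100.7"}    # allowlisted major IRC network
SMTP_RATE_LIMIT = 5                     # max SMTP connections per host per window
QUARANTINE_PAGE = "http://security.isp.example/cleanup"  # walled-garden page

# Constructed flow records: (customer_src_ip, dst_ip, dst_port).
FLOWS = [
    ("192.0.2.10", "10.0.0.25", 25),        # normal mail through the ISP relay
    ("192.0.2.10", "198.51.100.7", 6667),   # chat on a major IRC network
    ("192.0.2.11", "203.0.113.5", 25),      # direct SMTP, bypassing the relay
    ("192.0.2.11", "203.0.113.6", 25),
    ("192.0.2.11", "203.0.113.7", 25),
    ("192.0.2.11", "203.0.113.8", 25),
    ("192.0.2.11", "203.0.113.9", 25),
    ("192.0.2.11", "203.0.113.10", 25),     # sixth SMTP connection: over the limit
    ("192.0.2.12", "203.0.113.44", 6667),   # IRC to an unknown server: likely C&C
    ("192.0.2.12", "10.0.0.25", 25),
]

def find_zombies(flows):
    """Return {src_ip: sorted list of policy hits} for hosts that trip a check."""
    reasons = defaultdict(set)
    smtp_counts = Counter()
    for src, dst, dport in flows:
        if dport == 25:
            smtp_counts[src] += 1
            if dst != ISP_MAIL_RELAY:
                reasons[src].add("port25_direct")       # port 25 blocking policy
        elif dport in (6667, 6697):
            if dst not in KNOWN_IRC_SERVERS:
                reasons[src].add("irc_unknown_server")  # control-channel cutoff
    for src, count in smtp_counts.items():
        if count > SMTP_RATE_LIMIT:
            reasons[src].add("smtp_rate_limit")         # rate limiting policy
    return {src: sorted(r) for src, r in reasons.items()}

def decide_action(src, reasons):
    """Map policy hits to the abuse-desk response the article describes."""
    if not reasons:
        return ("allow", None)
    # An IRC control channel or an SMTP burst: take the PC off the open Web
    # and send the customer to the security page instead.
    if "irc_unknown_server" in reasons or "smtp_rate_limit" in reasons:
        return ("quarantine", QUARANTINE_PAGE)
    # A stray direct port-25 connection on its own: drop it and notify the customer.
    return ("block_port25_and_notify", None)

if __name__ == "__main__":
    for src, why in find_zombies(FLOWS).items():
        print(src, why, decide_action(src, why))
```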
The attacks will get more sophisticated, Tarothers said. "It is an arms race. We come up with new proactive measures, and the Trojan makers come up with something new," he said. Tarothers said he expects more zombies will start listening for commands from their masters on peer-to-peer networks, which will preempt Cox's current defense.
Tarothers said he is not worried about privacy concerns that closer monitoring of traffic might bring. "Far more of our customers are happy to see us take an active role than are paranoid about us looking at their traffic," he said.
EarthLink also monitors for potentially abusive patterns of traffic coming in and going out of its network, said Tripp Cox, the Atlanta-based ISP's chief technology officer. Suspected activity is investigated, and customers are contacted if EarthLink believes their PC has been turned into a zombie. "We routinely investigate, disable and shut down accounts. It is a daily activity," he said.
In the future, consumers will demand a safe Internet service, and if an ISP doesn't measure up on security, members will flee to a rival provider, Forrester analyst Stamp said. "Customers will absolutely demand a clean pipe," he said.
The technology is out there for Internet companies to be able to identify zombies and botnets, Stamp added. The will of the market just has to catch up to the technology that is available.
Ultimately, if an ISP's network becomes infested with zombies, other providers will block traffic from that network, Stamp predicted. "If you don't secure your own network, then others won't connect to you," he said. In one recent case, British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.
Service providers could even make a business out of helping consumers, said Russ Cooper, a senior scientist at security company Cybertrust. "Consumers that have bots and are sending out spam should be isolated and should be charged by their ISP for being saved," Cooper said.
The detection of zombies is the easiest remedy open to ISPs, and it could be touted as a competitive feature by providers, Gartner analyst John Pescatore said. "They can do more of detecting when a PC is infected and then notify the customer," he said.
Pescatore sounded a note of caution about just how much Internet companies could be expected to do, given the sophistication and seriousness of the problem. "To say that ISPs could prevent botnets from being installed would be a stretch," he said.
Even so, preventative measures such as customer education could help service providers mitigate the problem. Many of their helpdesk calls today already deal with zombie code and other malicious software that land on PCs while customers traverse the Web. In fact, ISPs should be to home users what IT departments are to office workers, said Dave Rand, chief technologist for Internet content security at Trend Micro.
While customers can be urged and even compelled under threat of disconnection to keep their computers clean, the pressure is really on the ISPs themselves to act. The call for service providers to take more responsibility for tackling the threat is coming through loud and clear--from the government and the Internet community alike. Trend Micro's Rand, for example, said that with the number of zombies continuing to increase, ISPs have to take a more active role. "A hands-off approach has proven not to work," he said.