ISPs should quarantine infected computers, researchers say

Forcing users to clean their infected computers on an ongoing basis would be more disruptive to cybercriminals than botnet takedowns

The recent effort to disrupt the Gameover Zeus botnet includes plans for Internet service providers to notify victims, but some security researchers think ISPs should play an even bigger role in the future by actively quarantining infected computers identified on their networks.

Law enforcement agencies from several countries including the FBI and Europol announced Monday that they worked with security vendors to disrupt the Gameover Zeus botnet, which is estimated to have affected between 500,000 and 1 million computers.

"Individuals in the U.K. may receive notifications from their Internet Service Providers that they are a victim of this malware and are advised to back up all important information -- such as files, photography and videos," the U.K.'s National Crime Agency said in a statement on its website.

Notifying Internet users of malware infections, especially when their computers become part of known botnets, has become a relatively common practice for some ISPs in recent years.

For example, in the U.S., Comcast introduced security alerts for its Xfinity service subscribers back in 2010, while in Germany the government partnered with ISPs to notify users whose computers are infected with malware on an ongoing basis and help them clean their machines.

However, ISPs should take even a bigger role in the fight against botnets as "desperate times call for desperate measures," said Rik Ferguson, global vice president of security research at Trend Micro, Monday in a blog post.

Despite widespread media coverage of the Gameover botnet's takedown, press conferences by law enforcement agencies and security alerts issued by computer emergency response teams (CERTs), for the majority of Internet users "the story will just pass them by," Ferguson said.

The researcher argues that even those users who do normally pay attention to IT security-related news might grow tired of learning of the multitude of data loss incidents and eventually might cease to care, which is why a more aggressive approach is needed.

"ISPs on an on-going basis should take advantage of the threat intelligence feeds of the security industry to identify compromised systems connected to their networks," Ferguson said. "Those systems should be moved to quarantine, the account owners should be contacted and directed to resources which will enable them to clean up and rectify the situation. Until such time as the infection is remediated the computer should be able to access only limited Internet resources. Don't care will be made to care."

A computer infected with malware is a threat not only for its owner, but for other Internet users as well in a similar way in which a defective car endangers its driver and everyone else on the road. That's why cars are subject to an annual check, Ferguson said.

Isolating infected computers and forcing their owners to take action is a good idea that could affect the cybercriminal ecosystem as a whole, said Bogdan Botezatu, a senior e-threat analyst at Bitdefender, Tuesday via email. "These compromised computers are the most precious assets for cybercriminals. The smaller their number, the lower the revenue for crooks and the smaller the incentive to keep infecting random computers."

Some ISPs might not be able to take such actions because of local legal frameworks and privacy-related reasons, but if a significant number of them start doing it, botnets could become much smaller, restricting their operators' ability to invest in new command-and-control infrastructure or new attacks.

There are a number of issues that ISPs might face when implementing such a program, Botezatu said. "For instance, their customer base might complain that their traffic is being inspected or that they have lost connectivity when they needed it most. The initial investment for a malicious traffic pattern monitoring technology on the ISP's side could also be one of the factors that would postpone its implementation."

Join the CSO newsletter!

Error: Please check your email address.

Tags EuropolNational Crime Agencyonline safetytrend microsecurityDesktop securityfbimalwarebitdefender

More about Comcast CableEuropolFBITrend Micro Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place