Is it time to quarantine infected PCs?

10/16/2012 3:19:11 PM

Nicole Kobie investigates the implications of taking malware-riddled computers offline

Malware could cost you your access to the internet - and in some cases the block will come from those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats.

Last year, authorities - led by the FBI - arrested the criminals behind the DNSChanger operation, taking over their servers. The malware changed victims’ DNS settings to point at the criminals’ own resolvers, so unplugging those servers would have cut off the four million infected PCs from the web. The FBI won a court order allowing it to keep the servers running long enough to work with ISPs to warn infected customers and clean up machines. The 120-day grace period was extended once, but eventually the plug was pulled in July, with 250,000 machines still infected - 13,000 in the UK alone.


While some described it as an “internet doomsday”, there were few reports of PCs suddenly refusing to find websites. This is partially because ISPs - including Virgin Media - stepped in to handle the DNS re-routing, meaning that some infected PCs are still being propped up.

The case raised questions about how far authorities can - or should - go to tackle the worst malware, and who is responsible if it all goes wrong.

One idea that’s been previously mooted is quarantining infected PCs. When malware is detected, that PC would be blocked from openly accessing the internet. Microsoft’s vice president of trustworthy computing, Scott Charney, suggested the idea at the RSA security conference in 2010, asking, “Why don’t we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the internet?” Microsoft has since pulled back, renaming it “internet health” and proposing that PCs receive a “health check” before gaining access to networks.

Microsoft isn’t the first to consider the idea. A Dutch bank has previously blocked customers with infected PCs from accessing its online services, as it battled a particularly troubling trojan. “That bank made some waves among the population by sending notes and letters to its customers, saying we’re cutting off your banking,” said F-Secure Labs security advisor Sean Sullivan, noting that the European Commission has recently advised banks to assume that all of their customers’ PCs are infected with a trojan. “There’s a lot of talk suggesting that if you see anything strange in your customer base, block it - block your customers.”

ISPs also like the idea of isolating infected PCs, Sullivan said, as PCs spewing spam clog up their networks, with recent research from the Delft University of Technology suggesting that as much as 6% of UK traffic comes from compromised machines. “It’s a minority of the overall customer base, but 10% of all machines [globally] exhibiting bot-like behaviour is a huge free resource that can be commoditised for cybercrime,” said Sullivan.

However, there are problems with cutting off customers beyond angering them. “It’s tricky,” said Kaspersky Lab senior security researcher David Emm. “There’s a contract in place between myself and the ISP to provide me with a broadband connection. If it’s to sever that, there’s a potential problem.” He added that ISPs would need to include severance policies in their terms of service, since cleaning up computers without permission from users could be seen as “unauthorised modifications of a computing device” and would therefore be in breach of the Computer Misuse Act.

Whether or not users are cut off, more security work is being done at the network level - which becomes more important as users shift to tablets and smartphones. “You can’t have client-side solutions on such devices, as they’re all running different OSes, so they definitely want to invest in building network resources that will isolate machines into these walled repair gardens, and you can do that regardless of the device,” said Sullivan. “All these smart devices - you can’t have antivirus on your fridge... but you can build network resources; that’s where the technology is moving.”

Sick notes

There are less severe ways to tackle serious malware outbreaks. Google and Facebook displayed messages to those users they detected as having DNSChanger infections, offering advice on how to tackle the problem; since users are already logged into Google and Facebook, the messages are more likely to be trusted.


Virgin Media takes it a step further, sending letters to customers through the mail. While that may sound old-fashioned, it’s clear the message isn’t a phishing attack, since it’s obvious where it came from - and it’s offline. Virgin has sent two tranches of letters, to 1,000 and 1,500 customers each time. While the ISP doesn’t keep stats tracking the success of the programme, it believes it’s a useful tool for extreme cases of malware. It doesn’t look for botnet traffic actively across its own network, instead working with third-party security organisations that alert it to odd patterns and infected machines’ IP addresses.

The risk is that such messages will become too common, and will therefore be ignored. “There’s always that danger... that people become a bit saturated and blasé about it,” said Emm, suggesting the technique should be reserved for the worst malware and remain targeted at only the affected users. “It isn’t like putting out a circular on a web page... this is targeted, it’s more focused, so it isn’t dragging in people who aren’t impacted.”

Blocked ports

Other solutions are more proactive. In F-Secure’s home country of Finland, ISPs block specific ports that are rarely used by consumers but frequently targeted by criminals. “It was decided consumer ISP accounts don’t need outbound SMTP, as the typical consumer isn’t running an email server,” said Sullivan. “There’s a whole range of ports that malware can take advantage of that consumers typically never use... that the customer would be happy to opt out of and would make their node on the internet pretty useless to malware.”

Those who want access must buy a business account or call up the ISP to have it switched on, cutting down the number of open ports, meaning that “infecting a Finnish machine and trying to turn it into a spam bot is impractical,” said Sullivan. “It would be the beginning of a solution to cutting off these free resources to the bad guys.”
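The Finnish approach described above amounts to two pieces of network-side logic: an egress policy that drops outbound SMTP (and similar rarely-needed ports) for consumer accounts unless they opt back in, and a detector that flags consumer nodes whose blocked attempts look like a spam bot fanning out to many mail servers, so the ISP can notify or quarantine them rather than silently dropping traffic. The following is an added, constructed example of both, not code from the article or from any ISP; the account map, the opted-in customer, the flow-log lines and the ports other than 25 are all assumptions made for illustration.

```python
"""Consumer egress filtering and spam-bot fan-out detection (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address

# Outbound SMTP relay (25) is the case the article names; the other ports are
# assumed here as further examples of services a typical consumer never runs.
CONSUMER_BLOCKED_PORTS = {25, 135, 137, 138, 139, 445}

# Constructed account records: access-network address -> account type.
ACCOUNTS = {
    "203.0.113.10": "consumer",
    "203.0.113.11": "consumer",
    "203.0.113.50": "business",
}
# Consumer accounts that phoned the ISP and had a port switched back on.
OPT_INS = {"203.0.113.11": {25}}


def egress_allowed(src: str, dst_port: int) -> bool:
    """Policy decision for one outbound connection attempt."""
    account = ACCOUNTS.get(src, "consumer")  # unknown nodes get the safe default
    if account == "business":
        return True
    if dst_port in CONSUMER_BLOCKED_PORTS and dst_port not in OPT_INS.get(src, set()):
        return False
    return True


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse constructed 'src dst dport' flow-log lines; '#' lines are comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split()
        ip_address(src)  # raises ValueError on a malformed record
        ip_address(dst)
        flows.append(Flow(src, dst, int(dport)))
    return flows


def apply_policy(flows):
    """Split flows into (allowed, blocked) according to egress_allowed()."""
    allowed, blocked = [], []
    for f in flows:
        (allowed if egress_allowed(f.src, f.dport) else blocked).append(f)
    return allowed, blocked


def spam_bot_suspects(flows, fanout_threshold=5):
    """Sources attempting SMTP (port 25) to at least `fanout_threshold` distinct hosts.

    Blocked attempts count too: the drops themselves are the signal that a node
    is worth a notification letter or a walled-garden quarantine.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.dport == 25:
            targets[f.src].add(f.dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= fanout_threshold)


# Constructed sample flow log: one infected consumer, one opted-in consumer,
# one business account that legitimately runs a mail server.
SAMPLE_FLOWS = """
# src            dst            dport
203.0.113.10     198.51.100.1   25
203.0.113.10     198.51.100.2   25
203.0.113.10     198.51.100.3   25
203.0.113.10     198.51.100.4   25
203.0.113.10     198.51.100.5   25
203.0.113.10     198.51.100.6   25
203.0.113.10     198.51.100.7   443
203.0.113.11     198.51.100.20  25
203.0.113.11     198.51.100.21  445
203.0.113.50     198.51.100.30  25
203.0.113.50     198.51.100.31  25
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    allowed, blocked = apply_policy(flows)
    print(f"allowed={len(allowed)} blocked={len(blocked)}")
    print("spam-bot suspects:", spam_bot_suspects(flows))
```

Note that the opted-in consumer and the business account both reach port 25 without being flagged, while the infected consumer's six attempts are dropped and the node is reported; the fan-out threshold is the knob that keeps a customer who occasionally talks to one mail server out of the suspect list.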

Malware control: what we think

Technical editor Darien Graham-Smith: It's no insult to suggest that the typical user may not realise when their PC is infected with malware. Modern trojans and worms are so good at concealing themselves that even security experts sometimes miss them - a case in point being the recent Flame worm, which circulated for at least two years before its malicious function was discovered. If ISPs can make customers aware of threats that might otherwise fly under the radar, it's hard to argue that they shouldn't.

The idea of suspending infected PCs' internet connections is troubling, however. Yes, it sends an unmissable message to subscribers who might otherwise ignore warnings, and it prevents them from infecting others. But for many people the internet today isn't a luxury but a lifeline, serving as their primary (or only) connection to friends, businesses and even the government. Even brief disconnection, bureaucracy being what it is, is a harsh and disruptive sanction. In five European countries internet access is now recognised as a basic human right, and it's surely only a matter of time before the UK follows. It isn't something to be withheld lightly - and certainly not from those whose only crime is unwittingly clicking on a dodgy link, or naively opening a malicious email attachment.
