Nicole Kobie investigates the
implications of taking malware-riddled computers offline
Malware could cost you your internet access - but in some cases it will be
those on the right side of the security fence doing the blocking, deploying
tactics such as blocked ports, letters in the post and PCs quarantined from the
net to combat the most damaging threats.
Last year, authorities - led by the FBI -
arrested the criminals behind the DNSChanger operation and took over their
servers. The malware changed victims’ DNS settings to point at the gang’s own
servers, so simply unplugging those servers would have cut off the four million
infected PCs from the web. The FBI won a court order allowing it to keep the
servers running long enough to work with ISPs to warn infected customers and
clean up machines. The 120-day grace period was extended once, but eventually
the plug was pulled in July, with 250,000 machines still infected - 13,000 in
the UK alone.
Is it time to quarantine infected PCs?
While some described it as an “internet doomsday”,
there were few reports of PCs suddenly refusing to find websites. This is
partially because ISPs - including Virgin Media - stepped in to handle the DNS
re-routing, meaning that some infected PCs are still being propped up.
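A quick way to check whether a machine’s resolvers have been redirected in the way DNSChanger did, as an added example for this article (not code from the FBI, any ISP or the researchers quoted): it parses resolv.conf-style text and flags any nameserver that falls inside the resolver ranges the FBI published for DNSChanger, or that is not one of the ISP’s expected resolvers. The sample resolv.conf and the expected-resolver addresses (192.0.2.x, documentation space) are constructed for the example; the rogue ranges are reproduced from the FBI’s published list rather than from the article, so treat them as an assumption and swap in your own blocklist.

```python
"""Check a host's configured DNS resolvers for DNSChanger-style hijacking.

Added example, not code from the article or from any organisation it names.
Assumptions: resolver settings are available as Unix resolv.conf text (the
sample below is constructed); the rogue ranges are the FBI's published
DNSChanger resolver ranges, reproduced here and not taken from the article.
"""
import ipaddress
import re

# Resolver ranges run by the DNSChanger operators (FBI publication; assumption,
# not from the article). Replace with your own blocklist in practice.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# Resolvers the ISP hands out over DHCP for this hypothetical subscriber.
# Anything outside this set deserves a look even when it is not in a known
# rogue range: an attacker need not reuse a range that has already been burned.
EXPECTED_RESOLVERS = {
    ipaddress.ip_address("192.0.2.53"),
    ipaddress.ip_address("192.0.2.54"),
}

_NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)


def parse_resolvers(resolv_conf: str) -> list:
    """Return the nameserver addresses in resolv.conf text, in listed order.
    Entries that are not valid IP addresses are skipped rather than fatal."""
    resolvers = []
    for match in _NAMESERVER_RE.finditer(resolv_conf):
        try:
            resolvers.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
    return resolvers


def classify_resolver(addr, rogue_ranges=DNSCHANGER_RANGES,
                      expected=EXPECTED_RESOLVERS) -> str:
    """Classify one resolver address.

    'rogue'      - inside a known DNSChanger range
    'expected'   - one of the ISP-assigned resolvers
    'loopback'   - a local stub (systemd-resolved, dnsmasq); its upstream
                   must be checked separately
    'unexpected' - an address we did not hand out
    """
    if any(addr in net for net in rogue_ranges):
        return "rogue"
    if addr in expected:
        return "expected"
    if addr.is_loopback:
        return "loopback"
    return "unexpected"


def audit_resolv_conf(resolv_conf: str) -> dict:
    """Classify every configured resolver and derive an overall verdict."""
    findings = {str(a): classify_resolver(a) for a in parse_resolvers(resolv_conf)}
    if not findings:
        verdict = "no-resolvers"
    elif "rogue" in findings.values():
        verdict = "infected"
    elif "unexpected" in findings.values():
        verdict = "suspicious"
    elif all(v == "loopback" for v in findings.values()):
        verdict = "inconclusive"  # stub resolver only; inspect its upstream config
    else:
        verdict = "clean"
    return {"resolvers": findings, "verdict": verdict}


# Constructed sample: a machine whose first resolver was rewritten to a rogue
# address, with one ISP resolver left in place so lookups keep working.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search home.example
nameserver 85.255.112.36
nameserver 192.0.2.54
"""

if __name__ == "__main__":
    result = audit_resolv_conf(SAMPLE_RESOLV_CONF)
    for addr, status in result["resolvers"].items():
        print(f"{addr:<16} {status}")
    print("verdict:", result["verdict"])
```

A machine that reports only a loopback stub resolver is not cleared by this check; the hijack can just as easily sit in the stub’s upstream configuration or on the home router, which is where DNSChanger variants also planted themselves.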
The case raised questions about how far
authorities can - or should - go to tackle the worst malware, and who is
responsible if it all goes wrong.
Quarantine
One idea that’s been previously mooted is
quarantining infected PCs. When malware is detected, that PC would be blocked
from openly accessing the internet. Microsoft’s vice president of trustworthy
computing, Scott Charney, suggested the idea at the RSA security conference in
2010, asking, “Why don’t we think about access providers who are doing
inspection and quarantine, and cleaning machines prior to access to the
internet?” Microsoft has since pulled back, renaming it “internet health” and
proposing PCs receive a “health check” before gaining access to networks.
Microsoft isn’t the first to consider the
idea. A Dutch bank has previously blocked customers with infected PCs from
accessing its online services, as it battled a particularly troubling trojan.
“That bank made some waves among the population by sending notes and letters to
its customers, saying we’re cutting off your banking,” said F-Secure Labs
security advisor Sean Sullivan, noting that the European Commission has
recently advised banks to assume that all of their customers’ PCs are infected
with a trojan. “There’s a lot of talk suggesting that if you see anything
strange in your customer base, block it - block your customers.”
ISPs also like the idea of isolating
infected PCs, Sullivan said, as PCs spewing spam clog up their networks, with
recent research from the Delft University of Technology suggesting that as much
as 6% of UK traffic comes from compromised machines. “It’s a minority of the
overall customer base, but 10% of all machines [globally] exhibiting bot-like
behaviour is a huge free resource that can be commoditised for cybercrime,”
said Sullivan.
However, there are problems with cutting off
customers beyond angering them. “It’s tricky,” said Kaspersky Lab senior
security researcher David Emm. “There’s a contract in place between myself and
the ISP to provide me with a broadband connection. If it’s to sever that,
there’s a potential problem.” He added that ISPs would need to include
severance policies in their terms of service, since cleaning up computers
without permission from users could be seen as “unauthorised modifications of a
computing device” and would therefore be in breach of the Computer Misuse Act.
Whether or not users are cut off, more
security work is being done at the network level - which becomes more important
as users shift to tablets and smartphones. “You can’t have client-side
solutions on such devices, as they’re all running different OSes, so they
definitely want to invest in building network resources that will isolate
machines into these walled repair gardens, and you can do that regardless of
the device,” said Sullivan. “All these smart devices - you can’t have antivirus
on your fridge... but you can build network resources; that’s where the
technology is moving.”
Sick notes
There are less severe ways to tackle
serious malware outbreaks. Google and Facebook displayed messages to those
users they detected as having DNSChanger infections, offering advice on how to
tackle the problem; since users are already logged into Google and Facebook,
the messages are more likely to be trusted.
Virgin Media takes it a step further,
sending letters to customers through the post. While that may sound
old-fashioned, it’s clear the message isn’t a phishing attack, since it’s
obvious where it came from - and it’s offline. Virgin has sent two tranches of
letters, to 1,000 and 1,500 customers each time. While the ISP doesn’t keep
stats tracking the success of the programme, it believes it’s a useful tool for
extreme cases of malware. It doesn’t look for botnet traffic actively across
its own network, instead working with third-party security organisations that
alert it to odd patterns and infected machines’ IP addresses.
The risk is that such messages will become
too common, and will therefore be ignored. “There’s always that danger... that
people become a bit saturated and blasé about it,” said Emm, suggesting the
technique should be reserved for the worst malware and remain targeted to only
affected users. “It isn’t like putting out a circular on a web page... this is
targeted, it’s more focused, so it isn’t dragging in people who aren’t
impacted.”
Blocked ports
Other solutions are more proactive. In
F-Secure’s home country of Finland, ISPs block specific ports that are rarely
used by consumers but frequently targeted by criminals. “It was decided
consumer ISP accounts don’t need outbound SMTP, as the typical consumer isn’t
running an email server,” said Sullivan. “There’s a whole range of ports that
malware can take advantage of that consumers typically never use... that the
customer would be happy to opt out of and would make their node on the internet
pretty useless to malware.”
Those who need those ports must buy a business
account or call the ISP to have them switched on. The result is far fewer open
ports, meaning that “infecting a Finnish machine and trying to turn it
into a spam bot is impractical,” said Sullivan. “It would be the beginning of a
solution to cutting off these free resources to the bad guys.”
Malware control: what we think
Technical editor Darien Graham-Smith: It's
no insult to suggest that the typical user may not realise when their PC is
infected with malware. Modern trojans and worms are so good at concealing
themselves that even security experts sometimes miss them - a case in point
being the recent Flame worm, which circulated for at least two years before its
malicious function was discovered. If ISPs can make customers aware of threats
that might otherwise fly under the radar, it's hard to argue that they
shouldn't.
The idea of suspending infected PCs'
internet connections is troubling, however. Yes, it sends an unmissable message
to subscribers who might otherwise ignore warnings, and it prevents them from
infecting others. But for many people the internet today isn't a luxury but a
lifeline, serving as their primary (or only) connection to friends, businesses
and even the government. Even brief disconnection, bureaucracy being what it
is, is a harsh and disruptive sanction. In five European countries internet
access is now recognised as a basic human right, and it's surely only a matter
of time before the UK follows. It isn't something to be withheld lightly - and
certainly not from those whose only crime is unwittingly clicking on a dodgy
link, or naively opening a malicious email attachment.