ISPs Failing to Quickly Tackle Bot Menace
Scams stay on-line for months, sometimes longer

A rise in Trojan infections is producing a parallel explosion in zombie boxes that spew spam and host phishing websites. Cybercriminals now make more from Internet fraud than from the drug trade, according to law enforcement officials. Unfortunately, as our readers have been discovering, a number of ISPs are failing to identify and eliminate infected PCs on their networks, even after being clearly notified of their existence.

We wanted to know why.

This Paypal phishing scam, tracked by our users, was in operation for close to a month on BellSouth's network. Our resident scambusters alerted the telco's abuse department of its existence a little more than three weeks ago.

We asked BellSouth why these scams - which can potentially lure hundreds or thousands of victims during an ISP's period of inaction - aren't taken down more quickly. BellSouth Media Relations officer Nadine Randall simply assured us that BellSouth's abuse department was "keenly focused on customer satisfaction."

"Response times vary based on industry and company needs," said Randall. "Beyond that, I cannot comment on the specific issue or timing." Shortly after our conversation, the infected host disappeared.

BellSouth isn't alone when it comes to inadequate responses. Several other ISPs are as bad or worse, according to our resident security experts and scambusters.

This infected Roadrunner residential account had been running a Chase bank phishing scam for nearly forty days before being taken down, after repeated requests from our users. Likewise, this Optimum On-line user was compromised for almost a month and was finally taken off-line yesterday.

Why are ISPs not responding to these threats more quickly? Can it be blamed on typical bureaucratic malaise, or is this a conscious effort by ISPs to avoid accountability for infected residential machines? Talking grandma through cleaning up her infected Windows ME PC can likely eat away at support dollars and efficiency.

According to DSLReports.com user Krispy, the network security administrator for Canadian cable ISP Cogeco, the delay is often caused by a disconnect between an ISP's network ops crew and higher management. "It's difficult for finance to sanction funds for something that *appears* to bring in no revenue and also *appears* to actually frustrate customers," she tells us.

According to her, many ISP security departments are severely understaffed and overwhelmed: so consumed by daily maintenance that there is little time left for the statistical analysis that would show the benefits of a clean network. "Botnets do not prevail for lack of caring on the part of security departments in most ISPs, it's due to lack of knowledgeable human, financial or technical resources and the lack of support from upper management," she opines.

Matt Carothers, Manager of Abuse for Cox Communications, seems to agree. Cox is frequently cited by our resident scambusters as usually quick to respond to complaints.

According to Carothers, executives at Cox, from CTO to VP, understand that a proactive stance benefits both customers and the Internet at large. "This understanding gives our abuse department the leeway to apply creative solutions to problems and to take controversial but necessary actions such as blocking outbound port 25," Carothers tells us.

The company takes a two-pronged approach to the problem, he says. The first is proactive abuse prevention, which includes blocking outbound port 25 (more technical specifics on that here -Ed.), blackholing phishing sites, blocking trojan control servers, and providing free security software to Cox customers (something we complained about last year, but which is now all but standard industry practice).

The second, he says, is efficient report response. Carothers says the abuse@cox.net mailbox is approximately 85% automated, and in many cases, issues can be resolved from start to finish with no manual labor at all. "In the other cases, our systems perform enough investigation that an engineer can simply review the findings and decide what action to take," he says.

Another network engineer at a major ISP (who wanted to remain anonymous) agrees: automation, creativity, and funding are the keys. Many ISPs are taking an automated "walled garden" approach to the problem, using NetFlow (a Cisco feature that runs on the CMTS/routers) or similar tools to monitor the source, destination, protocol and other traffic specifics, looking for abnormally high numbers of ICMP flows or other traffic indicative of malware-infected hosts.

When a particular machine trips the triggers, the ISP sends an automated alert to its provisioning department to suspend the account and the modem. The affected user can then only view pages set by the ISP; these can be anything from instructions on how to clean the system, to security update websites or web-based antivirus applications.

This keeps the infected machine off the Internet, but it also eases the strain on an ISP's support department by trying to guide users through cleaning up their own systems before they call support. Insiders tell us these systems have their own technical flaws, but they also say that customers fail to read and follow the warnings and instructions.
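The monitoring-to-walled-garden loop described above, as an added Python example (not code from any ISP named in the article): NetFlow-style records are aggregated per subscriber, the ICMP, direct-to-MX and control-server triggers are evaluated, and a provisioning ticket is produced for hosts that trip them. The record layout, thresholds, subscriber prefix, cleanup URL and sample flows are all assumed.

```python
"""Walled-garden triage over NetFlow-style records.

Added example; record format, thresholds, addresses and the sample flows
are constructed for illustration and are not any ISP's real configuration.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumed subscriber address space: only our own customers can be sandboxed.
SUBSCRIBER_NET = ipaddress.ip_network("10.20.0.0/16")

# Assumed per-window triggers. ICMP counts alone are noisy (a traceroute-happy
# user is not a bot), so the limits are deliberately high.
ICMP_FLOW_LIMIT = 200          # ICMP flows from one host in the window
SMTP_DST_LIMIT = 50            # distinct tcp/25 destinations (direct-to-MX spam)
C2_SERVERS = {"198.51.100.7"}  # constructed "known control server" (TEST-NET-2)

CLEANUP_PAGE = "http://walledgarden.example/cleanup"  # assumed ISP help page


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for icmp
    packets: int


def summarize(flows):
    """Aggregate per-source counters for the flows the triggers look at."""
    stats = defaultdict(lambda: {"icmp": 0, "smtp_dsts": set(), "c2": 0})
    for f in flows:
        if ipaddress.ip_address(f.src) not in SUBSCRIBER_NET:
            continue  # transit or inbound traffic: not ours to sandbox
        s = stats[f.src]
        if f.proto == "icmp":
            s["icmp"] += 1
        elif f.proto == "tcp" and f.dport == 25:
            s["smtp_dsts"].add(f.dst)
        if f.dst in C2_SERVERS:
            s["c2"] += 1
    return stats


def triage(flows):
    """Return {host: [trigger reasons]} for hosts that should be sandboxed."""
    verdicts = {}
    for host, s in summarize(flows).items():
        reasons = []
        if s["icmp"] >= ICMP_FLOW_LIMIT:
            reasons.append(f"{s['icmp']} ICMP flows (scan/flood pattern)")
        if len(s["smtp_dsts"]) >= SMTP_DST_LIMIT:
            reasons.append(f"tcp/25 to {len(s['smtp_dsts'])} distinct hosts (spam bot)")
        if s["c2"]:
            reasons.append(f"{s['c2']} flows to known control server")
        if reasons:
            verdicts[host] = reasons
    return verdicts


def provisioning_ticket(host, reasons):
    """What the automated alert to provisioning carries: suspend the account
    and redirect the subscriber's web traffic to the cleanup page."""
    return {"host": host, "action": "suspend", "redirect": CLEANUP_PAGE,
            "reasons": reasons}


def sample_flows():
    """Constructed one-window capture: a ping sweeper, a spam bot, a C2
    beacon, a normal web user, and an off-net host that must be ignored."""
    flows = []
    flows += [Flow("10.20.1.10", f"203.0.113.{i % 254 + 1}", "icmp", 0, 1)
              for i in range(250)]                             # ping sweep
    flows += [Flow("10.20.1.11", f"192.0.2.{i + 1}", "tcp", 25, 12)
              for i in range(60)]                              # direct-to-MX spam
    flows += [Flow("10.20.1.12", "198.51.100.7", "tcp", 8080, 4)]  # C2 beacon
    flows += [Flow("10.20.1.13", "203.0.113.50", "tcp", 80, 40)
              for _ in range(30)]                              # ordinary browsing
    flows += [Flow("172.16.9.9", f"203.0.113.{i % 254 + 1}", "icmp", 0, 1)
              for i in range(300)]                             # not a subscriber
    return flows


if __name__ == "__main__":
    for host, reasons in triage(sample_flows()).items():
        print(provisioning_ticket(host, reasons))
```

In production the same counters would be fed from exported flow records rather than an in-memory list, and the ticket would go to the provisioning system instead of being printed.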

Microsoft recently stated that of the 270 million users who ran its free scanning software from January 2005 through March 2006, 3.5 million were found to have been infected by a Trojan and were currently being used either to send spam or to host a phishing scam. Security firm Sophos reports that among the 1,538 new threats discovered in May, 85.1% were Trojan horses.

A common thread among the ISP security professionals we spoke to is that many ISP executives treat network security like the black sheep of the family, spending little on abuse-solution development and leaving abuse teams consistently understaffed. Criminals aren't waiting for these executives to wake up.

cableties (Premium Member, join:2005-01-27)

Follow the money...

"...BellSouth's abuse department was 'keenly focused on customer satisfaction.'"

Um yeah. What they fail to tell you is the line about "generating traffic". When you learn that traffic is money, and they don't care what traffic, then it's money. Your ISP gets a rate based on flow. Now, flow ebbs in and out. But let's say your rate is based on a large amount of traffic. Well, what happens when that traffic is stopped to a trickle?

You pay more.

So it actually pays to have spam, bots, phishing...as it means traffic. Who cares if the users get it, as it's not attacking the ISP's end. Now, if bots were shutting down routers, and switches and servers...watch how quickly it cleans up.

Someone told me this once when I asked them to just shutdown specific traffic. Nope, was his answer.

FFH5 (Premium Member, join:2002-03-03, Tavistock NJ) | 1 recommendation

Re: Follow the money...

Abuse departments are nothing but cost centers at all the ISPs. They bring in no money and annoy customers who they come in contact with. Therefore, they have small budgets and small staffs and most of their time is spent dealing with DMCA takedown requests.

Result: they spend virtually no time at all on zombie PCs on their network. And don't look for that to change anytime soon. Only if class action lawsuits are filed against the ISPs over this practice by lawyers representing customers whose identities have been stolen will this ever change.

tsu9 (Member, join:2001-08-17, Wheeling, IL)

Re: Follow the money...

Maybe the ISPs could funnel the misspent bribe lobbyist funding into the abuse department (in addition to actually funding other much-needed things).

....nah.

Filmore (Anon, @mc.videotron.ca) to FFH5

Re: Follow the money... You can make a difference!

cableties wrote:

"Result: they spend virtually no time at all on zombie PCs on their network. "

Actually, I think a difference can be made. I put in place the following web page, after learning that my ISP had been put on black lists for spam, due mainly to the large number of zombie PCs that were running rampant:

»pages.infinit.net/filmor ··· rISP.htm

Then, I began to "mass report" the zombies on my ISP's network, using the report forms on their abuse site. I mentioned that such-and-such IP had a likely trojan horse infection, and that it was likely sending out spams according to senderbase.org - that because of the black-listing for spam my own emails were being refused by certain recipients.

These reports create a sort of "back log" in the ISP customer-support "cost-center". I would follow-up with phone calls from time to time.

Why go to all this trouble? Well, the lovely thing about Montreal, Canada is the lack of competition for ISPs. There are two: Videotron and Sympatico. Both had (have?) terrible reputations for hosting spam zombies.

I never thought it would work, but my ISP *did* eliminate a fair number of zombies. The problem *does* still exist, but the numbers of zombies is in the tens, as opposed to the thousands over a year ago when I began my "campaign".

The problem with the numbers reported today, however, is that the senderbase.org reports are based on volume of email. The assumption is that high-volume cable-modem (or dynamic IP addressed) sites are likely spam-bots.

Spammers have since gotten smarter, and zombies are exploited less. This means that the spammers try for greater numbers in their bot-net armies, but the individual soldiers do less "evil" work to keep under the radar.
Skippy25 (Member, join:2000-09-13, Hazelwood, MO) to cableties | 1 recommendation

So let me see if I have this right....

You are saying ISPs are paid by the amount of traffic they generate with their customers?

Maybe I am stupid, but I always thought ISPs purchased traffic either straight up (T1, all customers share) or through a dynamic pool (T3 capabilities, but only charged as needed). Either way, the more traffic on their network, the more they have to pay or the more issues their customers have fighting for bandwidth.

Doesn't seem to hold your conspiracy theory together very well.

roamer1 (sticking it out at you; Member, join:2001-03-24, Atlanta, GA) to cableties | 1 recommendation

said by cableties:

Um yeah. What they fail to tell you is the line about "generating traffic". When you learn that traffic is money, and they don't care what traffic, then it's money. Your ISP gets a rate based on flow. Now, flow ebbs in and out. But let's say your rate is based on a large amount of traffic. Well, what happens when that traffic is stopped to a trickle?

You pay more.

You have it reversed -- the more traffic an ISP sends and receives, the more they pay. Settlement-free peering is usually where the "flow" model comes into play and muddies the waters a bit, but SFP is largely irrelevant for consumer-oriented providers in general and BellSouth in particular.

-SC

N3OGH (Yo Soy Col. "Bat" Guano; Premium Member, join:2003-11-11, Philly burbs)

People need to take security more seriously

Thing is, most users don't know they're host to this garbage. Most of them aren't running firewalls, or virus software.

It's obvious that a firewall is a mandatory item in any broadband user's bag of tools/toys. Broadband providers should be making firewall usage mandatory at this point. A decent router with a built-in firewall is the cheapest investment in computer security a broadband user can make.

izy (MVM, join:2000-09-21, endless loop)

Re: People need to take security more seriously

I'd have to disagree. ISPs cannot "force" users to run anything on their computers. They can "advise" but not "force".

It is however an ISP's responsibility to prevent network abuse on THEIR networks, such as a hosted phishing site.

What does it take a whole 5 minutes for an ISP's tech to knock a phished system off their network???

It's inevitable that a phishing site will pop up on ANY ISP's network; it's the speediness of the ISP in responding to reports of these sites and knocking them offline ASAP that counts. It would be interesting if justin could create some statistics on response times per ISP when it comes to fixing these problems. The data is all there in »/phishtrack

Insder (There never was a second I in my name; Premium Member, join:2005-04-27, Salem, MA)

Re: People need to take security more seriously

Trust me, I've been getting better response times from Asian providers and European providers than from the US. A US provider, Paetec, had a phish come up and back down three times before they finally stopped letting the customer handle it, while Belgicom of Belgium took the site offline within a day and emailed me back telling me it's taken care of. It's insane how bad US support is; it's like nobody cares. Even HiNet of China sends me better responses than most US ISPs.

N3OGH (Yo Soy Col. "Bat" Guano; Premium Member, join:2003-11-11, Philly burbs) to izy

said by izy:

I'd have to disagree. ISPs cannot "force" users to run anything on their computers. They can "advise" but not "force"...

Why not? It's their network, you abide by their terms. Have you read your TOS lately? My ISP Verizon has some pretty heavy-handed language in it.

Example:

"Verizon may terminate the Service upon notice to you for any reason."

And the acceptable use policy specifically states:

"Verizon reserves the right to deny Service to you, or immediately to terminate your Service for material breach, if your use of the Service or your use of an alias or the aliases of additional users on your account, whether explicitly or implicitly, and in the sole discretion of Verizon: (a) is obscene, indecent, pornographic, sadistic, cruel or racist in nature, or of a sexually explicit or graphic nature; (b) espouses, promotes or incites bigotry, hatred or racism; (c) might be legally actionable for any reason, (d) is objectionable for any reason, or (e) in any manner violates the terms of this Acceptable Use Policy."

So, you're going to tell me that an ISP that states in their TOS that they can terminate my service for downloading the latest "girls gone wild" video, or looking at porno pictures can't tell me I have to use a firewall??

izy (MVM, join:2000-09-21, endless loop)

Re: People need to take security more seriously

said by N3OGH:

So, you're going to tell me that an ISP that states in their TOS that they can terminate my service for downloading the latest "girls gone wild" video, or looking at porno pictures can't tell me I have to use a firewall??

Yup, they can monitor/restrict the flow of data to and from your computer but they can not tell you what software you must have installed on your PC. Now if they forced users to run a hardware firewall that would be great, but if my ISP told me to run a software firewall I'd drop them like a bad habit.
moonpuppy (banned) (Member, join:2000-08-21, Glen Burnie, MD) to izy

said by izy:

I'd have to disagree. ISPs cannot "force" users to run anything on their computers. They can "advise" but not "force".

said by izy:

It is however an ISP's responsibility to prevent network abuse on THEIR networks, such as a hosted phishing site.

The above 2 statements seem to be playing both sides of the field.

If someone is affecting network performance because they have been compromised, then the ISP is well within their rights to disconnect them until they fix their machine. Therefore, they can "force" a customer to clean their system or not be allowed back on.

The very same argument can be used to those so-called "bandwidth hogs" that others complain about when they use too much downloading whatever they want.

ISPs need to be careful that they don't disconnect just anyone and use the "compromised system" excuse to cover up a mistake. That being said, I have seen many of the scams exposed here and they have more than enough evidence to support their claims.

izy (MVM, join:2000-09-21, endless loop) | 1 edit

Re: People need to take security more seriously

said by moonpuppy:

If someone is affecting network performance because they have been compromised, then the ISP is well within their rights to disconnect them until they fix their machine. Therefore, they can "force" a customer to clean their system or not be allowed back on.

You need to re-read my statement.

moonpuppy (banned) (Member, join:2000-08-21, Glen Burnie, MD)

Re: People need to take security more seriously

I did. A few times actually.

A user can be forced to run anti-malware programs IF they have been compromised once before and they want to be allowed back on the network.

raccettura0 (Member, join:2002-09-28, USA) to N3OGH

said by N3OGH:

Thing is, most users don't know they're host to this garbage. Most of them aren't running firewalls, or virus software.

It's obvious that a firewall is a mandatory item in any broadband user's bag of tools/toys. Broadband providers should be making firewall usage mandatory at this point. A decent router with a built-in firewall is the cheapest investment in computer security a broadband user can make.

At this point, most know but don't care... it's cheaper and easier to not care, and every so often ask a friend to help fix it (or make a family member feel obligated).

The *only* way you'll fix this problem is if there are stiff fines for offenses... If your computer is hijacked, it will cost you $100/offense. Until then, nothing will happen, because nobody cares.

Right now there's no real consequences, hence nobody cares.

Transmaster (Don't Blame Me I Voted For Bill and Opus; Member, join:2001-06-20, Cheyenne, WY) | 4 edits, 1 recommendation

We believe in Customer Service

AT&T's Abuse Department
At big Telco we believe in Abuse mitigation and we staff our Abuse department 24/7. Our abuse team numbers in the thousands and this staff of trained cockroaches are waiting to help you.

removed (Premium Member, join:2002-02-08, Houston, TX) | 1 recommendation

Re: We believe in Customer Service

said by Transmaster:

At AT&T BellSouth we believe in Abuse mitigation and we staff our Abuse department 24/7. Our abuse team numbers in the thousands and our staff of trained cockroaches are waiting to help you.

BellSouth is more like it. AT&T has gotten things done fairly quickly (well, much less than 40 days!) in most of our cases...

Transmaster (Member, join:2001-06-20, Cheyenne, WY)

Re: We believe in Customer Service

Point taken, changed it to Big Telco.

moonpuppy (banned) (Member, join:2000-08-21, Glen Burnie, MD) to Transmaster
You mean they actually have a desk?

Transmaster (Member, join:2001-06-20, Cheyenne, WY) | 1 recommendation

Re: We believe in Customer Service

Well no, this may look like a desk but it really is the apartment for all of the support staff.

moonpuppy (banned) (Member, join:2000-08-21, Glen Burnie, MD)

Re: We believe in Customer Service

I'm putting you on ignore until you send me a case of keyboards.

woody7 (Premium Member, join:2000-10-13, Torrance, CA) to N3OGH
and if they were, they don't update, nor do they run periodic scans... I try to help my friends, but their eyes glaze over after a couple of minutes... then they say something like "shouldn't people who make viruses get in trouble, why do we have to go through this?" I make quite a few "Starbucks" cards this way... (in the cleaning) of their computers... they just want it taken care of and they don't want to have to do anything... but point and click... geesh...

Combat Chuck (Too Many Cannibals; Premium Member, join:2001-11-29, Verona, PA)

Re: People need to take security more seriously

said by woody7:

and if they were, they don't update, nor do they run periodic scans... I try to help my friends, but their eyes glaze over after a couple of minutes... then they say something like "shouldn't people who make viruses get in trouble, why do we have to go through this?" I make quite a few "Starbucks" cards this way... (in the cleaning) of their computers... they just want it taken care of and they don't want to have to do anything... but point and click... geesh...

Exactly.
My experience with people who are infected with crap more than once:
The first time they're scared.
The second time they're just angry.
The third time they couldn't care less as long as the computer still works.

What are you supposed to do when the users don't care? Your only options are to turn them off and then they go to a provider who doesn't care, or you babysit which takes a lot of time and the user potentially goes to another provider that doesn't complain as much.

anonposter (Anon, @optonline.net) | 1 recommendation

instant disconnect

If a computer is infected it should be removed from the network until fixed. {period}

nwrickert (Mod, join:2004-09-04, Geneva, IL)

Re: instant disconnect

If an ISP does not act responsibly, maybe the entire ISP should be removed from the network.

That would get their attention.

anonpisser (Anon, @optonline.net)

Re: instant disconnect

you've got my vote

hobgoblin (Sortof Agoblin; Premium Member, join:2001-11-25, Orchard Park, NY) to nwrickert

said by nwrickert:

If an ISP does not act responsibly, maybe the entire ISP should be removed from the network.

That would get their attention.

Yeah....very clever idea.

the cynic (Member, join:2003-01-25, Harbor City, CA) to anonposter
I absolutely agree. If you can't protect your computer then you are off the net. People will learn real fast. But ISPs want to sell service, so this will not happen.

nwrickert (Mod, join:2004-09-04, Geneva, IL)

Where is the department of homeland insecurity?

Why doesn't DHS take the problem of bot networks more seriously?

mr_slick (Member, join:2003-05-22, Lynnwood, WA)

More money than drug trade?

I find it hard to believe that Internet fraud has surpassed the drug trade in revenue, but of course I could be wrong.

catseyenu (Ack Pfft; Premium Member, join:2001-11-17, Fix East) | 1 recommendation

Not All US ISP's Are Created Equal

As a member of the BBR Phish Team I can attest that we've had dismal response from some US ISPs.
What stands out in stark contrast is the response from Cox.
As a Cox customer for over 6 years I can attest that they really get it and do an exceptional job taking swift and decisive action against anything that threatens their customer or network integrity.
When it comes to pointing my family, neighbors or business associates to a provider, I'm comfortable they're in good hands with Cox.
The other ISPs could learn something from their example.

Wyattx17 (Wyatt; Premium Member, join:2004-04-21, Wilton, CA) | 2 edits

Bot

»video.google.com/videopl ··· 56570908

lol

»video.google.com/videopl ··· 25496919 English Subs.

I know it's off topic, but this made me think of this.

amungus (Premium Member, join:2004-11-26, America)

interesting

Can't believe this problem is so out of hand that these crooks can make money hand over fist beyond the drug trade.

Glad to hear Cox is being somewhat proactive about the situation... but there is obviously a much larger problem...

When I first signed up for Cox, I told my roommate NOT to let them connect me directly to their modem, or at least to LEAVE it that way! ..when I got home a few hours later, I was staring at a modem hooked directly to my box.

They simply should not allow ANYONE to connect to the cable infrastructure without a hardware router/firewall. I immediately went out and bought a cheap (relatively... $100 at the time) Netgear router/switch... we also had to share the connection between our two computers...
Still a decent little router for being wired; has 8MB of RAM and good LAN performance. Its effectiveness in keeping the nasty away from the house was/is priceless.

IMO there should be some way to require the ISP to either rent/sell some sort of router/switch/firewall or modem combo thereof. From what I understand, many DSL modems already do this... a friend of mine has one such unit from SBC, but still uses my old router/switch unit anyway because he doesn't trust 'em for one, and just to have a switch...

Cable works differently than DSL, and all these tests every so often about how fast you can become infected are just getting much worse, and much nastier. I just don't see how the cable co's can simply ignore these things. I also doubt a DSL line would get you "infected" as quickly as a wide open cable connection... are there tests on both???

Another problem, what is the ISP to do, just cut off their customers with no explanation??? Call these people and tell them they've been cut because their computer has been hijacked??? It's got to be a problem with logistics and sheer laziness.

To start giving out real protection instead (or at least in conjunction with) of halfway clunky, voluntarily installed software is the best proactive solution...

a condom (software, which many ISPs already give away...) and a chastity belt (hardware) for the internet.

anonposter (Anon, @optonline.net)

Re: interesting

The ISPs have "dropped the ball".

claudeo (Member, join:2000-02-23, Redmond, WA)

Why?

..Because there is no law that says that it is illegal to aid and abet a criminal online. This is a job for law enforcement, but law enforcement is too busy doing, er, exactly what? Whatever that is, that is not protecting the public.


odreian615 (Member, join:2006-01-18, Chicago, IL)

Zombies

How would you know if your PC is a zombie? Even with all the AVs out there, they are still getting people's PCs to become zombies.

Fatal Vector (Member, join:2005-11-26)

Re: Zombies

Ahem...

I would think you might suspect if you had half a brain, when the activity light on your modem is constantly flashing, even when you are not on the internet, and your computer runs like crap because the CPU's attention is constantly being used for the zombie spam.

bbennett3 (Member, join:2006-06-21, Apopka, FL)

The internet would be a much better place.

Great Article. It would be nice to see Internet Service Providers be a little more responsible and much more proactive. The internet would be a much better place.

jubangy (Premium Member, join:2005-03-26, Corry, PA)

Too Lazy

Is the final answer. If people are too lazy to invest a little time into protecting their stuff then the hell with them, they should be booted. This whole mind set where everything should be point and click is real old; like anything else there are always changes that need to be made, and learning to read and take care of oneself is definitely one of them. Of course, this is the day and age where no one likes to take responsibility for their own actions anymore, thanks to all the smooth talking lawyers and what have you. "Gee sir, it's ok, we won't shut you off, we know you were abused 50 years ago"...give it a rest, get off your ass and take care of yourself or deal with what you have coming. But then there's also the other side of the coin too: give me a call, I'll gladly fix you up for a price...

Fatal Vector (Member, join:2005-11-26)

Re: Too Lazy

"this whole mind set where everything should be point and click is real old"

Joe is like this because, up till now, he has really not needed much brains to operate his stereo, TV, etc. Most consumers like Joe and Jane don't care how it works as long as it works when they flip the switch, or press the button.

Most people are stunningly stupid when it comes to a computer and just want to point and click. This is exacerbated by companies like Microsoft and the "security suite" makers who want to make their software as simple as they can for this very reason, as well as to avoid any responsibilities (and the costs thereof) of actually making software that works, reliably, with security on by default and actually requiring Joe and Jane to LEARN something.

This is because, once again, of the fact that a corporation's ONLY motivation for EVERYTHING they do is MONEY and accumulating as much of same as they can.

I am of the opinion that such companies will, eventually, be forced to take some responsibility, as will Joe and Jane, as the fraud problems get worse on the internet.

Sooner or later, these problems will hit a tipping point, as does, inevitably, all criminal activity (since criminals and fraudsters are just like corporations in their basic motivations), and they will be forced to do so by laws and tort.

It will be interesting to watch, I have no doubt.

zoom314 (Member, join:2005-11-21, Yermo, CA)

Sounds like

SNAFU(Situation Normal All Fouled Up) as usual of course.