A rise in Trojan infections is resulting in a parallel explosion in spam spewing, Phish website hosting zombie boxes. Cybercriminals are now making more off of Internet fraud than via the drug trade, according to law enforcement officials. Unfortunately, as our readers have been discovering, a number of ISPs are failing to properly identify and eliminate infected PCs on their networks, even after being clearly notified of their existence.

We wanted to know why.

This Paypal phishing scam, tracked by our users, was in operation for close to a month on BellSouth's network. Our resident scambusters alerted the telco's abuse department of its existence a little more than three weeks ago.

We asked BellSouth why these scams - which can potentially lure hundreds or thousands of victims during an ISPs period of inaction - aren't taken down more quickly. BellSouth Media Relations officer Nadine Randall simply assured us BellSouth's abuse department was "keenly focused on customer satisfaction."

"Response times vary based on industry and company needs," said Randall. "Beyond that, I cannot comment on the specific issue or timing." Shortly after our conversation, the infected host disappeared.

BellSouth isn't alone when it comes to inadequate responses. Several other ISPs are as bad or worse, according to our resident security experts and scambusters.

This infected Roadrunner residential account had been running a Chase bank phishing scam for nearly forty days before being taken down after repeated requests from our users. Likewise this Optimum On-line user was compromised for almost a month and was finally taken off-line yesterday.

Why are ISPs not responding to these threats more quickly? Can it be blamed on typical bureaucratic malaise, or is this a conscious effort by ISPs to avoid accountability for infected residential machines? Talking grandma through cleaning up her infected Windows ME PC can likely eat away at support dollars and efficiency.

According to DSLReports.com user Krispy, the network security administrator for Canadian cable ISP Cogeco, the delay is often caused by a disconnect between an ISP's network ops crew and higher management. "It's difficult for finance to sanction funds for something that *appears* to bring in no revenue and also *appears* to actually frustrate customers," she tells us.

According to her, many ISP security departments are severely understaffed and overwhelmed; so consumed by daily maintenance, there's little time left for statistical analysis showing the benefits of a clean network. "Botnets do not prevail for lack of caring on the part of security departments in most ISPs, it's due to lack of knowledgeable human, financial or technical resources and the lack of support from upper management," she opines.

Matt Carothers, Manager of Abuse for Cox Communications, seems to agree. Cox is frequently cited by our resident scambusters as usually quick to respond to complaints.

According to Carothers, executives at Cox, from CTO to VP, understand that a proactive stance benefits both customers and the Internet at large. "This understanding gives our abuse department the leeway to apply creative solutions to problems and to take controversial but necessary actions such as blocking outbound port 25," Carothers tells us.

The company takes a two pronged approach to the problem, he says. The first is proactive abuse prevention, which includes blocking outbound port 25 (more technical specifics on that here -Ed.), blackholing phishing sites, blocking trojan control servers, and providing free security software to Cox customers (something we complained about last year, but is all but standard industry practice now).

The second, he says, is efficient report response. Carothers says the abuse@cox.net mailbox is approximately 85% automated, and in many cases, issues can be resolved from start to finish with no manual labor at all. "In the other cases, our systems perform enough investigation that an engineer can simply review the findings and decide what action to take," he says.

Another network engineer of a major ISP (who wanted to remain anonymous) agrees: automation, creativity, and funding are the keys. Many ISPs are taking an automated "walled garden" approach to the problem, using netflow (a cisco app that runs on the CMTS/routers) or similar tools to monitor the source, destination, protocol and other traffic specifics, looking for abnormally high numbers of ICMP flows or other traffic indicative of malware infected hosts.

When a particular machine sets off the triggers, ISPs send out automated alerts to their provisioning department to suspend the account and the modem. The impacted user can then only view pages set by the ISP; this can be anything from instructions on how to clean their system, to security update websites or web-based antivirus applications.

This keeps the infected machine off the Internet, but also eases the strain on an ISPs support department by trying to guide the user through cleaning up their own system before calling support. Insiders tell us these systems have their own technical flaws; but they also state that customers fail to read and follow the warnings and instructions.

Microsoft recently stated that of the 270 million users who used their free scanning software from January 2005 through March 2006, 3.5 million were found to have been infected by a Trojan - and were currently being used to either spam, or as host for a phishing scam. Security firm Sophos reports that among the 1,538 new threats discovered in May, 85.1% were Trojan horses.

A common thread among the ISP security professionals we spoke to is that many ISP executives treat network security like the black-sheep of the family; spending little on abuse solution development, and leaving them consistently understaffed. Criminals aren't waiting for these executives to wake up.