[Dshield] Interesting Zombie Data Graphs

Mark
Fri Nov 11 13:18:26 GMT 2005

Sorry I've been asleep at the list for a while...;)

I'm a Comcast subscriber, yes it is quite dirty.

Comcast makes available to their subscribers the
McAfee Suite - free of charge. Now people have to
install it.

I spent a good 4 hours last weekend cleaning a
neighbor's PC - Millennium (ewww) from several bots and
trojans. The poor thing was so heavily infected that
it wouldn't boot anymore. In typical "consumer"
fashion, she was ready to throw it out and buy a new
one. Heck, my first answer was to send her to the Geek
Squad at BestBuy and let them handle it, but my
curiosity got the better of me.

Using Helix, I brought the system up, mounted the
hard drive (ro) and scanned the drive with ClamAV. Yup
- pretty bad. I asked "do you have anything you want
saved?" - "no" was her answer.


I then installed a license for XP SP2 that she had
purchased but never installed. Told her to go onto
Comcast's site when she got home and immediately
install the free McAfee s/w that they are providing.

Is Comcast the problem? Maybe partially - the user
base is largely uneducated about the security problem
and will not realize there is a problem until their PC
is no longer usable.

In the US, an ISP can only perform "limited
monitoring" with the staff they have. If they go
further, they must staff to fix the problem.

I think it is perfectly reasonable to have the ISPs
take the approach of partitioning users to a
"quarantine" site (they can do this with IP
addressing) that informs the user via web page that
their system has been violating their Terms of
Service. The web page should provide information
regarding the reason for quarantine, the logs
requisite to making that decision and information (go
to the Geek Squad or similar) to help the user repair
their PC. Upon repair, the End User should be directed
to visit another web site to sign a statement
(digitally) that they've repaired said machine and
installed proper measures to prevent re-infection.

Here's where it will fail: (small sample)

Additional staffing from Comcast. Folks, they are
concerned about revenue and expense models. They need
to automate as much of this as possible. Having a web
page handle the "inform", "enforcement" and
"re-authorization" is the only way this will scale.

Too difficult for the end user. Again, what happened,
what to do, how to get back on. Signing up discounted
agreements (volume) with folks like the Geek Squad
(never used them - just falling to their marketing) to
remediate problem machines. People need to be led.

Should we boycott Comcast? They are the only option I
have. I'm beyond spec for DSL (I've been haunting my
local carrier) and dial-up just doesn't cut it for my
needs. For many, they are the only horse in town.

Should Comcast get serious? Yes. Are they? I think
they are trying. It is a good start for them to have
signed a licensing agreement with McAfee. Don't worry,
McAfee benefits. Read your EULA when you install. The
default config for McAfee is to have it "phone home"
and upload threat data seen by your system (similar
to DSHIELD). You can disable it, if you know what you
are looking for. I've been to their website that
attempts to recreate DSHIELD and ISC's info. Doesn't
work most of the time (makes you think if the s/w

Should Comcast do more? Yes. They should closely
monitor the uptake on McAfee licenses (btw, the
license expires when you stop subscribing to Comcast)
and compare that to their IDS logs (yes they are
running IDS - they just don't know what to do with

Last thought, (I do not work for Comcast, but know
people who do) - many Comcast regions are run
independently of Comcast corporate. This is a result
of their acquisition strategy (buying up local
carriers). Comcast has failed to integrate all the
carriers in a unified model. Until Comcast can do
this, the decentralized IT infrastructure will yield
varying results.

Just some thoughts before my morning coffee.
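Added example (not part of Mark's post, and not anything Comcast runs): a Python sketch of the quarantine flow described above. The "IP addressing" step is rendered as ipset/iptables commands that walled-garden an offending subscriber to a portal host, the "inform" step is the list of IDS signatures that tripped the threshold, and the "re-authorization" step is an HMAC token the portal would hand out when the user signs the repaired statement. The alert log format, the 203.0.113.0/24 subscriber pool, the 192.0.2.10 portal address, the threshold of 3 alerts, the shared secret and the sample alert lines are all constructed for the example; the commands are returned as strings and never executed.

```python
"""Walled-garden quarantine sketch: IDS alerts -> threshold -> ipset/iptables
rules -> HMAC-checked release. Added illustration, not code from the post.
Every threshold, address range, log format and secret below is assumed."""
import hashlib
import hmac
import ipaddress
from collections import Counter

PORTAL_IP = "192.0.2.10"                                   # assumed portal (TEST-NET-1)
SUBSCRIBER_RANGE = ipaddress.ip_network("203.0.113.0/24")  # assumed customer pool
THRESHOLD = 3                                              # assumed policy: alerts before quarantine
RELEASE_SECRET = b"example-portal-secret"                  # assumed; keep in a vault in practice

# Constructed sample alerts: "<epoch> <src> <dst> <dport> <signature text>"
SAMPLE_ALERTS = """\
1131700000 203.0.113.5 198.51.100.20 445 NETBIOS SMB scan
1131700010 203.0.113.5 198.51.100.21 445 NETBIOS SMB scan
1131700020 203.0.113.5 198.51.100.22 445 NETBIOS SMB scan
1131700030 203.0.113.5 198.51.100.23 445 NETBIOS SMB scan
1131700040 203.0.113.9 198.51.100.24 25 SMTP outbound from dynamic range
1131700050 203.0.113.9 198.51.100.25 25 SMTP outbound from dynamic range
1131700060 203.0.113.77 198.51.100.30 6667 IRC bot C&C join
1131700070 203.0.113.77 198.51.100.30 6667 IRC bot C&C join
1131700080 203.0.113.77 198.51.100.31 6667 IRC bot C&C join
1131700090 198.51.100.99 203.0.113.5 135 DCERPC probe
1131700091 198.51.100.99 203.0.113.6 135 DCERPC probe
1131700092 198.51.100.99 203.0.113.7 135 DCERPC probe
this line is malformed and must be skipped
"""


def parse_alerts(text):
    """Yield (src_ip, signature) for well-formed lines whose source is a subscriber."""
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue                      # malformed line: skip rather than crash
        src, sig = parts[1], parts[4]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue
        if ip in SUBSCRIBER_RANGE:        # never quarantine addresses you do not own
            yield str(ip), sig


def offenders(text, threshold=THRESHOLD):
    """Map each subscriber at or over the threshold to its sorted distinct signatures.

    The signature list is the evidence the portal page would show the user."""
    counts, sigs = Counter(), {}
    for ip, sig in parse_alerts(text):
        counts[ip] += 1
        sigs.setdefault(ip, set()).add(sig)
    return {ip: sorted(sigs[ip]) for ip, n in counts.items() if n >= threshold}


def quarantine_rules(ips):
    """Render the ipset/iptables commands that walled-garden the given IPs.

    Strings only, for review; nothing here is executed."""
    rules = ["ipset create quarantine hash:ip -exist"]
    rules += [f"ipset add quarantine {ip} -exist"
              for ip in sorted(ips, key=ipaddress.ip_address)]
    rules += [
        # quarantined hosts may still reach the portal, and DNS so its name resolves
        f"iptables -A FORWARD -m set --match-set quarantine src -d {PORTAL_IP} -j ACCEPT",
        "iptables -A FORWARD -m set --match-set quarantine src -p udp --dport 53 -j ACCEPT",
        # their plain-HTTP traffic is rewritten to land on the portal page
        f"iptables -t nat -A PREROUTING -m set --match-set quarantine src "
        f"-p tcp --dport 80 -j DNAT --to-destination {PORTAL_IP}:80",
        # everything else from a quarantined host is dropped
        "iptables -A FORWARD -m set --match-set quarantine src -j DROP",
    ]
    return rules


def attestation_token(ip, secret=RELEASE_SECRET):
    """Token the portal issues once the subscriber signs the 'repaired' statement."""
    return hmac.new(secret, f"repaired:{ip}".encode(), hashlib.sha256).hexdigest()


def release_rules(ip, token, secret=RELEASE_SECRET):
    """Return the command lifting quarantine only if the token verifies for this IP."""
    expected = attestation_token(ip, secret)
    if not hmac.compare_digest(expected.encode(), str(token).encode()):
        return []                         # forged or mismatched token: stay quarantined
    return [f"ipset del quarantine {ip} -exist"]


if __name__ == "__main__":
    bad = offenders(SAMPLE_ALERTS)
    for ip, sigs in sorted(bad.items()):
        print(f"{ip}: {', '.join(sigs)}")
    print("\n".join(quarantine_rules(bad)))
```

The token is bound to the subscriber's IP, so a statement signed for one quarantined machine cannot be replayed to free another, and the constant-time comparison keeps the release check from leaking the expected value byte by byte.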



