In the next few months, ISPs in the United States will begin receiving reports on the zombies, or PCs open to control by hackers, that lurk on their networks. The data will be sent out by the Federal Trade Commission, which said in May that zombies have become such a serious problem that more industry action is required.
Analysts said that if service providers resist the call and take a hands-off approach, people could lose their trust in online activity -- and the consequences of that could be severe.
"The Internet would eventually grind to a halt," said Paul Stamp, an analyst with Forrester Research.
Given the growth of zombie-fed threats such as phishing, ISPs can no longer afford to leave the task of securing users' PCs to the consumers themselves, critics say. But taking more responsibility to protect Internet traffic would mean monitoring activity on their networks more closely -- a move that has implications for customer privacy and for their bottom line.
The FTC has called on ISPs to identify zombies on their networks, quarantine those hijacked PCs and help customers clean them. Consumers and Microsoft are also urging service providers to act.
Zombies are put to work to relay marketing spam and to send messages used in phishing scams, which attempt to steal sensitive personal data, for example. They have also been used to host the faked Web sites in phishing scams or to mount denial-of-service attacks against online businesses targeted by extortion schemes. In addition, they're used to compromise more PCs, which are added to the networks of zombies, called "botnets."
Incidents involving the malicious code that turns PCs into zombies, also known as "bot" code, reached 13,000 from April through June, according to a recent report from McAfee. That's quadruple the number tracked by the antivirus software maker in the previous three months.
Some, including America Online, EarthLink and Cox, offer free desktop security software suites that include antivirus, firewall and sometimes anti-spyware software. These additional shields offer protection against infestation by other means than just e-mail.
Several ISPs have also taken measures to prevent zombie PCs connected to their network from sending out junk mail. A technique called "port 25 blocking" allows a provider to make sure that members' computers only send out e-mail that originates from its own server and not from a spammer's server. In addition, most service providers use techniques such as rate limiting, which control the number of e-mail messages that a member can send.
But those measures are not enough, some experts say. To take down zombies, ISPs should monitor their networks closer for traffic generated by the compromised PCs, said Dmitri Alperovitch, research engineer at CipherTrust, a security vendor in Alpharetta, Ga.
Additionally, service providers should improve customer education and could also force people to scan their PC for known vulnerabilities before going online, Alperovitch said. This could help prevent so-called drive-by installs, which deposit bot code on a PC when the owner uses an unpatched browser to visit a malicious Web site.
Others have suggested that companies cut off Internet connections for customers who don't carry out preventive measures.
1%
2%
