A start for Internet companies would be for them to participate more actively in security groups and to use data on zombies collected by third-party security companies such as CipherTrust, he said.
A few ISPs are open about their efforts -- Cox and EarthLink, for example. Others hold their security cards close to their chest, so as not to tip off the bad guys. Comcast, one of the largest broadband providers in the United States, is an example of that.
While some customers can just be handed a cable modem and will just take off, other less tech-savvy people need guidance from their provider, he noted. "There are more and more people getting online that don't have a technical background. If you are going to be a successful ISP, you have to hold the customer's hand a bit," Tarothers said.
Cutting off channels
Cox actively monitors its network for potentially malicious activity. It also defuses known zombies by cutting off remote control channels, Tarothers said. Zombies listen for instructions from their masters on Internet Relay Chat channels. Cox blocks traffic to the IRC servers used by zombies, which are rarely major IRC networks and are often run on another compromised machine, Tarothers said.
When a zombie is detected, Cox takes the affected PC offline. Instead of being allowed on the Web, the customer is directed to a special Web page with information on security, he said.
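As an added illustration (not Cox's tooling and not code from the article), the sketch below walks the detect, block and quarantine steps described above over a constructed flow log. The log format, subscriber IDs, controller feed and function names are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed feed of botnet-controller IRC endpoints (documentation address
# ranges), standing in for zombie data supplied by a third-party security company.
C2_FEED = {("203.0.113.45", 6667), ("198.51.100.23", 7000)}

# Constructed flow log (assumed format): timestamp subscriber src_ip dst_ip dst_port
FLOW_LOG = """\
2000-01-01T10:00:02 sub-1001 192.0.2.10 203.0.113.45 6667
2000-01-01T10:00:05 sub-1002 192.0.2.11 198.51.100.200 6667
2000-01-01T10:01:10 sub-1001 192.0.2.10 203.0.113.45 6667
2000-01-01T10:02:00 sub-1003 192.0.2.12 198.51.100.23 7000
2000-01-01T10:02:30 sub-1003 192.0.2.12 198.51.100.23 80
malformed line
"""

def parse_flows(text):
    """Yield (subscriber, dst_ip, dst_port) for well-formed lines; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, sub, _src, dst, port = parts
        try:
            yield sub, str(ip_address(dst)), int(port)
        except ValueError:
            continue  # bad address or port: ignore rather than guess

def find_zombies(flow_text, c2_feed, min_hits=1):
    """Count flows per subscriber to listed controllers only.

    Matching on the exact (ip, port) pair leaves ordinary IRC use alone:
    sub-1002 talks to port 6667 on a server that is not in the feed.
    """
    hits = defaultdict(int)
    for sub, dst, port in parse_flows(flow_text):
        if (dst, port) in c2_feed:
            hits[sub] += 1
    return {sub: n for sub, n in hits.items() if n >= min_hits}

def plan_actions(flow_text, c2_feed):
    """Return the two responses: cut the control channel, quarantine the PC."""
    return {
        "drop_to": sorted(c2_feed),  # endpoints to block at the network edge
        "walled_garden": sorted(find_zombies(flow_text, c2_feed)),  # redirect to security page
    }
```

Raising `min_hits` trades detection speed for fewer false quarantines when the controller feed is noisy.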
The attacks will get more sophisticated, Tarothers said. "It is an arms race. We come up with new proactive measures, and the Trojan makers come up with something new," he said. Tarothers said he expects more zombies will start listening for commands from their masters on peer-to-peer networks, which will preempt Cox's current defense.
Tarothers said he is not worried about privacy concerns that closer monitoring of traffic might bring. "Far more of our customers are happy to see us take an active role than are paranoid about us looking at their traffic," he said.
EarthLink also monitors for potentially abusive patterns of traffic coming in and going out of its network, said Tripp Cox, the Atlanta-based ISP's chief technology officer. Suspected activity is investigated, and customers are contacted if EarthLink believes their PC has been turned into a zombie. "We routinely investigate, disable and shut down accounts. It is a daily activity," he said.
In the future, consumers will demand a safe Internet service, and if an ISP doesn't measure up on security, members will flee to a rival provider, Forrester analyst Stamp said. "Customers will absolutely demand a clean pipe," he said.
The technology is out there for Internet companies to be able to identify zombies and botnets, Stamp added. The will of the market just has to catch up to the technology that is available.
Ultimately, if an ISP's network becomes infested with zombies, other providers will block traffic from that network, Stamp predicted. "If you don't secure your own network, then others won't connect to you," he said. In one recent case, British ISP Telewest blacklisted more than 900,000 of its customers because their systems had been compromised by spammers.
Service providers could even make a business out of helping consumers, said Russ Cooper, a senior scientist at security company Cybertrust. "Consumers that have bots and are sending out spam should be isolated and should be charged by their ISP for being saved," Cooper said.
The detection of zombies is the easiest remedy open to ISPs, and it could be touted as a competitive feature by providers, Gartner analyst John Pescatore said. "They can do more of detecting when a PC is infected and then notify the customer," he said.
Pescatore sounded a note of caution about just how much Internet companies could be expected to do, given the sophistication and seriousness of the problem. "To say that ISPs could prevent botnets from being installed would be a stretch," he said.
Even so, preventative measures such as customer education could help service providers mitigate the problem. Many of their helpdesk calls today already deal with zombie code and other malicious software that land on PCs while customers traverse the Web. In fact, ISPs should be to home users what IT departments are to office workers, said Dave Rand, chief technologist for Internet content security at Trend Micro.
While customers can be urged and even compelled under threat of disconnection to keep their computers clean, the pressure is really on the ISPs themselves to act. The call for service providers to take more responsibility for tackling the threat is coming through loud and clear -- from the government and the Internet community alike. Trend Micro's Rand, for example, said that with the number of zombies continuing to increase, ISPs have to take a more active role. "A hands-off approach has proven not to work," he said.









