Comcast has announced that it is trialing a new service that alerts users when their computers are infected. You can read about it here: http://news.cnet.com/8301-27080_3-10370996-245.html. Essentially, when Comcast notices traffic that looks like bot-related traffic, it will pop up a message on the subscriber’s computer that indicates there is a problem and suggests steps to help clean up the computer.
I believe this is an exploratory step toward what we call the “walled garden”. In the “walled garden” scenario, a user’s computer is not allowed out on the internet until the infection has been cleaned up. The walled garden approach is perhaps somewhat draconian, but it does have merit. The problem is that false positives will be exceptionally annoying and troublesome for consumers and ISPs alike. The pop-up notice approach will allow Comcast to fine-tune the detection mechanisms.
I applaud Comcast for this trial, but I wish Comcast took user account security seriously. What do I mean? If you use POP3 with a Comcast email account, the way they have you set up your account means that your username and password are transmitted in plain text. This is an egregious security problem, and it is hard to believe that Comcast might get their pop-ups right when they appear to be so callous about user account credentials.
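As an added example (not from the original post, and not Comcast's code), the Python below audits a mail client's POP3 session log for the condition described above: USER/PASS or AUTH PLAIN/LOGIN sent before TLS is active. The `(direction, line)` transcript format, the name `audit_pop3_session` and all sample sessions are assumptions constructed for illustration.

```python
# Added example: audit a POP3 session log for credentials sent outside TLS.
# The transcript format and every sample value below are constructed.

CLEARTEXT_AUTH_MECHS = {"PLAIN", "LOGIN"}  # base64-encoded, not encrypted


def audit_pop3_session(transcript, implicit_tls=False):
    """Return [(index, command)] for credential commands sent outside TLS.

    implicit_tls=True models POP3S (port 995), where TLS wraps the session.
    Command arguments are never returned, so findings are safe to log.
    """
    tls_active = implicit_tls
    stls_pending = False
    findings = []
    for index, (direction, line) in enumerate(transcript):
        words = line.split()
        if not words:
            continue
        if direction == "S":
            # Only a +OK reply to STLS (RFC 2595) means TLS will start.
            if stls_pending:
                tls_active = tls_active or words[0] == "+OK"
                stls_pending = False
            continue
        verb = words[0].upper()
        if verb == "STLS":
            stls_pending = True
        elif tls_active:
            continue
        elif verb in ("USER", "PASS"):
            findings.append((index, verb))
        elif (verb == "AUTH" and len(words) > 1
              and words[1].upper() in CLEARTEXT_AUTH_MECHS):
            findings.append((index, "AUTH " + words[1].upper()))
    return findings


PLAIN_SESSION = [("S", "+OK ready"), ("C", "USER alice"), ("S", "+OK"),
                 ("C", "PASS example-password"), ("S", "+OK logged in")]
STLS_SESSION = [("S", "+OK ready"), ("C", "STLS"), ("S", "+OK begin TLS"),
                ("C", "USER alice"), ("S", "+OK"),
                ("C", "PASS example-password"), ("S", "+OK logged in")]
# Failure mode: the server refuses STLS and the client logs in anyway.
REFUSED_SESSION = [("S", "+OK ready"), ("C", "STLS"), ("S", "-ERR unsupported"),
                   ("C", "USER alice"), ("S", "+OK"), ("C", "PASS example-password")]

if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION), ("stls", STLS_SESSION),
                          ("refused", REFUSED_SESSION)]:
        print(name, audit_pop3_session(session))
```

The refused-STLS session is the case worth checking in a client's configuration: a client that treats TLS as optional falls back to sending the same credentials in the clear.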
In the security community, we are expecting to see the bad guys start spoofing ISP virus warnings if the practice becomes widespread enough. The measure of how significant the problem becomes will be the count of computers cleaned up by the notifications versus the number of users social-engineered by the notifications.
For the time being, Comcast is on the right path, but appears to lack the security awareness to pull this maneuver off properly.
Director of Technical Education
Author ESET Research, ESET