Network News

X My Profile
View More Activity

Comcast Trials Browser Alerts for Bot-Infected Customer PCs

Comcast, the nation's largest residential Internet service provider, this week began rolling out an initiative to contact customers whose PCs appear to be infected with malicious software, by notifying these users via Web browser alerts.

The Philadelphia-based cable Internet company has already been alerting bot-infected customers via phone for the past year, but a pilot program in Denver that began Thursday will inform affected users with a so-called "service notice," a semi-transparent banner that overlays a portion of whatever page is being displayed in the customer's Web browser.


Customers can then either move or close the alert, or click "Go to Anti-Virus Center," for recommended next-steps, which may include downloading and running the McAfee anti-virus tools the company offers for free, or purchasing a cleanup package and allowing a Comcast technician to attempt to remotely diagnose and fix the problem.

Jay Opperman, senior director of security and privacy at Comcast, said the company opted to move to Web-based alerts due to an overwhelmingly positive response from customers who were alerted about bot infestations via telephone. To identify problem customers, the company is relying mostly on reputation information gleaned by anti-spam groups like, which track the Internet addresses of systems seen sending spam or participating in prolonged malicious activity online.

"These bots not only send spam, but [most of them] also steal financial and credit card information, and people are put at significant risk when their personal information has been stolen," Opperman said.

Customers who receive the alerts but do nothing will be reminded again in seven days if Comcast detects that the user's PC is still infected, Opperman said.

Opperman declined to say how many alerts the company has issued -- either via phone or through this new system, but said the company will focus on working out any kinks in the system before scaling it up.

"We could be serving a lot more alerts, millions really," Opperman said. "In general, the data we get [shows that] anywhere between 10-15 percent of [an average ISP's customers] is with these bots at any one time. Because it's a new system and a new experience for customers, we're going to start up slow and then scale."

Comcast is using the Denver testbed to fine tune their response to customer feedback, but the program is very much on track for completely deploying the service across the company's residential network: Opperman said he expects the initiative, which the company has dubbed "Constant Guard," to be rolled out to all of Comcast's 15.3 million residential customers by the first quarter of next year.

Opperman said he believes the project is the first of its kind in the industry, and that Comcast studied multiple alternative approaches before settling on this one. Specifically, the company considered placing problem customers in so-called "walled gardens," which attempt to limit the customer to browsing a small number of sites designed to help them clean up a bot infection. Canada's Cogeco and Cox Communications both have experimented with the walled garden approach (see my interview with Cox's Matt Carothers on this topic from back in April 2007).

"We looked at those mechanisms, and they're very disruptive to other services, like VoIP [voice over Internet protocol, or Internet-based telephone calls]," he said. "We felt the service notice was the best way to inform customers and get them to contact us so we can help. without being disruptive."

The primary challenge to this program, aside from actually helping customers rid their PCs of bot infections and keep them clean, may come from the criminals themselves. One of the most persistent threats to Internet users today are rogue anti-virus programs that use fake security alerts to trick consumers into downloading malicious programs or at the very least paying for worthless software.

Opperman said Comcast is attempting to combat this potential scam by including a link in the banner alert that explains "How do I know this notice is from Comcast?" Among the answers they will list is that Comcast will be sending affected users an e-mail alert at their primary account at the same time as the browser alert is displayed.

By Brian Krebs  |  October 9, 2009; 3:51 PM ET
Categories:  From the Bunker , Safety Tips  | Tags: bot, comcast  
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Adobe Warns of Critical Threat to Reader, Acrobat Users
Next: E-Banking on a Locked Down (Non-Microsoft) PC


Will those running pop-up blockers or adBlock type programs have any problems seeing the banner?

My first instinct if such a thing popped up on my browser would be that it was malicious, so lots of publicity and bill inserts are probably a good thing. I'm not a Comcast customer but if it is successful, I'm sure other companies will consider using it as well. But, then again, if I faithful follow the security suggestions featured here -- well, it should be a moot point.

Posted by: Eremita1 | October 9, 2009 5:45 PM | Report abuse

@eremita - I don't think it's a pop-up, per se, despite what other news outlets have reported. some of the folks at comcast worked on a draft standard for the IETF that discusses the actual banner notice and how it is put together. i'll see if i can dig up the link

Posted by: BTKrebs | October 9, 2009 6:06 PM | Report abuse

It's evil of Comcast to parse and modify web pages on their way to you. Once the machinery is installed, mark my words, suddenly Comcast will start using it for commercial messages of all kinds. Better stick to the telephone, Comcast. Or send a letter.

Posted by: amturnip | October 9, 2009 6:43 PM | Report abuse

In any case, an unexpected banner that is also a link would (or should) raise red flags for the less experienced user. We advise people to avoid clicking on any link in email they're not absolutely sure is valid; and while this is quite a different thing, getting people into the habit of checking link destinations before clicking on them is hard enough. People who haven't learned these lessons are the very ones most likely to have malware-infected machines.

It would be better if the banner were not a link, but rather presented a URL in an easily copy-and-pasted form the user can verify. Unfortunately, that would probably deter many of the people who most need to use it.

Posted by: rhsimard | October 9, 2009 7:08 PM | Report abuse

So is Comcast going to wait for Spamhaus to report their own infected customers' IPs to them? It's not like you need extensive expertise to find them. Delay in taking action allows criminals to continue to profit.

Comcast should cut out the middle man by setting up spamtraps themselves, looking for emails sent from their own network. They should be running software that repeatedly checks the IP addresses of spamvertised domains/phishing sites known to be botnet hosted. And they should facilitate abuse reporting by independent investigators who come upon infected computers on Comcast's network while tracking phish, malware, spam, DDoS attacks, etc. (If they ever had a human respond instead of just an autoreply, they might get some useful information about how those investigators are finding their compromised customers in the first place.)

It's sad that the other ISP's aren't even doing this much.

Posted by: AlphaCentauri | October 9, 2009 8:24 PM | Report abuse

I am somewhat of a skeptic here. My experience has been that once a machine is infected, cleaning it can be a tricky and time-consuming process. Just downloading and installing McAfee might or might not work - viruses *actively* work to prevent antivirus software from properly functioning.

When I get called it to fix somebodys computer, I start with a BartPE boot CD to boot into a safe environment where the malware is not in control. From that environment, I can run anti-virus software to find and clean up various issues.

After this, I have sometimes had to manually repair various issues caused by malware. Including having to modify the registry.

Is the average home user up to this task? I really doubt it.

My own gut tells me that the "walled garden" approach is probably better, but I guess letting the customer know that they have a problem is a good first step.

Posted by: jackrussell252521 | October 11, 2009 12:24 PM | Report abuse

I believe that this is a good thing in the sense that they care about their customers and are telling them that they have a problem. If they have a spambot on their system, likely they also have a banking trojan on their system as well. That said, what happens if one does have a banking trojan which is more stealthy than a spam trojan? Likely Comcast is seeing those communications via its IDS/IPS, but is that group in communication with the group responsible for monitoring Spamhaus lists and the web notifications? Spamhaus data should be used to verify their IDS/IPS data, or in addition to the IDS/IPS data.

A BartPE liveCD is a good tool to use to clean a system, but a Linux liveCD solution like F-Secure's is better. Clean the system with a different vendor's AV, then use the BartPE liveCD to check to see if the system is really clean. Chances are that the installed AV software won't catch everything (after all the system got infected), and the Linux OS won't be vulnerable to Windows viruses coming in from the network, unlike the BartPE CD when networking is enabled.

Posted by: jbmoore61 | October 12, 2009 8:18 AM | Report abuse

Customers are not going to know if the alerts are real or fake. Anyone can put a message of "How do I know is Comcast?" and then tell just something credible to the user. Why can't thet contact the client with mail or email, or inside the payment account? I mean, Comcast is using the same methods that crackers use and again, it will be confusing for the general public.

Posted by: FaustoCG | October 12, 2009 10:07 AM | Report abuse

It's a good first step, but how long will it be before the botnet operators make changes to their software that prevent these warnings from being displayed? We already saw malware do this with bank statements.

Posted by: burnfromwithin | October 12, 2009 10:24 AM | Report abuse

I had a bad experience with a Linux-based liveCD for virus cleaning once. It corrupted the filesystem :-(. I guess the NTFS drivers still needed some more work. I was fortunate in the sense that I had made a total backup before starting, but it was a damned nuisance.

Another bit of experience I can share - *start* by cleaning the browser temp directories. Some systems are configured to store gigs worth of crap in there, and scanning these things can take many hours.

The other thing I can do from BartPE is mount the registry of the infected host, and examine it for malware. Things like services or drivers that don't belong, for example. For this type of thing, it is sometimes helpful to have a clean machine on the same OS version handy to use as a reference.

So I stick to BartPE. Now that being said, I have several different AV tools on that disc,

Posted by: jackrussell252521 | October 13, 2009 5:33 PM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company