Alerting users that their PCs are compromised

A great deal of spam is sent by "botnets". These are (typically) Windows PCs that have been compromised in some manner, and are now illicitly controlled by a third party. This third party uses the network of thousands of PCs that they have compromised to:

  1. Send spam
  2. Host phishing sites
  3. Carry out denial of service attacks

There are many DNS-based blocklists (DNSBLs), operated by numerous groups, that aim to list the IP addresses of systems that have been compromised in this way. A mail server can be configured to query these DNSBLs for the address of each connecting client and reject messages that arrive from a listed, and therefore probably compromised, system.

The problem with this approach is that it's invisible to the owner of the compromised system. They might notice that it's running a little more slowly, or that their network connection doesn't seem as fast as it was, but they're not going to know why, because there's no easy mechanism to alert them.

In a perfect world, Internet Service Providers would monitor these DNSBLs, notice when IP addresses of their customers appear on them, and terminate (or provide limited) service to that customer, along with appropriate assistance to help them clean their system.

In practice this rarely happens.

It occurred to me that one way to make the fact that their PC has been compromised more visible to end users would be by enlisting the help of companies that host or provide online game environments.

For example, consider Second Life, Eve, or World of Warcraft. All huge, multi-player games/environments, to which millions of people connect every day.

If the companies that host these environments were to check the IP addresses of connecting systems against these DNSBLs, they could warn the player at login that it's highly likely that their PC has been compromised, and that they should make sure their anti-virus is up to date, and so on.

Further, suppose you've got a PC and an Xbox or Nintendo Wii at home[1]. Both of those game systems support online play. And through a networking quirk that I don't need to go into here (NAT, which lets every device on a home network share the single public address the ISP assigns), it's highly likely that the PC and the games console(s) are going to appear online with the same IP address.

So if the PC's address appears on a DNSBL, the Wii or Xbox is going to be seen coming from that same listed address too. This provides an opportunity for Microsoft and Nintendo to check the IP address and, again, place a warning in the "dashboard" (Xbox dashboard, Nintendo Wi-Fi Connection) that their systems display to the user as they go online.
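The login-time check described above, and the NAT caveat that a listing belongs to the shared address rather than to any one device, as an added example that is not part of the original post. It assumes two placeholder DNSBL zone names under the reserved .invalid TLD (substitute the real zones you are permitted to query) and uses a constructed in-memory resolver so it runs offline; the `resolve_a` function shows the real lookup. The only things it relies on from real DNSBL practice are the reversed-octet query form and the convention that a listing is signalled by an A record in 127.0.0.0/8, whose exact meaning is zone-specific.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Placeholder zone names (assumption for this example; real zones differ).
EXAMPLE_ZONES = ["zen.example-dnsbl.invalid", "pbl.example-dnsbl.invalid"]

# Constructed answers standing in for real DNS: one listing for 1.2.3.4 in
# the first zone, and a bogus non-127/8 answer for 5.6.7.8 in the second
# (what a parked or expired zone might return).
FAKE_ANSWERS = {
    "4.3.2.1.zen.example-dnsbl.invalid": "127.0.0.2",
    "8.7.6.5.pbl.example-dnsbl.invalid": "10.0.0.1",
}


def fake_resolve(name: str) -> Optional[str]:
    """Offline stand-in for an A lookup against the constructed table."""
    return FAKE_ANSWERS.get(name)


def resolve_a(name: str) -> Optional[str]:
    """Real A lookup; NXDOMAIN (not listed) comes back as None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_checkable(ip: str) -> bool:
    """Only public addresses are worth querying; private, loopback and
    similar ranges can never be meaningfully listed and must not be sent
    to a DNSBL (unparsable input is also treated as not checkable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.version == 4 and addr.is_global


def check_client_ip(ip: str, zones, resolve: Callable[[str], Optional[str]] = resolve_a) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the address.
    Answers outside 127.0.0.0/8 are ignored as malformed rather than
    treated as a listing."""
    listed: Dict[str, str] = {}
    if not is_checkable(ip):
        return listed
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            continue
        try:
            if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
                listed[zone] = answer
        except ValueError:
            continue
    return listed


def login_warning(ip: str, zones, resolve: Callable[[str], Optional[str]] = resolve_a) -> Optional[str]:
    """Text to show in the game client or console dashboard, or None.
    The wording is deliberately about the connection, not 'your PC':
    behind NAT the listed address is shared by every device in the house."""
    hits = check_client_ip(ip, zones, resolve)
    if not hits:
        return None
    return (
        "The address your connection is using (%s) is listed on %d blocklist(s) "
        "as a source of spam or malware. A computer on your network may be "
        "compromised; check its anti-virus is up to date and fully scan it."
        % (ip, len(hits))
    )


if __name__ == "__main__":
    for client in ["1.2.3.4", "5.6.7.8", "192.168.1.10"]:
        print(client, "->", login_warning(client, EXAMPLE_ZONES, fake_resolve))
```

With the real `resolve_a` the check costs one DNS query per zone per login, so cache results per address for a few minutes and treat resolver timeouts as "not listed" rather than blocking the login path.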

This could significantly raise the awareness of owners/operators of compromised PCs.

[1] Guess what I got for Christmas :-)
