Viruses and Malware - The Scourge of the New Generation
Of great concern to many, I'm sure, is the subject of viruses and malware. A huge percentage (estimates of 80% or more) of all email is now spam, the majority of which is sent from zombie machines or botnets that have been infected with trojans unbeknownst to their owners. One scary quote: "It has been estimated that up to one quarter of all personal computers connected to the internet are part of a botnet." Of course it's not just the generation of spam; the malware can also harvest personal data and email addresses, install key loggers and other software, but the spam is the thing that people notice the most. A single infected machine can churn out tens of thousands of emails a day, often more, but because the actual volume of email traffic is relatively low (maybe 50-100MB per day in some cases) it can often go unnoticed.
The virus writers are in it for the money and so don't want their viruses detected easily. They'll often use known vulnerabilities to spread and infect unpatched machines, and try to disable anti-virus software or make updating the definitions difficult. So unlike viruses like Kakworm, with its "Kagou-Anti-Kro$oft says not today!" message on the first of the month, or Blaster causing constant reboots, there will be little sign to someone that their machine is infected. Noticing things like the data lights on the router flashing when the connection shouldn't be in use, or unusual increases in usage such as in our View My Broadband Usage tool on the portal, are often the only signs of an infection. The spammers send out spam with random From addresses, so any bounces generally won't end up going back to the person whose machine is infected. This factor is useful, as we'll see, when trying to identify a customer that may have a virus infection. The combined power of these botnets can be huge and a cause for concern for just about everyone that uses the Internet.
Microsoft operating systems have traditionally been the largest target, which makes sense when Windows accounts for over 90% of the world's computers, but other software is also targeted, such as PHP-scripted web applications like phpBB. Everyone therefore should be wary and at the very least keep up to date with all the latest patches for any software they use, and install and maintain anti-virus software. Most routers have built-in firewalls, and we also offer a broadband firewall, but it's always sensible to use a software firewall as well, as that has the advantage of being able to block outbound traffic as well as inbound.
What, though, can we do as an ISP? Well, there are a number of things. Some trojans use a built-in mail server to send the spam out, so it gets sent direct to the recipients' mail servers. Recently some ISPs have been changing the setup of their mail servers so that they don't accept mail direct from a "dial-up or dynamic IP address", i.e. the mail will be rejected if it comes direct from someone on a broadband or dial-up connection, but would be (or is more likely to be) accepted if sent via their ISP's SMTP server. To combat this, some virus writers have set their trojans up to inspect the SMTP settings on the infected machine and use the configured ISP relay to send mail. As mentioned in this post from Bob, one of the things we have been doing recently is to look at the amount of mail being sent via our SMTP servers and contact the customers sending the most emails. This has had a very positive result, with most appreciating the call and not realising the amount of mail being sent. Consequently this has caused a drop in the amount of mail being processed by our relay servers, which has sped up delivery and also cut out a chunk of spam (which isn't going to be huge in the big scheme of things, but if we can set an example I'm sure others will follow).
Another good thing is that if we can cut down on the amount of spam leaving our network it's less likely that our mail servers will get blacklisted. Another thing we've been trialling recently is to use our traffic management systems to run reports on customers we think may have a virus. We've been analysing the usage of customers we know have definitely had a virus to spot usage patterns and amounts, and then comparing this against other customers to try and get a match. What may surprise some people is that virus traffic doesn't always use all that much bandwidth; when looking at the patterns, what showed up the most was that there were regular amounts of upload across the day and night, and then across each day of the week or month. So for example, we may see one customer whose PC was on 24 hours a day, 7 days a week with an average of 50MB uploaded in each of the night (midnight to 8am), day (8am to 4pm) and evening (4pm to midnight) periods. The exact figures vary day to day, but you can see an approximation and see a pattern form. Another customer may just be online during the evening, but again there would be the regular pattern of email upload data, and when you split it down per hour it is generally fairly evenly spread. You can often see the point of infection because the amount of email traffic increases from maybe a regular couple of megabytes or less per day to perhaps 50-150MB. It is sometimes difficult making a decision as to which customers are actually sending legitimate large quantities of email, or just large emails. One way is to look at the pattern across a week: for a business customer, for example, you'd be more likely to expect a higher amount of email during the day period, perhaps more on a Monday catching up after the weekend, or you may expect to see similar patterns in the download email figures for email they've received.
A person sending large emails such as pictures to family and friends is also more likely to be irregular; it may always be in the evening, but if we look at an hour-by-hour breakdown it probably won't be spread evenly across the hours, with more peaks and troughs or short spikes than an even spread. It's not quite a "finger in the air" guess, but more a case of using logic to determine the customers most likely to be infected and making educated guesses based on the patterns. As we do more exercises like this we will get better at determining which customers may be infected and better at spotting the patterns, and thus pick up more customers with viruses. The more proactive we can be at doing this the better it is for everyone. Our initial exercise comprised contacting 10 customers by sending them a ticket. We discussed the exact message in our discussion forums to try and get it right and provide the right amount and level of information for someone to be able to clean up their PC, as well as pointing them in the right direction to get help and asking for feedback should the mail volumes be legitimate. Half of the customers got back to us within about 48 hours to say they would look into it or that they had already looked into it. We gave the customers a week and then rechecked the usage over the following 5 days; all bar one are showing a significantly lower amount of email uploads (the last one looks like legitimate mail). The intention is thus to analyse the data for a further batch of customers and see if we see similar success rates, and from there do this on a regular basis with a view to automating the process if possible. These aren't the only things we can do to mitigate viruses. Whilst email is still the biggest way that viruses propagate, there are other ways. There are worms that use certain ports, there are file downloads, instant messenger viruses and plenty of others.
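To make the heuristics in the two paragraphs above concrete, here is an added example in Python of how hourly upload figures can be scored for "machine-like" sending. It is not Plusnet's traffic management reporting; the four customer records are constructed, and the thresholds (20MB per day, at least six active hours, an evenness cut-off, a 10x jump to mark the point of infection) are assumptions chosen to match the patterns the post describes.

```python
"""Spot customers whose upload pattern looks like a spam trojan rather than a person.

Added example, not an ISP's real tooling.  Each customer is a list of days, and each
day is a list of 24 hourly upload totals in MB.  All records below are constructed.
"""
from statistics import mean, median, pstdev

PERIODS = {"night": range(0, 8), "day": range(8, 16), "evening": range(16, 24)}
ACTIVE_MB = 0.2         # assumed: an hour below this is treated as idle
SPAM_DAY_MB = 20.0      # assumed: a trojan pushes tens of MB of mail a day
MAX_CV = 0.5            # assumed: an even spread means a low coefficient of variation
MIN_ACTIVE_HOURS = 6    # assumed: spread over many hours, not one spike
MIN_SPAM_DAYS = 5       # assumed: regular across the week (5 of the last 7 days)
ONSET_FACTOR = 10.0     # assumed: point of infection = 10x jump over the prior median


def period_totals(day):
    """Split one day's hourly figures into the night/day/evening totals used in the post."""
    return {name: round(sum(day[h] for h in hrs), 1) for name, hrs in PERIODS.items()}


def coefficient_of_variation(values):
    """stdev/mean of the active hours: near 0 for a steady drip, high for short spikes."""
    if len(values) < 2:
        return float("inf")
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def day_looks_like_spam(day):
    """Enough volume, spread fairly evenly over at least MIN_ACTIVE_HOURS hours."""
    active = [mb for mb in day if mb >= ACTIVE_MB]
    return (sum(day) >= SPAM_DAY_MB
            and len(active) >= MIN_ACTIVE_HOURS
            and coefficient_of_variation(active) <= MAX_CV)


def infection_onset(days):
    """Index of the first day whose total jumps ONSET_FACTOR x over the median of the
    preceding days (needs three days of baseline); None if no such step is seen."""
    totals = [sum(d) for d in days]
    for i in range(3, len(totals)):
        baseline = median(totals[:i])
        if baseline > 0 and totals[i] >= ONSET_FACTOR * baseline:
            return i
    return None


def assess(days):
    """Verdict for one customer: flagged only if the pattern repeats across the week."""
    spam_days = sum(day_looks_like_spam(d) for d in days[-7:])
    return {"spam_like_days": spam_days,
            "flag": spam_days >= MIN_SPAM_DAYS,
            "onset_day": infection_onset(days),
            "last_day_periods": period_totals(days[-1])}


# --- constructed sample data -------------------------------------------------
def steady(rate_mb, hours=range(24)):
    """Machine-like drip: rate_mb every hour in `hours`, with a +/-15% deterministic wobble."""
    return [rate_mb * (1 + 0.15 * ((h * 7) % 5 - 2) / 2) if h in hours else 0.0
            for h in range(24)]


def office_day(scale=1.0):
    """Bursty human office mail between 9am and 5pm, nothing overnight."""
    day = [0.0] * 24
    for h, mb in zip(range(9, 17), (3, 8, 2, 1, 6, 2, 9, 1)):
        day[h] = mb * scale
    return day


def photo_evening(spike_mb):
    """One big upload of holiday pictures at 8pm."""
    day = [0.0] * 24
    day[20] = spike_mb
    return day


INFECTED_24X7 = [steady(6.25) for _ in range(7)]                 # ~50MB per period
INFECTED_EVENINGS = [steady(4.0, range(17, 24)) for _ in range(7)]
HOME_PHOTOS = [photo_evening(35.0) if d in (0, 3, 6) else [0.0] * 24 for d in range(7)]
BUSINESS = [office_day(1.5)] + [office_day() for _ in range(4)] + [[0.0] * 24] * 2
NEW_INFECTION = [steady(0.05) for _ in range(5)] + [steady(2.5) for _ in range(7)]

if __name__ == "__main__":
    for name in ("INFECTED_24X7", "INFECTED_EVENINGS", "HOME_PHOTOS", "BUSINESS", "NEW_INFECTION"):
        print(name, assess(globals()[name]))
```

The business customer moves more than 30MB a day over eight hours but is not flagged because the hour-by-hour figures are peaky, and the photo sender is not flagged because a 35MB day with a single active hour fails the "many hours" test; only the steady, repeated drip is reported, and for the newly infected record the step change pins the onset to the sixth day.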
Whilst tracking everything would be a very difficult job, we keep a look out for major outbreaks and can if necessary develop signatures for our traffic management systems to look for certain types of activity. With the Windows firewall being switched on by default and more people using routers with built-in firewalls, worms like Blaster are less likely to cause as many problems as in the past, but if there are vulnerabilities out there then there's always a possibility of someone taking advantage of them, and we can work to identify and block it. It's generally considered to be a battle, a game of one-upmanship between the virus writers and spammers and everyone else. If we can do our bit to fight back and help clean up our little part of the Internet, using all of the tools we have at our disposal such as our traffic management systems and usage reports, then maybe we can start to win the battle. For anyone concerned that they may have a virus, you can run a free online virus scan at Trend Micro. The free version of AVG anti-virus is available here and this page may also be useful. And of course there's always our discussion forums.
Dave Tomlinson