Botnet cleanup efforts by German ISPs

I had an interesting discussion last week with Thorsten Kraft of the German ISP association, eco, on how German network providers cooperate to help reduce the number of their users’ PCs that are infected with malware. The UK Government has recently added this as an aim in our national Cyber Security Strategy so the German example may be particularly relevant.

Users who are likely to have a problem can often be identified just by looking at the log files of attacks against the ISP's own systems. For example, most PCs only make e-mail connections to the authentication host (SMTP AUTH) of their ISP's mail sending infrastructure and maybe one or two other organisations (such as universities) where users may have mailboxes. A PC that also makes e-mail connections to the ISP's mail receiving servers (the MX hosts) is very likely to be part of a botnet sending junk messages under the control of a spammer.
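As an added illustration of that heuristic (example code, not from the post or from eco), a small check that counts, per client address, connections to a submission host versus connections to the MX hosts, and flags the clients that talk directly to the MX side. The log format, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (simplified syslog style, not real data):
# "<receiving host> connect from <client ip> [auth=ok]"
SAMPLE_LOG = """\
submit.isp.example connect from 203.0.113.10 auth=ok
submit.isp.example connect from 203.0.113.10 auth=ok
mx1.isp.example connect from 203.0.113.77
mx2.isp.example connect from 203.0.113.77
mx1.isp.example connect from 203.0.113.77
submit.isp.example connect from 203.0.113.77 auth=ok
submit.isp.example connect from 203.0.113.55 auth=ok
mx1.isp.example connect from 203.0.113.55
"""

# Hypothetical host roles: where customers are expected to send mail
# (authenticated submission) versus where inbound mail from other sites
# arrives (MX). A home PC has no normal reason to connect to the latter.
SUBMISSION_HOSTS = {"submit.isp.example"}
MX_HOSTS = {"mx1.isp.example", "mx2.isp.example"}

LINE_RE = re.compile(r"^(?P<host>\S+) connect from (?P<ip>\d+\.\d+\.\d+\.\d+)")


def count_connections(log_text):
    """Return {client_ip: {"submission": n, "mx": n}} for the log text."""
    counts = defaultdict(lambda: {"submission": 0, "mx": 0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # ignore lines that are not connection records
        host, ip = match.group("host"), match.group("ip")
        if host in SUBMISSION_HOSTS:
            counts[ip]["submission"] += 1
        elif host in MX_HOSTS:
            counts[ip]["mx"] += 1
    return dict(counts)


def suspected_bots(log_text, min_mx_connections=2):
    """Client addresses that connect to the MX hosts at least
    min_mx_connections times. The threshold avoids flagging a single
    stray connection; customers who legitimately run their own mail
    server should additionally be kept on an allow-list."""
    return sorted(ip for ip, c in count_connections(log_text).items()
                  if c["mx"] >= min_mx_connections)
```

With the sample above only 203.0.113.77 is flagged at the default threshold; lowering it to 1 also catches 203.0.113.55, which is why a threshold and an allow-list belong in front of any customer notification.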

A commercial ISP that detects such a pattern in its logs faces a number of problems. If they notify the affected customer to warn them that the contents of their hard disk, and anything they type, are also likely to be accessible to whoever controls the malware, then they are likely to end up with a series of expensive helpdesk calls: a strong incentive not to report the problem when one call can cost more than the ISP's annual profit from that customer. German ISPs have also found that unsolicited contacts mentioning security problems are often misinterpreted as attempts to sell anti-virus or premium service packages, and ignored!

To address these problems, and help ISPs to help their customers, eco have established a central website that takes customers through the three steps of Informing them about botnets, Cleaning any current infection using a choice of free downloadable scanners, and Preventing future problems through a combination of technical settings and tools and user awareness. Customers who are informed of problems by their ISP can also call a central telephone hotline if they need help resolving them. As the number of infected customers decreases, ISPs benefit in terms of reputation and also financially from the reduction in traffic on their networks.

Results are impressive – the site has had seven hundred thousand visitors, about half of whom had been notified by their ISPs. The scanners seem to have dealt with the vast majority of the problems: there have been nearly a million downloads, with less than 1% of visitors calling the hotline for an average of 11 minutes each. The German government provided initial funding with the objective of getting Germany out of the top ten most infected countries on the Internet (according to Germany is the sixth largest country in terms of Internet users). While the service has been in operation Germany has in fact dropped from second to eighth in terms of infection, so is now better than average for percentage of infected users.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
