Tuesday, 4 October 2011
In the lab we download a lot of malware, including the exploits that are often used to install them. We do this using standard consumer ADSL internet connections to reduce the chances of detection by the malware authors and distributors.
Last summer we had just completed a test that involved visiting at least 100 infected websites and allowing them to infect systems. We performed each task at least 12 times, so we potentially downloaded 12,000 threats in one month.
Towards the end of July we received the following (edited) email from our ISP:
We have received notification that your IP (xxx.xxx.xxx.xxx) appears to have been compromised.
The IP has likely been infected with a kind of 'virus' known as a rootkit.
It was interesting to see the attached log file, which recorded the ports and hosts used by the Torpig botnet rootkit (aka Sinowal, Anserin). While I think it's great that some ISPs are taking the trouble to monitor and report malware infections to users, I'm amazed that in the 12 months of using this service (and using it the way that we do!) we've received just one alert.
Related US news: Infosecurity magazine reports that the US Departments of Homeland Security and Commerce are requesting comments on a voluntary programme whereby ISPs would notify users of botnet infections.