SpyEye: A case for blocking all infected PCs from the Web?

Virgin Media announced earlier this month that the Serious Organised Crime Agency has identified around 1,500 Virgin broadband customers as having computers infected with the SpyEye trojan.

The company has warned its users and provided some guidelines on cleaning infected machines. But security firm Trusteer, which has closely followed the development of credential-stealing trojans such as Zeus and SpyEye, says the time may have come to consider a partial lockdown of infected broadband lines until the owner can show that the machine has been disinfected, echoing Microsoft's campaign for a public-health model for the internet.

According to Trusteer, while the pro-active nature of the SOCA investigation into the Virgin users’ systems may be viewed as invasive by some observers, there is a strong reason for all ISPs to work with law enforcement and security professionals in a similar way.

Amit Klein, Trusteer's chief technology officer, says there is an equally strong case for blocking all traffic from the affected lines and answering any HTTP request with a message saying "your machine is infected, please contact Virgin ...".

"This would ensure that most of the affected users would be on the phone to the Virgin helpline in double-quick time. And it would also help to minimise the financial losses that these poor customers would experience if they had to wait until the ISP wrote to them – assuming they opened the letter of course," he says.

The problem with simply writing letters to the affected line owners, says Klein, is that they may be landlords, and it is their tenants that need to be advised of the serious security problem.

Klein argues that an internet lockdown strategy would serve the dual purposes of alerting users on the broadband circuit that there were serious security problems and so force them to call in, as well as helping to prevent further potential losses to cybercriminals as a result of the infections.
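In network terms, the lockdown Klein describes is a walled garden: a flagged subscriber's traffic is dropped, except that plain HTTP is intercepted and answered with a notice, and the ISP's own helpdesk and DNS stay reachable so the customer can actually get the machine cleaned. The following Python is an added illustration of that ISP-side policy, not code from Virgin Media, SOCA or Trusteer; the flagged addresses, the remediation allowlist and the notice URL are constructed assumptions using RFC 5737 documentation ranges. The notice uses the 511 status code that RFC 6585 defines for exactly this captive-portal situation. Note the caveat built into the policy: HTTPS cannot be intercepted without breaking TLS, so it is simply dropped, which means the banking sessions SpyEye targets are cut off rather than shown the message.

```python
"""Simulated ISP-side quarantine (walled garden) for flagged subscribers.

Added example only; not Virgin Media's, SOCA's or Trusteer's code.
Assumes a list of flagged subscriber IPs supplied by law enforcement and
a small set of remediation hosts that must stay reachable.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of flagged subscriber addresses (TEST-NET-3, RFC 5737).
FLAGGED_SUBSCRIBERS = {"203.0.113.10", "203.0.113.11"}

# Hosts a quarantined customer must still reach: hypothetical ISP
# helpdesk / cleanup portal (TEST-NET-2). DNS is allowed on any host so
# the browser can resolve names and land on the intercepted HTTP page.
REMEDIATION_ALLOWLIST = [ip_network("198.51.100.0/28")]
DNS_PORT = 53
HTTP_PORT = 80

# Hypothetical URL shown in the notice page.
NOTICE_URL = "http://help.example.net/infected"


@dataclass(frozen=True)
class Flow:
    src: str          # subscriber address
    dst: str          # destination address
    dport: int        # destination port
    proto: str = "tcp"


def classify(flow: Flow) -> str:
    """Return 'allow', 'intercept' or 'drop' for one flow.

    Non-flagged subscribers pass untouched. For flagged subscribers:
    remediation hosts and DNS are allowed, plain HTTP is intercepted so
    the browser shows the infection notice, and everything else (HTTPS,
    mail, the trojan's own command channel) is dropped until the line is
    released from quarantine.
    """
    if flow.src not in FLAGGED_SUBSCRIBERS:
        return "allow"
    dst = ip_address(flow.dst)
    if any(dst in net for net in REMEDIATION_ALLOWLIST):
        return "allow"
    if flow.dport == DNS_PORT:
        return "allow"
    if flow.proto == "tcp" and flow.dport == HTTP_PORT:
        return "intercept"
    return "drop"


def interception_response() -> bytes:
    """Raw HTTP response handed back for an intercepted HTTP request.

    511 Network Authentication Required (RFC 6585) is the status defined
    for captive portals; no-store stops the notice being cached and later
    served for an unrelated site once the line is released.
    """
    body = (
        "<html><body><h1>Your machine is infected</h1>"
        "<p>Please contact your ISP before continuing. Cleanup instructions: "
        f'<a href="{NOTICE_URL}">{NOTICE_URL}</a></p></body></html>'
    ).encode("utf-8")
    headers = (
        "HTTP/1.1 511 Network Authentication Required\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Cache-Control: no-store\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")
    return headers + body


if __name__ == "__main__":
    # Constructed sample flows: a clean subscriber and a flagged one.
    for f in (
        Flow("192.0.2.5", "192.0.2.200", 443),
        Flow("203.0.113.10", "192.0.2.200", 80),
        Flow("203.0.113.10", "192.0.2.200", 443),
        Flow("203.0.113.10", "198.51.100.3", 443),
        Flow("203.0.113.11", "192.0.2.53", 53, "udp"),
    ):
        print(f, "->", classify(f))
```

In a real deployment the quarantine would be keyed to the subscriber account rather than a bare IP address, since broadband addresses are reassigned and the line owner may not be the machine's user, which is the same gap Klein identifies with posting letters to landlords.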

Even if only one of the 1,500 SpyEye infected users of Virgin’s network were stopped from leaking their credentials to the cybercriminals, he says, the steps taken would have been worthwhile.

"Virgin's actions, as well as those of SOCA, are to be applauded. More than anything, this brings home to the UK's Internet-using community the sheer scale of the SpyEye infection problem," he says.

According to Trusteer, if a single ISP's network yields the number of infections SOCA identified, the UK as a whole is potentially facing trojan infections numbering well into five figures, if not more.

Trusteer has not been alone in praising Virgin Media’s actions, but should ISPs be going further to ensure infected machines are offline until they are infection free?

If your machine were infected with something like SpyEye what would you expect your ISP to do? What would be acceptable and what would not?

Personally, I would want to know and would accept that for the greater good I would not be able to access the internet until my PC was cleaned up.