Comcast to provide new opportunities for fake AV


Comcast Cares

Comcast has announced they are beginning a nationwide roll out of their “Constant Guard” botnet detection service. Comcast is the largest cable internet service provider in the United States, so this could have a large impact on zombied US computers.

According to Brian Krebs’s blog the service is provided by Damballa, a botnet research firm who monitor IP addresses engaged in known botnet activity. This clearly will not pick up every bot, nor virus, but it can help with some of the larger more prevalent botnets that Damballa has visibility into.

Comcast will display a JavaScript hover banner warning you that your PC may be infected and ask you to visit it’s site. They also will send customers an email to their address when it is believed they are participating in a botnet.

Comcast email about being in a botnet

My concern is that this is creating a tremendous opportunity for fake AV/scareware criminals. It’s almost an invitation… I could see injecting these banners into websites and spamming customers with these messages leading to your standard fake AV installer.

It would seem to me that they may be better off providing a number for people to call to get advice, or perhaps have an automated call system alert them to the threat. I am not opposed to the idea of helping Comcast customers clean up their act, I just feel that the messaging feels an awful lot like what the scammers are sending out.

Instead of playing softball, if Comcast is serious they could drive people to a captive portal, like you get on hotel WiFi networks. Make people clean up, and only allow them to get to legitimate security sites until they are fixed. Maybe a phone warning and then after 14 days they block you.

The good news is that “Comcast Cares” as their slogan suggests. Another bright point is that they are not inspecting your traffic in a way that may compromise your privacy. Damballa is a respected security organization and their techniques will not inspect your personal details.

Comcast, if you’re listening, can we figure out a way to do this without looking like you are hawking “Windows XP Anti-Virus 2011”? If not, more of your customers may become infected simply by confusing your messaging with the messages from those whom you are trying to stop.