Comcast pop-ups alert customers to PC infections

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.

For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus taking control of the system and using it to send spam as part of a botnet.

The alerts are triggered "when we see computers on our network that are doing things that are known bot activities--say, a computer is spewing out thousands of spam e-mails," said Jay Opperman, senior director of security and privacy at Comcast.

The Philadelphia-based cable giant, which is the largest residential Internet service provider in the United States, with 15.3 million consumer customers, also is alerted to compromised customer computers when an IP address of one of its customers is identified as the source of spam on an industry spam list, Opperman said.

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.

If customers don't have antivirus software, they can download McAfee Internet Security Suite for free. Comcast also offers a Comcast Toolbar that includes spyware detection and removal, a pop-up ad blocker, antiphishing software, and antispam protection for e-mail.

The company first started notifying customers about the security issues about a year ago, with support representatives calling customers on the phone, Opperman said.

"We learned that customers love it," he said. "We wanted to reach more people and to automate the process."

This appears to be the first service through which a major ISP proactively notifies customers about security issues on their computers. For years, security experts have complained that ISPs are uniquely positioned, and should do more, to help customers combat security problems. But ISPs have been reluctant to assume additional responsibilities that are not central to their core service offering and for which they would then have to maintain a standard, going forward.

"I would hope that the government would do things to encourage this, if you alleviate some of the potential concerns that others may have about giving that kind of notification," said Jerry Upton, executive director of the Messaging Anti-Abuse Working Group. "I think it's the beginning of many ISPs and network providers realizing that customers need a little better knowledge of what the problems are out there."

Alissa Cooper, chief computer scientist for the Center for Democracy and Technology, said the organization welcomes Comcast's initiative.

"ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats," she said. "The challenge is...when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?"

The new service will eventually be rolled out in the rest of the country, replacing the phone calls Comcast has been using to notify customers to security problems, Opperman said.

Asked how many alerts have been sent to customers with Macintosh computers, Opperman said he could not provide a specific number but that there had been some.

Update 12:50 p.m. PDT October 9: Comcast is not the first to proactively monitor and help customers whose computers have been compromised. Qwest has been doing so for two years. Qwest's Customer Internet Protection Program displays a Web page with a warning to customers and offers a way to remove the infection for free before the customer can continue surfing the Web, a Qwest spokeswoman said.

And SBC (before it was part of AT&T) even quarantined customer accounts, George Ou reports on his Digital Society blog. While preventing infected computers from accessing the Internet until they are cleaned is going too far, he said, displaying warnings that could be faked by scammers might not be the answer either. Ou suggests a standardized "out-of-band notification mechanism that doesn't rely on the Web browser and can only be triggered by authorized entities," combined with remote management tools for automatic cleanup.