Sick PCs should be banned from the net says Microsoft

Published 6 October 2010

Image caption: Botnets can contain millions of machines

Virus-infected computers that pose a risk to other PCs should be blocked from the net, a senior researcher at software giant Microsoft suggests.

The proposal is based on lessons from public health, said Scott Charney of the firm's Trustworthy Computing team.

It is designed to tackle botnets - networks of infected computers under the control of cybercriminals.

Putting machines in temporary quarantine would stop the spread of a virus and allow it to be cleaned.

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society," he said in a blog post.

"In the physical world, international, national, and local health organisations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.

"Simply put, we need to improve and maintain the health of consumer devices connected to the internet in order to avoid greater societal risk."

Health test

Botnets have become the scourge of the internet and a favourite amongst cybercriminals.

Computers are recruited into a network when they become infected with a virus. These are commonly distributed by criminals as attachments in e-mail messages, and as software downloads masquerading as legitimate programs.

Networks can consist of a few hundred to a few thousand Windows machines. However, some can contain millions of PCs.

The networks are usually under the control of criminals who commonly hire them out to others for purposes including pumping out spam or mounting "denial of service" attacks against websites.

"Commonly available cyber defences such as firewalls, antivirus and automatic updates for security patches can reduce risk, but they're not enough," wrote Mr Charney. "Despite our best efforts, many consumer computers are host to malware or are part of a botnet."

His proposal, presented at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, is for every computer to have a "health certificate" to prove that it is uninfected before it connects to the net.

"Although the conditions to be checked may change over time, current experience suggests that such health checks should ensure that software patches are applied, a firewall is installed and configured correctly, an antivirus program with current signatures is running, and the machine is not currently infected with known malware," he wrote in the accompanying paper.

If the health certificate indicates a problem the computer could be prompted to download a missing patch or update its anti-virus settings.

"If the problem is more serious (the machine is spewing out malicious packets), or if the user refuses to produce a health certificate in the first instance, other remedies such as throttling the bandwidth of the potentially infected device, might be appropriate."

However, he said that cutting people off the internet entirely "could well have damaging consequences".

"An individual might be using his or her internet device to contact emergency services and, if emergency services were unavailable due to lack of a health inspection or certificate, social acceptance for such a protocol might rightly wane.

"But much like a cell phone may require a password but still allow emergency calls to be made even without that password, infected computers may still be permitted to engage in certain activities."

Global attacks

Graham Cluley, of security firm Sophos, said that some ISPs had previously throttled some users suspected of having infections.

"They knock off users who look like they are sending large numbers of spam e-mails - an indication of being part of a botnet," he told BBC News.

Whilst it solves the problem, he said, it can cause problems for computer users.

"The challenge then is what the poor old user does," he said.

"They can't get on the net to download fixes."

He also said that there was a danger that many people would think that any message telling them that they had an infection on their machine was a scam.

The approach is used around the world. In Japan, for example, more than 70 ISPs have formed the Cyber Clean Center, which contacts users and provides security software to prevent further infections.

Other initiatives exist in France and Australia.

Microsoft said that to make its plan work it would need four steps, including defining a healthy computer, creating a trusted system for health certificates and finding a way for ISPs to process and act on them.

Relevant legal frameworks would also be needed, it said.

But Mr Cluley questioned whether Microsoft was best placed to recommend such security measures.

"Microsoft doesn't have a faultless record when it comes to security," he said.

"It has improved over the years, but every month they have to release a package of updates.