
A quick look at the global Threat Map from internet security giant Spamhaus can sometimes be quite illuminating. The map displays the activity of botnets around the world, fuelled by malware-infected devices, and these days it’s not uncommon to see the likes of Sky (Sky Broadband), Virgin Media and BT popping up in the top ten table (i.e. ISPs with the most infected connections).
Before we get started it’s important to understand that a botnet is one big network of internet-connected devices (e.g. older smartphones, laptops, WiFi cameras, Android TV boxes, routers etc.) that have been infected and hijacked by malicious software (malware). Such networks are often remotely controlled by special command servers, which are themselves managed by an individual or small groups of attackers (“bot herders“).
The Spamhaus Threat Map is essentially designed to help visualise detections of such activity across the world and displays a statistical table of the number of malware-infected devices (we’ll call these ‘detections’). Spamhaus informed ISPreview that the data in their tables represents the number of IP (Internet Protocol) addresses hosted on each ISP’s network that show “signs” of being compromised.
“Devices using these IP addresses have been observed to be infected with malware, running trojans, being controlled by botnet C&Cs or operating as abused (residential) proxies. These IPs are legitimate but have been hijacked through third-party exploits. Spamhaus automatically adds an IP to the Exploits Blocklists when there is compelling evidence that the associated device is insecure, compromised, or infected,” said a Spamhaus spokesperson to ISPreview.
At the time of starting to write this article, on 4th March 2026, BT had just dipped out of the top table (they only occasionally enter it), while Virgin Media held 6th place with a total of 53,016 detections and Sky (Sky Broadband, Sky TV etc.) sat in 10th position with 39,248 – as measured over the previous 24 hours. Both Sky and Virgin are often present in the list.
The United Kingdom also sits in 5th position on the country table (194,105), which was at the time just below India and Brazil, with China (419,237) and the USA (650,043) dominating. But it’s worth noting that no other European country makes it into the top ten. As with the ISP table, Spamhaus confirms the country table “represents the total number of detections by country where IP addresses linked to exploited devices are hosted“.

The fact that a country of the UK’s modest size, as well as several of its major internet providers, are even in the top table may come as somewhat of a surprise, but it’s not that unexpected. The UK has one of the world’s largest digital economies, often ranking within the top 5 countries – behind the likes of the USA, China, and Japan.
According to the UK Government, the Digital Sector is provisionally estimated to have accounted for 6.8% of total UK Gross Value Added (GVA) in 2024 at £177.2bn in current prices – similar to the estimated 6.7% of total UK GVA in 2023. Suffice to say that with an active online economy and plenty of online users, the UK likely also has a sizeable population of older internet-connected devices that may be vulnerable to remote exploits.
Such devices often reflect those that are no longer supported (EOL – End of Life) or which are still supported, but where the end-user hasn’t applied any recent firmware (software) updates to ensure they’re patched against the latest vulnerabilities. In other cases people may have had their computers or other devices directly compromised by Viruses/Trojans (malicious software) via Phishing scams or similar.
Detecting whether a device within your wider network has been compromised to become part of a botnet is also quite difficult and requires careful monitoring of all your network traffic for connectivity to foreign IP addresses, which is not something that’s easy for the average Joe or Jane. But tools like Wireshark or your router’s traffic analyser (if it has one) can help.
On top of that it’s worth keeping an eye out for high CPU or fan usage on devices, where such visibility exists, as a heavily active botnet may make the mistake of sucking too much of your network bandwidth or router CPU cycles – causing increased load, which is particularly obvious when it occurs during normally low periods of usage.
The GreyNoise IP Check might also help to identify if the IP address assigned by your broadband ISP has been linked to bad traffic (note: users on a Virtual Private Network [VPN] may have an IP with a negative reputation, due to past abuse by other users). Plus it doesn’t hurt to keep an eye on activity for commonly used ports like 6667 (often used for IRC communication between bots) or 1080 (often used for SOCKS proxy servers).
In addition, botnets that spew email SPAM often like to use port 25, due to the lack of required authentication and encryption via the legacy Simple Mail Transfer Protocol (SMTP). This is one of the reasons why broadband ISPs frequently block such ports, despite the risk of unintended consequences.
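As an added illustration (not from the article or from Spamhaus), the port checks described above can be automated over a router or firewall connection log. The log format, sample records and function names here are assumptions constructed for the example, and it handles IPv4 only.

```python
import ipaddress
from collections import defaultdict

# Ports the article singles out, and why each deserves a look.
WATCH_PORTS = {25: "direct SMTP", 1080: "SOCKS proxy", 6667: "IRC"}
# Home/office LAN ranges (RFC 1918); anything else counts as external.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows, assumed format: "time src:port -> dst:port proto"
SAMPLE_FLOWS = """\
02:14:07 192.168.1.23:51544 -> 203.0.113.10:25 tcp
02:14:09 192.168.1.23:51546 -> 198.51.100.77:25 tcp
02:14:12 192.168.1.23:51550 -> 203.0.113.45:25 tcp
02:15:30 192.168.1.40:40112 -> 198.51.100.5:6667 tcp
09:01:11 192.168.1.12:55001 -> 198.51.100.20:443 tcp
09:02:40 192.168.1.12:55010 -> 192.168.1.1:1080 tcp
garbage line that should be skipped
"""

def is_lan(ip):
    return any(ip in net for net in LAN_NETS)

def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src = ipaddress.ip_address(parts[1].rsplit(":", 1)[0])
        dst_host, dst_port = parts[3].rsplit(":", 1)
        return src, ipaddress.ip_address(dst_host), int(dst_port)
    except ValueError:
        return None

def suspicious_devices(log_text):
    """Map each LAN device to {watched port: sorted external destinations}."""
    hits = defaultdict(lambda: defaultdict(set))
    for flow in filter(None, map(parse_flow, log_text.splitlines())):
        src, dst, port = flow
        # Outbound only: a LAN device contacting a non-LAN address.
        if port in WATCH_PORTS and is_lan(src) and not is_lan(dst):
            hits[str(src)][port].add(str(dst))
    return {dev: {p: sorted(d) for p, d in ports.items()}
            for dev, ports in hits.items()}

if __name__ == "__main__":
    for dev, ports in suspicious_devices(SAMPLE_FLOWS).items():
        print(dev, {p: (WATCH_PORTS[p], d) for p, d in ports.items()})
```

A device that reaches several different external hosts on port 25 in the small hours, as 192.168.1.23 does in the sample, is the pattern worth investigating; a single hit on a watched port is only a prompt to check what the device is.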
The core advice is still relevant here – set strong and different passwords for all your network devices, use good anti-virus/internet security software and keep your devices up-to-date. Once a device within your network falls out of support, be it a smart doorbell, Android phone or some other piece of internet-connected kit, then it’s probably only a matter of time before somebody finds a way to exploit it (i.e. remove or replace it as soon as possible).
Major internet providers, like those mentioned earlier, typically operate complex network monitoring systems (i.e. traffic analysis, DNS monitoring) that are often capable of detecting when an end-user’s traffic has become associated with a known botnet or other known virus/trojan infections etc.
The signals broadband providers see for this are limited, but often it can be enough for a proactive provider to notify the end-user of their concerns and advise on the appropriate action. Quite a few providers also offer some degree of network-level or router-level security to help tackle such things, although those systems won’t catch everything.
ISPreview did ask Sky Broadband, BT (EE) and Virgin Media to comment on all this. Sadly, Sky didn’t respond (despite several requests), while BT declined to supply a comment, although they did indicate their belief that the information published by Spamhaus didn’t align with their own insights (i.e. they indicated the data lacked insight into how it was gathered or verified).
BT added that, during 2025, their team of 3,000 security professionals had blocked 1.6 billion attempts to access malicious domains and stopped 200 million scam SMS messages. The provider also noted that their broadband customers are given access to their anti-virus and online security services for real-time protection, while they added that users are proactively encouraged to keep their systems and passwords up-to-date.
Finally, Virgin Media, which has historically been one of the most pro-active ISPs when it comes to tackling such issues, did comment and noted how their customers are all provided with access to their ‘Essential Security‘ service at no extra cost (enabled by default). Like BT’s solution, this helps to protect them online by blocking access to websites identified as fraudulent or potentially carrying viruses, among other things.
Virgin’s service is also said to prevent any data from being shared outside a customer’s network if suspicious or malicious activity is detected on their devices.
A Virgin Media spokesperson told ISPreview:
“We take the security and protection of our customers extremely seriously and have a range of tools and services in place to help keep them safe. All customers benefit from our Essential Security product free of charge, which helps protect against scams and malicious software. This feature is switched on by default, ensuring customers are protected from day one.”
We should point out that, under recent changes in UK law – the Product Security and Telecommunications Infrastructure Act (PSTI) and Telecoms (Security) Act (TSA) – all of these providers are also required to be proactive in ensuring that the routers and other networked devices they supply are secure and kept up-to-date; upgrades are usually offered where that is no longer the case.
However, as pointed out above, router and software level security isn’t perfect and won’t stop everything. Enterprising attackers often scan the public internet with mass automated routines that look for devices known to be vulnerable to certain exploits, which will often sit deeper inside your network and may be exposed to remote connectivity.
Suffice to say that it’s important for people to take a holistic view of their network (i.e. don’t assume that every device on your network is protected and secure) and don’t make the mistake of assuming that your ISP can protect your home network against everything. If anything, the advent of AI control systems and the wide availability of multi-gigabit speed full fibre broadband is probably only going to make this problem even harder to tackle.
Great article. The reality is the average Joe is adding more and more risky stuff to their network without the knowledge required to keep them safe. The amount of people I personally know with rooted pirate Android TV boxes sitting on their main LAN is truly frightening.
The problem is, VLANs aren’t the simplest thing to implement and that’s if they even have the option…..or even know what a VLAN is.
Blanket network isolation policies I can see just causing people to turn it off when they have issues e.g. casting not working, wanting to stream a file from a computer, etc.
I could only see VLANs becoming common if we see ISPs implement it and maybe simplify it e.g. you add a new device and the app on your phone asks a bunch of questions or maybe queries a database to see what is required for it to function and just allows the minimum.
Alternatively of course just have the single LAN but have more ‘per device’ firewall policies which again could be done like the above.
In the case of say my HP printer, that’s a pain to have on a VLAN compared to say my Echo devices due to network discovery, etc.
@tech Unfortunately, you’re right.
The layman is incredibly used to the convenience a single LAN offers, and no ISP is going to want to stand in the way of that! The support calls alone would probably make it not viable to implement.
I’ll sleep well at night with my VLANs for all my IOT! But I do fear the consequence for others.
My parents once had an issue with an infected NVR.
I managed to realise this myself due to a slow network and pfSense’s monitoring tools.
A few days later though I received an email from VM about reported malicious traffic, the problem though was that they didn’t seem to consider infected IoT devices, instead just saying to use an anti-virus which would have been useless in our case.
If you only have a standard ISP-issue router that likely doesn’t have multi-VLAN handling capability (like my Beacon 2 doesn’t), you can (maybe should?) place your smart TV and any IoT devices on the guest network.
There are downsides to this of course (e.g. PnP, casting, possible bandwidth limitations, device limitations). So it then comes down to the personal decision of security vs convenience vs cost of prosumer router/switch and the mind-boggling (to me) complexity of setting up any inter-VLAN comms while maintaining the desired level of security.
Do I have my smart TVs on the guest network? No, I don’t. But if I had a doorbell or similar IoT device then I’d seek to place those on there.
Users may need to look at devices disconnected from the browser router control panel as their newly unboxed router may list previously disconnected USB devices. A factory reset on their new router should clear disconnected USB devices before connecting their devices.