If it stays on the router-side only, that's great! (Score 1)

This sounds like a promising idea to me, if the implementation stays on the router itself. It sounds like the router will look for packet sessions identical to those used by worms/viruses, and move those clients to a null-routed subnet. If it works, then by all means go for it. As long as moving customers from a live routed to null routed interface is simple, then I fully support any ISP implementing it.