October 04, 2007

Security vendors bring zombie fighters to life

Botnet-infected 'zombie' computers are an ever-growing risk, and IT security vendors are taking notice and offering more ways to fight back

Data leakage prevention might currently be the hottest IT security submarket, but vendors are also tuning up their product offerings to help customers ward off the presence of botnet-infected zombie computers.

As botnet operators continue to advance the sophistication of their attacks and the manner in which they use and manipulate their armies of infected devices, businesses are asking technology providers for new defense mechanisms, vendors claim. This week both anti-virus market leader Symantec and network security specialist Arbor Networks introduced new products to address the problem.

Symantec -- which only last week launched its much-awaited Endpoint Protection integrated desktop security suite that promises, among many other things, to help identify botnet-feeding malware -- introduced a new botnet-fighting technique that it is offering at no extra charge to customers of its MSS (Managed Security Services).

In essence, the company is promising to begin correlating botnet data gathered by its 40,000-sensor-strong Global Intelligence Network with the behavior detection tools it has running inside its managed services customers' networks, in order to look for zombie network activity.

The process involves piecing together its collective intelligence about known botnet command and control centers, the malware programs used to propagate the attacks, and the types of behavior on corporate networks that indicate the presence of infected machines, to help customers keep their PCs from getting caught up in the threats.

"We're collecting data from firewalls, network intrusion detection systems, host intrusion protection systems, and a number of other technologies in real time and feeding that into our datacenters where it can be correlated to look for botnet activity," said Grant Geyer, vice president of MSS at Symantec. "This allows us to look at all the destination IP addresses for network traffic and compare that to our lists of botnet command centers to find matches we might otherwise miss."

According to Symantec's most recent Internet Security Threat Report, published in September, the company's sensors detected more than 5 million distinct botnet-infected computers during the first six months of 2007, roughly a 7 percent increase over the same period last year.

Heightening the issue is the speed at which botnet operators are changing the locations of their command and control centers, which act as the brains of the distributed zombie computer systems. The average command and control center stays up and running for only four days at a time at this point, according to Symantec's latest research.

Geyer said that one of the biggest misconceptions among customers is that IDSes (intrusion detection systems) are sufficient to protect their networks from botnets. He said that unless the tools have been configured perfectly, they can be easily circumvented by the attacks.

"There's a pretty good chance that the more advanced botnet programs can get around IDS, and firewalls only offer secondary signs of infection. If the only indicator of an infection is data leaving the network on a port, then there's no chance that IDS will see it," Geyer said. "But, when we gather all this intelligence together and compare it to the latest command center blacklists, it's pretty easy to tell what's going on when this traffic is heading to known botnet servers."
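The correlation Geyer describes, in its simplest form, is a join between outbound connection records and a list of known command and control addresses. The following is an added illustration of that idea, not Symantec's code or a description of how its MSS platform works. The firewall log lines, the blocklist entries (drawn from the TEST-NET documentation ranges) and the `last_seen` dates are all constructed. Because the article notes that command centers typically stay up for only about four days, the example also tracks the age of each blocklist entry so that hits on stale entries can be reported separately from hits on recently confirmed ones.

```python
"""Correlate firewall connection logs against a C2 blocklist (added example)."""
import re
from datetime import date

# Matches the src/dst/proto/dpt fields in the constructed log format below.
LOG_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) dst=(?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"proto=(?P<proto>\w+) dpt=(?P<dport>\d+)"
)

# Constructed blocklist: known command-and-control addresses (hypothetical,
# documentation-range IPs) mapped to the date each was last confirmed active.
C2_BLOCKLIST = {
    "198.51.100.23": date(2007, 10, 3),  # confirmed active yesterday
    "203.0.113.77": date(2007, 9, 20),   # two weeks old: likely moved already
}

# Date the correlation is run, fixed so the example is reproducible.
TODAY = date(2007, 10, 4)

# Constructed firewall log lines in a syslog-like format (not real traffic).
SAMPLE_LOG = """\
Oct  4 09:12:01 fw1 kernel: ACCEPT src=10.0.5.17 dst=198.51.100.23 proto=TCP dpt=6667
Oct  4 09:12:05 fw1 kernel: ACCEPT src=10.0.5.17 dst=192.0.2.10 proto=TCP dpt=443
Oct  4 09:13:40 fw1 kernel: ACCEPT src=10.0.7.2 dst=203.0.113.77 proto=TCP dpt=8080
Oct  4 09:14:02 fw1 kernel: DROP src=10.0.9.9 dst=192.0.2.44 proto=UDP dpt=53
Oct  4 09:15:11 fw1 kernel: malformed line without connection fields
""".splitlines()


def parse_line(line):
    """Extract a connection record from one log line, or None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["action"] = "DROP" if " DROP " in line else "ACCEPT"
    return rec


def correlate(lines, blocklist, today, max_age_days=4):
    """Return every connection whose destination is on the C2 blocklist.

    Each hit carries the age of the blocklist entry and a 'stale' flag so an
    analyst can weight recent confirmations above entries that have probably
    moved on, as the article says command centers do every few days.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        last_seen = blocklist.get(rec["dst"])
        if last_seen is None:
            continue
        age = (today - last_seen).days
        rec["age_days"] = age
        rec["stale"] = age > max_age_days
        hits.append(rec)
    return hits


def infected_hosts(hits):
    """Internal sources that contacted a recently confirmed C2 address."""
    return sorted({h["src"] for h in hits if not h["stale"]})


if __name__ == "__main__":
    found = correlate(SAMPLE_LOG, C2_BLOCKLIST, TODAY)
    for h in found:
        label = "STALE" if h["stale"] else "ACTIVE"
        print(f"{label:6} {h['src']} -> {h['dst']}:{h['dport']} "
              f"({h['proto']}, list entry {h['age_days']}d old)")
    print("hosts to investigate:", infected_hosts(found))
```

The lookup is a plain dictionary match on the destination address, which is exactly the step Geyer says an IDS alone can miss when the only sign of infection is traffic leaving on an otherwise unremarkable port. In practice the blocklist would be refreshed from a feed on the same cadence at which command centers move, and the `max_age_days` threshold tuned accordingly; connections the firewall already dropped are still worth keeping, since a blocked beacon is evidence that the source host is infected even though no data left.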

©1994-2009 Infoworld, Inc.