Security vendors bring zombie fighters to life

Botnet-infected 'zombie' computers are an ever-growing risk, and IT security vendors are taking notice and offering more ways to fight back

Data leakage prevention might currently be the hottest IT security submarket, but vendors are also tuning up their product offerings to help customers ward off the presence of botnet-infected zombie computers.

As botnet operators continue to advance the sophistication of their attacks and the manner in which they use and manipulate their armies of infected devices, businesses are asking technology providers for new defense mechanisms, vendors claim, with both anti-virus market leader Symantec and network security specialist Arbor Networks introducing new products to address the problem this week.

Symantec -- which only last week launched its much awaited Endpoint Protection integrated desktop security suite that promises to help identify botnet-feeding malware, among many other things -- introduced a new botnet-fighting technique that is its offering at no extra charge to customers of its MSS (Managed Security Services).

In essence, the company is promising to begin correlating botnet data gathered by its 40,000-sensor-strong Global Intelligence Network with behavior detection tools it has running inside its services customers to look for zombie network activity.

The process involves the piecing together its collective intelligence about known botnet command and control centers, the malware programs that are used to propagate the attacks, and the type of behavior on corporate networks that indicates the presence of infected machines to help customers keep their PCs from getting caught up in the threats.

"We're collecting data from firewalls, network intrusion detection systems, host intrusion protection systems, and a number of other technologies in real time and feeding that into our datacenters where it can be correlated to look for botnet activity," said Grant Geyer, vice president of MSS at Symantec. "This allows us to look at all the destination IP addresses for network traffic and compare that to our lists of botnet command centers to find matches we might otherwise miss."

According to Symantec's most recent Internet Security Threat Report, published in September, the company's sensors detected more than 5 million distinct botnet-infected computers during the first six months of 2007, which represents roughly a 7 percent increase when compared to the same period last year.

Heightening the issue is the speed at which botnet operators are changing the locations of their command and control centers, which act as the brains of the distributed zombie computer systems. The average command and control center stays up and running for only four days at a time at this point, according to Symantec's latest research.

Geyer said that one of the biggest misconceptions among customers is that IDSes (intrusion detection systems) are sufficient to protect their networks from botnets. He said that unless the tools have been configured perfectly, they can be easily circumvented by the attacks.

"There's a pretty good chance that the more advanced botnet programs can get around IDS, and firewalls only offer secondary signs of infection. If the only indicator of an infection is data leaving the network on a port, then there's no chance that IDS will see it," Geyer said. "But, when we gather all this intelligence together and compare it to latest command center blacklists, it's pretty easy to tell what's going on when this traffic is heading to known botnet servers."

While Symantec has essentially been conducting the same work in a more manual fashion to ward off botnets for some time, automating the process should help protect customers from zombie attacks even as they are unfolding, he said.

Arbor catches botnets further upstream
Arbor, which markets technologies used by enterprises, ISPs, and other carriers to monitor for attacks in the traffic flowing over large networks, launched an updated version of its PeakFlow SP platform, which includes new capabilities for sniffing out botnets.

Among the upgrades to the package that will help its customers separate zombie activity from legitimate traffic are new capabilities that give network operators the ability to see what type of applications are responsible for individual packets of data, company officials said.

In addition to helping carriers and large enterprises figure out how to best align their network resources to adjust to the growing adoption of emerging technologies like VoIP, the latest version of PeakFlow will allow the companies to identify botnet attacks before they ever reach end-users, cutting off the threats further upstream, said Rob Malan, Arbor's co-founder and CTO.

"We're finding that with all the latent firepower in the networks, there are greater numbers of botnet controlled endpoints. You have all these homes and offices that have been connected to broadband, and they're being targeted, and dealing with the problem is at the top of a lot of the carriers' priorities," Malan said.

Industry watchers said that customers are looking for ways to fight the botnet issue but contend that they remain wary of being forced to pay for additional products to address the problem.

In that sense, Symantec's addition of the botnet-fighting service at no extra charge to its services customers and Arbor's play to arm carriers with defense mechanisms to protect users upstream could be well received by enterprises.

Andrew Jaquith, a security analyst for Yankee Group, said that many large corporations remain unaware of botnet activity on their networks, as evidenced by the "30 Days of Bots on the Fortune 500" project carried out by software maker Support Intelligence, which has recently highlighted the presence of zombie PCs on IP addresses controlled by massive firms, including Intel, Nationwide Insurance, and Bank of America.

Jaquith said that while more of the infections are being discovered all the time, he believes that the undiscovered botnet issue may be the biggest untold security story of 2007.

The analyst said that customers are desperate for any way that they can prevent the attacks, but he believes that if carriers attempt to turn anti-botnet technologies into paid services, then enterprises might begin pushing back.

"It's encouraging to see activity that's looking to solve the problem, but it's hard to tell if there will be a market for paid products and services, especially when the industry could use some simpler root cause techniques to address it instead of adding technology," Jaquith said. "Enterprises like those named by Support Intelligence might have an interest, and for carriers it makes sense if they approach it the right way, but they might find that they do not get good a reception from enterprises if they're looking to add more charges."

The analyst contends that carriers should be the parties responsible for protecting customers against botnets and that they could already do so if they adopted more of a white-list style approach to the types of traffic they allow onto their users' networks.

"I'm not sure if the world needs more solutions to solve this problem; what would really be helpful would be if carriers would stop pretending that they simply provide dumb pipes that deliver traffic," he said.

"The approach shouldn't be charging for extra services to keep the network clean," Jaquith said. "It would be much better if they were to limit the types of acceptable traffic in general and deny anything unusual unless customers want to pay for extra services because they support the types of traffic in which the botnet attacks are typically hidden."

Copyright © 2007 IDG Communications, Inc.