Security vendors bring zombie fighters to life
- 05 October, 2007 00:58
Data leakage prevention might be the hottest IT security submarket, but vendors are also tuning up their product offerings to help customers ward off the presence of botnet-infected zombie computers.
As botnet operators continue to advance the sophistication of their attacks and the manner in which they use and manipulate their armies of infected devices, businesses are asking technology providers for new defense mechanisms, vendors claim, with both anti-virus market leader Symantec and network security specialist Arbor Networks introducing new products to address the problem.
Symantec -- which only last week launched its much awaited Endpoint Protection integrated desktop security suite that promises to help identify botnet-feeding malware -- introduced a new botnet-fighting technique that it is offering at no extra charge to customers of its MSS (Managed Security Services).
The company is promising to begin correlating botnet data gathered by its 40,000-sensor-strong Global Intelligence Network with the behaviour detection tools it runs inside its services customers' networks to look for zombie network activity.
The process involves piecing together intelligence about known botnet command and control centres, the malware programs used to propagate the attacks, and the type of behaviour on corporate networks that indicates the presence of infected machines to help customers keep their PCs safe.
"We're collecting data from firewalls, network intrusion detection systems, host intrusion protection systems, and a number of other technologies in real time and feeding that into our data centres where it can be correlated to look for botnet activity," said Grant Geyer, vice-president of MSS at Symantec.
"This allows us to look at all the destination IP addresses for network traffic and compare that to our lists of botnet command centres to find matches we might otherwise miss."
Symantec's September Internet Security Threat Report detected five million distinct botnet-infected computers during the first six months of 2007, which represents roughly a 7 per cent increase compared to the same period last year.
Botnet operators, too, are rapidly changing the locations of command and control centres for the distributed zombie computer systems. The average command and control centre stays up and running for only four days, according to Symantec's latest research.
Geyer said that IDS (intrusion detection systems) won't protect networks from botnets. He said that unless the tools have been configured perfectly, they can be easily circumvented by attackers.
"There's a pretty good chance that the more advanced botnet programs can get around IDS, and firewalls only offer secondary signs of infection. If the only indicator of an infection is data leaving the network on a port, then there's no chance that IDS will see it," Geyer said.
"But, when we gather all this intelligence together and compare it to latest command centre blacklists, it's pretty easy to tell what's going on when this traffic is heading to known botnet servers."
Automating the process should help protect customers from zombie attacks even as they are unfolding, he said.
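As an added example (not Symantec's code and not part of the original article), the script below shows the core of the correlation Geyer describes: parsing firewall log lines, checking each destination address against a list of known command-and-control hosts or netblocks, and summarising which internal machines contacted them. The log format, the blocklist entries and the addresses are all constructed for the example (documentation ranges only, not real indicators).

```python
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist of C2 hosts/netblocks (RFC 5737 documentation ranges, not real IoCs).
KNOWN_C2 = [
    ipaddress.ip_network("192.0.2.44/32"),
    ipaddress.ip_network("198.51.100.0/29"),
]

# Constructed firewall log lines in a simple syslog-like key=value format.
SAMPLE_LOGS = """\
2007-10-04T09:12:01 fw1 ALLOW src=10.1.4.22 dst=192.0.2.44 dport=6667 proto=tcp
2007-10-04T09:12:03 fw1 ALLOW src=10.1.4.22 dst=203.0.113.80 dport=80 proto=tcp
2007-10-04T09:13:44 fw1 ALLOW src=10.1.7.9 dst=198.51.100.7 dport=443 proto=tcp
2007-10-04T09:14:10 fw1 DENY src=10.1.4.22 dst=192.0.2.44 dport=6667 proto=tcp
2007-10-04T09:15:00 fw1 ALLOW src=10.1.9.3 dst=203.0.113.5 dport=25 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<sensor>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)"
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None so malformed lines are skipped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec

def is_known_c2(dst, blocklist):
    """True if the destination falls inside any listed host or netblock."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in blocklist)

def correlate(log_text, blocklist):
    """Summarise, per internal source host, all contact attempts with listed C2 addresses.
    DENY lines count too: a blocked beacon is still evidence the host is infected."""
    hits = defaultdict(lambda: {"events": 0, "c2": set(), "ports": set(), "first_seen": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_known_c2(rec["dst"], blocklist):
            continue
        summary = hits[rec["src"]]
        summary["events"] += 1
        summary["c2"].add(rec["dst"])
        summary["ports"].add(rec["dport"])
        summary["first_seen"] = summary["first_seen"] or rec["ts"]
    return dict(hits)
```

Running `correlate(SAMPLE_LOGS, KNOWN_C2)` flags 10.1.4.22 (two attempts to one C2 host) and 10.1.7.9 (one hit inside the listed netblock) while leaving 10.1.9.3 alone.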
Arbor, which markets technologies used by enterprises, ISPs, and other carriers to monitor for attacks in the traffic flowing over large networks, has launched an updated version of its PeakFlow SP platform, which includes new capabilities for sniffing out botnets.
Among the package upgrades that will help separate zombie activity from legitimate traffic are new capabilities that help network operators see what type of applications are responsible for individual packets of data, company staff said.
As well as helping carriers and large enterprises figure out how to best align their network resources to adjust to the growing adoption of emerging technologies like VoIP, the latest version of PeakFlow will allow the companies to identify botnet attacks before they ever reach end-users, cutting off the threats further upstream, said Rob Malan, Arbor's co-founder and CTO.
"We're finding that with all the latent firepower in the networks, there are greater numbers of botnet controlled endpoints. You have all these homes and offices that have been connected to broadband, and they're being targeted, and dealing with the problem is at the top of a lot of the carriers' priorities," Malan said.
Industry watchers said that customers are looking for ways to fight the botnet issue but contend that they remain wary of being forced to pay for additional products to address the problem.
Andrew Jaquith, a security analyst for Yankee Group, said many large corporations remain unaware of botnet activity on their networks, as proven by the "30 Days of Bots on the Fortune 500" project carried out by software maker Support Intelligence, which highlighted the presence of zombie PCs on IP addresses controlled by massive firms, including Intel, Nationwide Insurance and Bank of America.
Jaquith said that while more of the infections are being discovered all the time, he believes that the undiscovered botnet issue may be the biggest untold security story of 2007.
The analyst said that customers are desperate to prevent the attacks, but he believes that if carriers attempt to turn anti-botnet technologies into paid services, then enterprises might begin pushing back.
"It's encouraging to see activity that's looking to solve the problem, but it's hard to tell if there will be a market for paid products and services, especially when the industry could use some simpler root cause techniques to address it instead of adding technology," Jaquith said.
"Enterprises like those named by Support Intelligence might have an interest, and for carriers it makes sense if they approach it the right way, but they might find that they do not get a good reception from enterprises if they're looking to add more charges."
The analyst contends that carriers should be responsible for protecting customers against botnets and that they could already do so if they adopted more of a white-list style approach to the types of traffic they allow onto their users' networks.
"I'm not sure if the world needs more solutions to solve this problem; what would really be helpful would be if carriers would stop pretending that they simply provide dumb pipes that deliver traffic," he said.
"The approach shouldn't be charging for extra services to keep the network clean," Jaquith said. "It would be much better if they were to limit the types of acceptable traffic in general and deny anything unusual unless customers want to pay for extra services because they support the types of traffic in which the botnet attacks are typically hidden."