Feeds

Trend Micro to kick butt on botnets

BASE thinking

SANS - Survey on application security programs

Trend Micro has declared war on botnets, opening a zombie PC pest control service for ISPs and other big network providers.

The security software firm's weapon of choice uses in-house-developed software called the Behavioral Analysis Security Engine (BASE). This is bundled with a hardware appliance and per-seat pricing to form the InterCloud Security Service (ISS). A team of Trend Micro researchers identifies botnets for this service.

ISS goes live in Q4 and will have some as yet unnamed first day customers trading up from the beta program, Trend says. Pricing is not on the table at time of writing.

According to Trend's CTO, Dave Rand, ISS represents the first phase of a multi-year project for the company. "We expect to kick butt on botnets," he declared today. But he readily acknowledges that the enemy is resourceful and the fight won't be easy.

Botnets are networks of virus-infected PCs under the control (hence the term zombie, they have no independent life of their own) of black hat hackers, also known as botherders or botmasters. They can be huge, sometimes containing hundreds of thousands of zombies, and are used for nefarious purposes - DDOS attacks, phishing and other spam, gleaning personal data for a spot of identity theft, and click fraud spring immediately to mind. Also, botnets clog up internet traffic, causing aggravated headaches and bandwidth charges for the ISPs.

Zombie phone home

The first thing that a PC does when compromised is to phone home to the botherder, to receive new instructions or to download more software. Almost always, the zombie has to resolve the location of the botherder via DNS - as no sane botherder will live behind a fixed IP address. This handshake between bot and botherder manifests itself in "abnormal communication sequences", that ISS identifies and tracks. When the zombie PC requests a DNS resolution, the ISS hardware appliance can in real-time either ignore, redirect, or block the traffic - actions that are predefined by the network administrator.

To fight bots, Trend Micro uses behavioral analysis - an industry first, it claims. This approach, as opposed to, say, looking for the signatures or definitions of known viruses, is easily the best way to handle the mutating versions of malware released ever more quickly into the wild, it claims. According to Rand, botherders are becoming increasingly sophisticated, releasing code to grab maybe 5,000 PCs and, when they reach their target, throwing away the code never to use it again. From here it is one small step to change code for every 500 computers, or even for five computers, he says. "We are fighting people, not technology. This is an arms race. They (the botherders) are going to change, and we are going to have to change in response. It is going to be a long battle."

The internet industry is under pressure to do something about botnets. Last year the FTC joined a group of 35 government agencies worldwide in launching Operation Spam Zombie, a campaign urging ISPs to identify and quarantine customers whose PCs had been infected.

Identification is not the problem, but quarantine and repair are different matters, according to Rand. His company has alerted a French ISP to a 500,000-strong botnet: five zombies a day are being removed from the network. "At this rate it will take 271 years to clean-up," he notes.

It is all very well calling on ISPs to do something about botnets, but to date the IT security industry has "not given them the tools that they need", he says. So the most common reaction of ISPs to the botnet scourge is the "ostrich approach: put your head in the sand and hope it goes away."

But ISPs should take a more active approach in looking after the security of their customers: "It is not fair for my mother to be looking after the security of her Windows XP PC," he says.

ISPs shouldn't merely do this for the good of the internet; services such can also be a profit center, according to Rand. They could, for instance, identify repeat offenders, people whose PCs are infected often, and advise or insist that they buy anti-virus software online from - guess who?

Trend will also market ISS to enterprises and the public sector. While the vast majority of zombie PCs live in ISP-land, the consequences of infection for corporations and government agencies are much worse. "After all that's where the money [and sensitive information] is," Rand says.

Press release here. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
prev story

Whitepapers

Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.