A slew of software companies new and old are shipping tools aimed at slowing the botnet epidemic, but the emergence of this new market is seen by some analysts as an indictment of the existing anti-malware industry.
With reliable statistics showing a dramatic rise in botnet-related computer infections, venture capitalists are now pouring money into startups with technology promising to find and eradicate backdoor Trojans, keystroke loggers and stealth rootkits.
The latest company to cash in is NovaShield, a nine-employee company working on a specification-based monitoring product capable of identifying malicious botnet-related activities in real-time. The company has raised $5 million in two rounds of financing, including a small business innovation research grant from the U.S. National Science Foundation.
“These are new threats with new types of opportunities [for technology companies],” said Somesh Jha, co-founder and chief scientist at NovaShield. “My view is you can’t use old, signature-based technology to protect against malware associated with botnets. You have to look ahead a bit, focus on finding ways to stop botnet communications.”
Botnets – broadband-enabled PCs hijacked and seeded with software that connects to a server to receive communications from a remote attacker – have emerged as the key hub for well-organized global crime rings. The bandwidth stolen from these compromised computers – called drones or zombies – is used to steal money via spam, denial-of-service attacks and other nefarious Internet activities.
NovaShield’s technology, now in beta, will be sold to consumers and licensed to businesses. It will work alongside existing anti-virus and anti-malware defenses, providing another layer of desktop and network security.
Other companies cashing in on what is widely viewed as a gap in traditional anti-malware coverage include: Damballa, a venture-backed company with roots at the Georgia Institute of Technology; FireEye, a startup funded by Sequoia Capital; Sana Security, which sells behavioral security software; and PC Tools software. Several big-name anti-virus players, including Symantec and Trend Micro, have already shipped standalone anti-botnet utilities, suggesting that Trojans and other botnet-related software should be treated as a separate product category.
This does not sit well with Andrew Jaquith, an analyst with The Yankee Group. “It’s not a good thing that security products are failing and not catching all the threats. The fact that there’s a perceived market need [for anti-botnet protection] is an indictment of anti-virus companies in general,” Jaquith said.
“It reminds me of the spyware market,” he added, noting that several companies marketed anti-spyware tools on top of anti-virus subscriptions.
“It’s a classic cycle,” said Jose Nazario, a botnet tracker and a senior software engineer at Arbor Networks. “It’s spyware all over again. New gaps emerge and new products and companies emerge.”
A Case of Double-Dipping
For companies such as Symantec, which sells the Sana-powered Norton AntiBot and anti-malware subscriptions, it’s a nickel-and-dime situation.
Symantec officials say Norton AntiBot is for a specialized, technical market segment looking for high-end tools to deal with botnets, but Jaquith said it’s a case of anti-malware companies double-dipping.
“Ultimately, it’s hard for an enterprise to justify paying twice for botnet protection when they’re already paying for anti-malware protection,” he said. “You can make the argument that anti-botnet can be intrusion and extrusion detection and pay for that as a separate layer of defense, but even that’s a bit of a stretch.”
John Mitchell, professor of computer science at Stanford University and co-director of the Stanford Computer Security Lab, said there has been a noticeable shift in the types of emerging zero-day malware threats that result in identity theft, computer crashes and drive-by malware downloads.
“Current technologies are slow to adapt,” Mitchell said, suggesting there’s a legitimate need for newer, more powerful products capable of disrupting botnet activities.
Dan Geer, vice president and chief scientist at Verdasys, said traditional anti-virus technologies “have peaked” and are unable to cope with the rapid pace of sophisticated virus payloads. “I don’t think anti-virus protection can get better than it is today. The problem with that is that, when anti-virus fails, the effects of a successful attack are difficult to reverse,” Geer said.
This is where anti-botnet tools come in, said Tripp Cox, Damballa vice president of engineering. The 25-employee company has raised about $8 million and has introduced two enterprise-facing products that promise protection from bot armies.
Damballa’s products, which include an in-the-cloud monitoring component that runs alongside technology deployed on corporate networks, can be used to identify and isolate communications between compromised drones and the command-and-control centers on the Internet that pass instructions between hijacked machines.
“The threat itself is no longer just a virus or a piece of spyware. It’s a multi-network, multi-faceted type of threat,” Cox said. “There are multiple command-and-controls and multiple attack capabilities. You really can’t depend on anti-virus protection anymore. If you are running a business, you need a combination of multiple security tools. Signature-based anti-virus serves an important purpose, but you can’t look at bot armies the same way you look at a virus attack. There are bots that can update themselves every 30 minutes. You can’t expect signature-based anti-malware on a desktop to be effective against that.”
For Damballa, NovaShield and the venture capital firms pumping money into anti-botnet solutions, that’s the marketing message.