Security Watch

Keeping Track of patches and hacks in the IT security world.

Botnet Trackers: Stop Zombies Now or Pay Later

Some might say it's slightly self-serving for a company that sells anti-botnet technology to blame the nefarious zombie networks of infected PCs for a lion's share of today's cyber-attacks, but despite any reservations you might harbor to that end, it's clear in chatting with the folks from Damballa that the

Some might say it's slightly self-serving for a company that sells anti-botnet technology to blame the nefarious zombie networks of infected PCs for a lion's share of today's cyber-attacks, but despite any reservations you might harbor to that end, it's clear in chatting with the folks from Damballa that the effect of today's sprawling worldwide botnet infrastructure should likely not be underestimated, no matter whom you're speaking with.

On a tour last week to promote its new Failsafe 3.0 appliance, which promises to examine traffic patterns within enterprise networks to root out potential botnet communications and block the threats, Damballa's leaders shared their insight, and some pretty interesting research, from their recent experiences in battling the seemingly unstoppable spread of compromised endpoint networks.

Based on its monitoring of customer networks and other active infrastructure, the vendor estimates that traditional antivirus and IDS/IPS systems fail to capture somewhere between 20 percent and 70 percent of newly emerging malware attacks (that'd be roughly 50 percent as a whole, right?), including everything from targeted attacks and widespread Trojans.

This lack of effective defense is being driven by the proliferation of botnets that have infiltrated enterprise networks and serve as a turbocharged delivery vehicle for the full litany of attacks, claims Damballa CEO Steve Linowes.

Unless organizations adopt new security systems like its own, and move away from dependence on traditional signature-based AV systems, they've got little chance of stopping today's cutting-edge malware campaigns, the thinking goes. To see evidence that its claims aren't overstated, one need only observe the absolute havoc currently being wreaked by the Conficker botnet, Damballa executives said.

Conficker has proven so dastardly that a coalition of influential technology providers and regulators, including ICANN, Microsoft, VeriSign, F-Secure and others have banded together to try to stop its spread. The fact that virtually an entire industry has been forced to join together to stop one botnet-driven attack proves just how immense the problem has grown, the anti-botnet specialists claim.

"What we're saying is that you need something that can look at the malware and how it is moving across networks, and combine that with other intelligence to watch for the types of traffic that indicate communication back to a botnet command and control center," said Linowes. "The use of botnets as a primary driver of subsequent malware activity is a fundamental shift in the manner that the bad guys are doing business; enterprises may not want to hear that they need another layer in addition to AV and IDS, but this is an issue that demands a unique approach to stop it."

According to a study that Damballa conducted over a period of six months, one of the "leading industry AV tools" [rumored to by others to be McAfee's] caught only 50 percent of the 200,000 new attacks thrown at it, with the "typical gap between malware release and detection/remediation" using AV alone at a lengthy 54 days. On top of that, as many as 15 percent of the malware samples remained undetected after 180 days, according to the study.

That's just not going to cut it, the experts maintain.

"The fact is that botnets have become the leading platform for eCrime, because the botnet masters can get a tiny foothold within your network and sit there silently waiting for that moment when they reach out and pull in attacks that the people behind this know will beat AV and IDS for the most part," said Bill Guerry, vice president of product management at Damballa. "Trying to go after the botnet itself is much more effective in terms of eliminating the root cause of a good deal of this activity, rather than simply trying to identify every new attack and waiting for a signature from your AV provider."

The Damballa leaders don't of course recommend that anyone ditch their AV and IDS for its solutions alone, but the botnet problem has become so substantial that it can no longer be resolved without dedicated technological resources, they said.

One of the biggest strengths of its approach is that by looking at emerging botnet activity "in the cloud" and trying to stop the attacks before they can infiltrate networks in the first place - via the use of new intelligence fed down into its appliances, subsequent threats that lead to data breaches and almost anything else unpleasant that you can think of can be stopped before they can take root, Damballa's leaders maintain.

I can feel CIOs cringing as they read this and again ask themselves, "where does it end?" in terms of the seemingly endless cat and mouse game that continues to play out between attackers and the technologies that organizations are being told they must employ to stop the latest threats aimed at their IT assets.

But whether you subscribe to Damballa's solution to the problem, or alternatives pitched by people like Arbor Networks [carrier-level pattern filtering] or traditional endpoint security players including Symantec and McAfee [another feature in the endpoint suite], there's little question that organizations of all kinds are truly struggling to deal with this problem.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to [email protected].