Keeping an Eye on Botnets

FireEye combines a global intelligence network with locally deployed appliances to thwart botnet activity.

Officials at network security firm FireEye have their eyes on botnets and their minds on a strategy that mixes a new anti-botnet appliance with a global intelligence and analysis service.

FireEye has integrated its FireEye Botwall 4000 appliance with its Botwall Network, a subscription-based botnet discovery and analysis service. According to the company, the service catalogs and disseminates botnet characteristics derived from malware analyses that are conducted by interconnected networks of FireEye Botwall appliances deployed at Internet service providers around the world.

"The FireEye Botwall Network is continuously analyzing Internet traffic for botnets and cataloging their whereabouts and activities," said Ashar Aziz, CEO of FireEye. "Enterprise customers participate in the global anti-bot analysis by contributing botnet characteristics and other analysis back into the global Botwall Network."

Customers are in constant contact with the network, both providing and gaining intelligence in real time. This intelligence can be used by customers to spot new bots that are speaking from within their networks to known botnet command control centers, or propagating newly found botnet malware attacks, Aziz said.

The way this works is that the appliance uses intelligence from the service to provide on-site botnet propagation analysis, create reports and issue alerts to keep IT organizations abreast of botnet infiltration. Customers can also stop the growth of botnets and unauthorized communications using techniques including port level blocking, OSPF null routing and TCP connection resets, FireEye officials said.

Subscribers can opt out of contributing botnet analysis and instead set a contact interval—every few minutes or hours for example—to gather new Botwall Network intelligence for use within their local Botwall appliances, he added.
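As an added illustration of the local side of this arrangement (example code written for this article, not FireEye's; the catalog entries and connection records are constructed, using reserved documentation addresses and `.invalid` names), the check below matches a sensor's own outbound connection records against a refreshed intelligence catalog. Keying the catalog on domain names as well as addresses is what keeps the check useful against the fast-flux DNS Aziz mentions later in the article, where the addresses behind a command-and-control name change faster than any IP list can be updated.

```python
from dataclasses import dataclass

# Constructed sample of an intelligence catalog as a local appliance might
# receive it on each contact interval (not real indicators).
C2_INTEL = {
    "ips": {"203.0.113.10", "198.51.100.7"},
    "domains": {"c2.example-botnet.invalid", "update.flux.invalid"},
}

# Constructed connection records as a local sensor might log them:
# (internal host, destination IP, destination port, resolved name or None).
FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6667, None),                       # C2 known by IP
    ("10.0.0.8", "192.0.2.44", 443, "update.flux.invalid"),         # fast-flux name on a new IP
    ("10.0.0.9", "192.0.2.80", 443, "www.example.org"),             # benign
    ("10.0.0.5", "198.51.100.7", 80, "c2.example-botnet.invalid"),  # IP and name both known
]

@dataclass(frozen=True)
class Alert:
    host: str
    dest: str
    port: int
    matched_on: str  # "ip", "domain" or "ip+domain"

def find_c2_contacts(flows, intel):
    """Return one Alert per flow that touches a cataloged C2 address or name."""
    alerts = []
    for host, ip, port, name in flows:
        hits = []
        if ip in intel["ips"]:
            hits.append("ip")
        # The domain match is what still fires when a fast-flux C2 rotates to
        # an address the catalog has not seen yet.
        if name is not None and name.lower() in intel["domains"]:
            hits.append("domain")
        if hits:
            alerts.append(Alert(host, ip, port, "+".join(hits)))
    return alerts

def infected_hosts(alerts):
    """Distinct internal hosts to isolate, sorted for stable reporting."""
    return sorted({a.host for a in alerts})

if __name__ == "__main__":
    found = find_c2_contacts(FLOWS, C2_INTEL)
    for a in found:
        print(f"ALERT {a.host} -> {a.dest}:{a.port} (matched on {a.matched_on})")
    print("hosts to isolate:", infected_hosts(found))
```

The flow to 192.0.2.44 is caught only because the catalog carries the name; an IP-only feed would have missed it until its next refresh.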

At the center of all FireEye Botwall appliances is the company's FACT (FireEye Analysis and Control Technology) engine, which analyzes network traffic for botnet malware and botnet command and control server communications within virtual victim machines.

"By analyzing suspicious network traffic flows within virtual victim machines, customers gain a new level of security accuracy and are freed from depending on signature feeds or conducting further manual analysis on network anomaly events," Aziz said. "By instrumenting the virtual machines, we are able to definitely confirm a botnet infiltration attempt as well as run the bot malware to analyze who it communicates with…and what it is doing."

"Because we have deployed FACT engines around the Internet, we have been able to analyze and collect botnet information in machine time instead of using manual human analysis within the FireEye Botwall Network," he added. "[We're] thereby able to keep up with the rapidly shifting tactics of bot herders, including the use of fast flux DNS and p2p technologies."

The company is far from the only corporation concerned with botnets. Symantec officials released Norton Antibot earlier this year, and companies such as Mi5 have added anti-botnet capabilities inside the network firewall to provide greater visibility into internal network activity and inbound and outbound traffic.

Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.