Trend Micro announced a new service to help large organizations and Internet service providers (ISPs) fight networks of zombie machines, known as "botnets."
The new service, dubbed InterCloud, was announced Monday and is intended to help organizations fight botnets, fast-changing networks of rogue computers that are used in denial of service (DoS) attacks, spam campaigns, identity theft, and other malicious acts. The new service uses behavioral analysis technology developed by Trend, known as the Behavioral Analysis Security Engine (BASE), to spot and isolate bot machines on managed networks, according to Paul Moriarty, director of product development for Internet Content Security at Trend.
BASE analyzes application and network infrastructure data, such as DNS queries and Border Gateway Protocol (BGP) routing tables. The engine can spot behavior indicative of bots, such as an abnormal series of DNS queries.
The service also uses data from Trend's global network of researchers and customers to provide intelligence on new or evolving bot activity. The company's Bot Identification Team identifies and monitors bot activity globally, Trend said.
InterCloud relies, in part, on a new, hardened and revamped DNS server that allows Trend to aggregate suspicious data and report on host systems that may be infected with bot programs, Moriarty said.
"We can take a day's worth of DNS logs and tell them how many spambots or zombies they have. That's a capability that most ISPs lack," he said.
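The kind of per-host analysis of a day's DNS logs that the article describes, reduced to two simple behavioral signals (bulk MX lookups, which spambots generate, and a high NXDOMAIN ratio). This is an added illustration, not Trend's BASE engine or its code; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample DNS log (not real data): client, query name, type, rcode.
# 10.0.0.5 resolves MX records for many unrelated domains (spambot pattern);
# 10.0.0.9 gets mostly NXDOMAIN (probing for a rendezvous domain); 10.0.0.2 is ordinary.
SAMPLE_LOG = """\
10.0.0.2 www.example.com A NOERROR
10.0.0.2 mail.example.com A NOERROR
10.0.0.5 example-a.test MX NOERROR
10.0.0.5 example-b.test MX NOERROR
10.0.0.5 example-c.test MX NOERROR
10.0.0.5 example-d.test MX NOERROR
10.0.0.5 example-e.test MX NOERROR
10.0.0.9 q1x9.invalid A NXDOMAIN
10.0.0.9 zz71.invalid A NXDOMAIN
10.0.0.9 m4k2.invalid A NXDOMAIN
10.0.0.9 www.example.org A NOERROR
"""

def parse_log(text):
    """Yield (client, qname, qtype, rcode) tuples, skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield tuple(fields)

def profile_clients(records):
    """Per-client counters a behavioural engine would aggregate over a day of logs."""
    stats = defaultdict(lambda: {"total": 0, "mx": 0, "nxdomain": 0})
    for client, _qname, qtype, rcode in records:
        s = stats[client]
        s["total"] += 1
        s["mx"] += int(qtype == "MX")
        s["nxdomain"] += int(rcode == "NXDOMAIN")
    return stats

def flag_suspects(stats, mx_threshold=5, nx_ratio=0.5, min_queries=4):
    """Return {client: reason}; thresholds are illustrative assumptions, not Trend's."""
    suspects = {}
    for client, s in stats.items():
        if s["mx"] >= mx_threshold:
            suspects[client] = "many MX lookups (spambot pattern)"
        elif s["total"] >= min_queries and s["nxdomain"] / s["total"] >= nx_ratio:
            suspects[client] = "high NXDOMAIN ratio (rendezvous-domain probing)"
    return suspects

def analyse(text=SAMPLE_LOG):
    """Full pipeline: parse, profile, flag."""
    return flag_suspects(profile_clients(parse_log(text)))
```

On the sample log the pipeline flags 10.0.0.5 and 10.0.0.9 and leaves the ordinary workstation alone; in practice the thresholds would be tuned against a baseline of known-clean hosts.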
InterCloud customers can remediate infected systems by denying them access to the network, or by quarantining them and pushing out necessary updates or scanning and disinfecting them, said Dave Rand, CTO of Trend's Internet Content Security group.
The InterCloud service includes a Web-based management portal for viewing and reporting on bot activity and managing security policies, Trend said.
Botnets are one of the fastest growing and most dangerous online threats (http://www.infoworld.com/article/06/01/19/74343_HNbotnetstrace_1.html), said Rand. On any day, Trend tracks millions of infected systems that have been joined to one of a number of global bot networks. But bot infections can also spike, depending on the availability of easy-to-exploit security holes, such as the recent VML vulnerability in Microsoft's Internet Explorer browser, or the Windows Server Service vulnerability that was disclosed by Microsoft in August.
Trend identified more than 250,000 new bots each day for the two days after an exploit was developed for the Server Service hole, which Microsoft patched with MS06-040. Typically, the company might identify 250,000 new bots over the course of a month, Moriarty said.
Trend researchers are also spotting many more targeted attacks, in which bots are being written for specific purposes, such as culling sensitive information from the targeted network, then forwarding it back to a command and control server, usually in a foreign country. Many of those appear aimed at identity theft, or espionage against the U.S. government or government contractors.
Few enterprise security products can scale to support hundreds of thousands or millions of hosts, which means that ISPs and very large organizations often rely on internal security teams and products to manage security. However, those company-focused teams lack the broad perspective that companies with global research operations and a global customer base can muster, Moriarty said.
InterCloud, which will be licensed by the seat, will offer ISPs the prospect of turning security into a profit center, by focusing attention on the relatively small number of infected systems, then targeting their owners with software, such as Trend's Web-based HouseCall antivirus scanner, that can clean their systems and keep them from becoming reinfected. ISPs could then get a share of any software sales made through that channel, Moriarty said.
Trend Micro will feature InterCloud Security Service and the BASE technology at DEMOfall '06 this week in San Diego.