The evolution of bot/zombie malware from a spam delivery mechanism to a criminal tool for keystroke logging and identity theft is pushing broadband service providers to a tipping point. Even the Feds are concerned. In May of last year, the Federal Trade Commission called on more than 3,000 ISPs to take zombie-prevention measures. Since this malware resides on subscriber devices, removing it from high-speed networks is a labor-intensive and cost-prohibitive process. Let’s examine the technical challenges and approaches available to network operators for purging their networks of zombies and botnets.
Blocking is not getting the job done
The current approach to the problem — blocking outbound bot/zombie traffic using filters — clearly is not the answer. This solution treats the symptom, not the disease. Meanwhile, infected subscribers remain vulnerable and unaware their machines have been compromised. According to a recent report by Microsoft Corp., more than 60 percent of Windows PCs scanned by Microsoft’s Windows Malicious Software Removal Tool between January 2005 and March 2006 were found to run malicious bot software. From a carrier perspective, botnet traffic overloads network filters, disrupts traffic flow and impedes the delivery of legitimate content.
What’s at stake?
Most bot malware runs undetected by subscribers. Increasingly, this criminal-ware is being used to steal personal information and commit fraud. Despite the best efforts of antivirus vendors, the growing sophistication of bot infection techniques is outpacing protection products. Furthermore, a sizable population of broadband subscribers will continue to ignore Internet security guidelines and fall prey to botherding attacks.
Service providers, on the other hand, know which subscriber machines on their networks are violating Acceptable Use Policies (AUP) and are likely to be controlled by a botmaster. These bots not only threaten subscribers, they also generate customer support calls, consume core network bandwidth and application server resources, and generate operational expenses associated with addressing AUP violations. The challenge for network operators is developing an automated solution for notifying subscribers that their machines are compromised and quarantining the device in a user-friendly environment where they can access disinfection tools and resources.
A four-step process for killing zombies
The majority of the data and resources needed to purge bot-infected computers from carrier networks are already in place. Implementing an automated solution to this problem requires a four-step closed-loop system that performs reputation accrual, quarantine isolation, remediation and reputation monitoring.
Reputation Accrual
Reputation accrual tracks host activity on the network. Based on this activity, each host accrues a reputation that is rated as inside or outside of AUP. Once established, this reputation should be published and readily accessible via a local query so that peer components can utilize reputation to allow, deny and prioritize services such as e-mail, browsing and voice.
Quarantine Isolation
Quarantine isolation redirects noncompliant subscribers into a state that only allows a facility to correct the problem. The quarantine switch should operate at an application level and redirect all SMTP, POP3 and HTTP traffic to a server where the PC can reside until it is disinfected. The switch should be instant and provide a means for the subscriber to opt back onto the network automatically or request more time to address the problem.
Remediation
The update and remediate function should place subscribers in a user-friendly walled garden or portal where they are presented with access to online resources to diagnose the problem and tools or services to remove viruses and repair machines.
Reputation Monitoring
Finally, reputation monitoring should enable proactive management when problems occur.
For zombie spam, alerts should be triggered when an IP address is added to a public reputation service such as Spamhaus and potentially may be blocked by a receiving mail system.
Leveraging DNS
A key requirement for any zombie/bot elimination system is the ability to inspect, intercept and redirect DNS traffic. This is a concept we call DNS switching. Using this approach, a network element that sits inline with DNS traffic is used to apply policy and reputation to determine when and where to forward requests to backend name servers or respond with a fixed answer that redirects a user to specialized services. For example, a reputation-enabled DNS switch could check the reputation of a PC each time name services are requested. For subscribers with a negative reputation (e.g. zombie infected), the DNS switch can redirect traffic to a remediation portal to help the subscriber remove malware from the PC.
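The following is an added illustration of the DNS switch described above; it is not code from this article or from Simplicita. It parses a client query, consults a constructed reputation table keyed by subscriber IP, and either forwards the query to the backend resolver or answers it with a fixed A record pointing at an assumed remediation-portal address (the table contents, the portal IP and all function names are assumptions).

```python
import struct

# Constructed reputation table (subscriber IP -> AUP state) and an assumed walled-garden address.
REPUTATION = {"203.0.113.10": "inside_aup", "203.0.113.77": "outside_aup"}
REMEDIATION_PORTAL_IP = "192.0.2.50"

def build_query(txid, name, qtype=1):
    """Constructed stub-resolver query, used here only to drive the switch."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_query(packet):
    """Return (txid, qname, qtype, end_of_question) or None for malformed input."""
    if len(packet) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:      # responses or multi-question packets: not ours
        return None
    labels, pos = [], 12
    while pos < len(packet) and packet[pos] != 0:
        n = packet[pos]
        if n & 0xC0 or pos + 1 + n > len(packet):   # no pointers allowed in a question
            return None
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    pos += 1                                 # skip the terminating zero label
    if pos + 4 > len(packet):
        return None
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4

def fixed_answer(packet, txid, qend, ip=None):
    """Reply echoing the question plus, if `ip` is given, one A record with TTL 0."""
    ancount = 1 if ip else 0
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR, RD, RA, NOERROR
    rr = b""
    if ip:  # name pointer to offset 12, type A, class IN, TTL 0 so it is not cached after reinstatement
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 0, 4) + bytes(int(o) for o in ip.split("."))
    return header + packet[12:qend] + rr

def dns_switch(packet, src_ip, forward):
    """Outside-AUP hosts get the portal (A) or an empty answer; others are forwarded."""
    q = parse_query(packet)
    if q is None:
        return None                          # drop malformed packets instead of forwarding them
    txid, qname, qtype, qend = q
    if REPUTATION.get(src_ip) == "outside_aup":
        return fixed_answer(packet, txid, qend, REMEDIATION_PORTAL_IP if qtype == 1 else None)
    return forward(packet)
```

In a deployment the `forward` callable would relay the query to the backend name servers, and the reputation lookup would hit the published store rather than an in-memory dict.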
Just as network-based spam filtering and antivirus protection now are expected services from network operators, subscribers soon will demand the same protections against bot infection. The existing DNS infrastructure provides a ready-made mechanism upon which to deploy an automated system to contain and kill zombies.
Robert Fleischman is co-founder and CTO of Simplicita, a vendor of security software for ISPs.