July 30th, 2007
Can Trend Micro's botnet identification service make a difference?
Trend Micro today rolled out its SecureCloud software-as-a-service platform with a new Botnet Identification Service (BIS) to help find botnet command-and-control servers and block communications between them and the zombie PCs they control.
Geared towards ISPs and enterprise customers, the botnet ID service can be used to block communication to/from command-and-control servers; prevent bots from launching spam and crime-related attacks; deliver real-time updates directly to routers and network systems; and allow bot-infected PCs to continue to access other Web sites.
The approach by Trend Micro to deliver this as a service — pricing for 500,000 users is 9 cents per user — is hardly unique (Cloudmark, Arbor Networks and others are already delivering botnet mitigation products).
[ SEE: ‘Operation Bot Roast’ nets million-strong botnet operation ]
While it does help businesses, and particularly ISPs, to deal with the out-of-control botnet scourge, there’s a feeling that many service providers can’t be bothered to spend money on botnet mitigation for end users.
Last October, while writing a cover piece for eWEEK on the battle to cope with botnet-related crime, I got the feeling from talking to those in the trenches that this battle is already lost — mostly because the smaller ISPs see no ROI associated with mitigating bot-infected machines.
Worse, even if an end user machine is cleaned of bots or removed from a particular botnet, they are routinely reinfected or moved to join a different zombie army.
[SEE: Botnet herders pounce on Windows DNS RPC flaw ]
Take a look at these botnet command-and-control statistics from the Internet Security Operations Task Force (ISOTF) to get a sense of how the mitigation effort struggles with network operator bureaucracy.
Amidst the stagnation and bureaucracy, botnet herders are becoming smarter about avoiding command-and-control takedowns. The recent appearance of fast-flux DNS in botnets points to a new layer of sophistication in these crime networks and confirms ongoing fears that the botnet battle has been lost for good.
Trend Micro’s new service may provide some respite for those willing to pay but don’t look for it to make a serious difference in the larger battle.
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.
For daily updates on Ryan's activities, follow him on Twitter.
Subscribe to Zero Day via Email alerts or RSS.
