A recent column by John Dix in Network World paints a rather depressing picture of the state of the Internet when it comes to malware. Mr Dix points out that there are millions of compromised computers (bots) out there and that, while network security teams can block some of the worst of them, many others cannot be blocked because they are quiet enough to slip past current IPS/IDS and similar devices. His essential claim is that we simply have to assume that every network is either already penetrated by cyber-criminals or vulnerable to penetration. The article quotes various security professionals as saying that the dangerous bot attacks are stealthy and slow moving, with the attack gradually building up to its most serious level over a period of days or even weeks.
He indicates that the Zeus botnet is one of the ones people can protect against, which is somewhat ironic: just a day later The Register and others reported a major data breach caused by Zeus that appears to have netted about $1 million from some UK banks.
The latter article clearly illustrates the weak point of these attacks: the infected machines need to "call home" to the command and control (C&C) host to get instructions and to report passwords and other sensitive data. This, combined with the slow-motion attack profile that Mr Dix's experts describe, is why he is wrong. If a call-home attempt is blocked and logged, the bot never receives its instructions, and because the attack builds slowly, the defender has time to find and clean the infected host before it does serious damage. Malware research groups such as Shadow Server, the Malware Threat Center and others are able to identify the currently active C&C hosts for almost all botnets, and to identify the networks that are likely to be used as a base for bot controllers. At ThreatSTOP we build block lists of these IP addresses that our subscribers can use to stop and log any "call home" attempt.
One of our subscribers, who discovered a botnet on his network thanks to ThreatSTOP, was recently able to take a long vacation for the first time in years, because there are now no more than a handful of infected computers on his network at any one time instead of up to 1,000. Moreover, the process of downloading the list of infections each morning and remedying the compromised systems is now something he can leave to a junior member of staff.
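To make the "call home" check and the morning infection list concrete, here is an added example. It is not ThreatSTOP's own code and does not reflect the format of its lists; it assumes a block list of single IPs and CIDR ranges, one per line, and outbound flow records of the form "timestamp src dst dport". Both the list and the log lines are constructed for the example. The script matches every outbound destination against the list (so a controller in a listed hosting range is caught even if that exact address was never seen before), aggregates the hits per internal host to produce the list of machines to clean, and emits the corresponding iptables LOG and DROP rules so the same list can stop the traffic at the edge.

```python
"""Detect and block 'call home' traffic with a C&C block list.

Added example, not ThreatSTOP's own code or list format. It assumes:
  * a block list of single IPs and CIDR ranges, one per line (constructed)
  * outbound flow records 'timestamp src_ip dst_ip dst_port' (constructed)
Internal hosts use RFC 1918 space; the listed addresses are RFC 5737
documentation ranges.
"""
import ipaddress
from collections import defaultdict

# Constructed block list: one C&C host plus two ranges used by controllers.
BLOCKLIST_TEXT = """
# C&C hosts and controller-hosting ranges (constructed sample)
198.51.100.7
198.51.100.200/29
203.0.113.0/24
"""

# Constructed outbound flow log: one internal host talks repeatedly to a listed
# C&C, one reaches a listed range, one hits an address just outside a range.
FLOW_LOG = """
2010-08-11T06:01:03 10.0.5.21   198.51.100.7    80
2010-08-11T06:01:09 10.0.5.21   93.184.216.34   443
2010-08-11T06:02:44 10.0.7.3    203.0.113.45    8080
2010-08-11T06:03:01 10.0.5.21   198.51.100.7    80
2010-08-11T06:05:30 10.0.9.140  198.51.100.203  443
2010-08-11T06:06:12 10.0.9.140  198.51.100.199  443
"""


def parse_blocklist(text):
    """Turn the list into ip_network objects; a bare IP becomes a /32."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and blanks
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def lookup(dst, nets):
    """Return the block-list entry that covers dst, or None."""
    addr = ipaddress.ip_address(dst)
    for net in nets:
        if addr in net:
            return net
    return None


def find_call_home(log_text, nets):
    """Map each internal host to the listed destinations it contacted and how often."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                       # skip blank and malformed records
        _ts, src, dst, dport = parts
        net = lookup(dst, nets)
        if net is not None:
            hits[src][f"{dst}:{dport} ({net})"] += 1
    return {host: dict(dests) for host, dests in hits.items()}


def infected_hosts(log_text, blocklist_text):
    """The morning list: internal hosts that attempted a call home."""
    return sorted(find_call_home(log_text, parse_blocklist(blocklist_text)))


def iptables_rules(nets, chain="OUTPUT"):
    """Stop and log: a LOG rule then a DROP rule per entry, as iptables-restore lines."""
    rules = []
    for net in nets:
        rules.append(f'-A {chain} -d {net} -j LOG --log-prefix "C2-CALLHOME "')
        rules.append(f"-A {chain} -d {net} -j DROP")
    return rules


if __name__ == "__main__":
    nets = parse_blocklist(BLOCKLIST_TEXT)
    for host, dests in sorted(find_call_home(FLOW_LOG, nets).items()):
        print(host)
        for dest, count in sorted(dests.items()):
            print(f"    {count:>3}x -> {dest}")
    print("\n".join(iptables_rules(nets)))
```

On the constructed data the report names three hosts: 10.0.5.21 (two attempts to the listed C&C on port 80), 10.0.7.3 (a hit inside the /24) and 10.0.9.140 (one hit inside the /29; its other connection, to 198.51.100.199, falls just outside the range and is correctly ignored). Two caveats for anyone wiring this up for real: the list must be refreshed as C&C hosts move, and the check only catches destinations that are already known, so it complements rather than replaces the IDS that the quiet bots slip past.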
ThreatSTOP subscribers do not need to concede the network to the bot herders, and our service meets the requirements of proactivity and actionable intelligence that Dix and his experts say are the key to the future. With ThreatSTOP there is no longer any need to live with the knowledge that your network is infected.