Zombies, PCs that have been implanted with malicious code for use in attacking other PCs, are on the rise as more spammers spread viruses and advertisements by sending out remote access trojans (RATs) or trojan horses. Unbeknown to the user, a trojan horse can enter a PC through an email attachment or an unsecured port. The horse notifies the spammer after it has infected the PC; it then lies dormant, awaiting the spammer’s call.
The spammer usually waits until a large number of computers have been infected with the trojan horse before commanding the zombies to rise. Each zombie then triggers a mechanism which sends out bulk email.
The large number of attacking computers makes it difficult to identify the source of the attack or take corrective action, especially without disrupting service for others.
Sunnyvale, Calif.-based P-Cube, soon to be part of Cisco Systems Inc. (Nasdaq: CSCO), says its Broadband Spam Control Solution detects zombie PCs soon after they wake up and begin sending out bulk mail (see Cisco Plucks P-Cube for $200M). P-Cube’s application can identify and stop a zombie attack after the first few thousand emails have been sent. That is a relatively small fraction of the total spam sent during an attack, says P-Cube VP of marketing, Milind Gadekar.
Spam is an ongoing problem for service providers, using up bandwidth, overloading mail servers, and slowing down networks. Analysts say those that are most successful at combating spam will keep and sign on more customers. “[P-Cube’s application] is a helpful weapon in the ongoing attempt of ISPs to control their networks,” says Lydia Leong, a principal analyst at Gartner Inc.
The spam solution is a part of P-Cube’s traffic analysis and network control capabilities. The company has developed hardware engines that can monitor traffic at Layer 7, distinguishing traffic flows in ways traditional routers can't.
Some analysts say P-Cube’s solution appears different from those of other spam fighters because it detects zombie attacks at a very early stage, preventing spam from traveling the network.
Other strategies to control spam, such as filtering or black-listing IP addresses, slow down the network for other users and often punish legitimate users, analysts say. These strategies filter spam after it has been delivered, failing to ease the burden on overloaded mail servers, says Gadekar.
P-Cube says its solution can stop spam attacks before they travel the network. And its method of blocking and notifying the infected PC does not affect the network for other legitimate users.
To detect infected PCs, P-Cube uses its service application Engage, which provides stateful monitoring of protocols and allows for the detection and control of any network application, including Web browsing, multimedia streaming, and peer-to-peer.
Zombies hide the identity of their originator, but they leave fingerprints in network usage patterns. P-Cube’s solution performs deep packet inspection to account for the type of SMTP traffic generated by subscribers and identify suspicious patterns that exist in zombie mail traffic.
After the infected PC has been detected, P-Cube’s solution allows the service provider to deny network access. At the same time, the user is notified that the PC is infected and is instructed to contact the service provider. It’s then up to the service provider to tell the user how to cleanse the PC and take measures to prevent another attack.
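As an added illustration, not P-Cube’s code or its actual heuristics, the following Python sketch shows the kind of per-subscriber outbound SMTP pattern check described above, followed by the deny-access step. The flow records, the relay address and the thresholds are all constructed assumptions for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since start of capture
    subscriber: str  # subscriber (source) address, constructed
    dst: str         # destination address
    dport: int       # destination port

# Assumed thresholds for illustration only, not P-Cube's values.
WINDOW_S = 60.0          # sliding window length in seconds
MAX_SMTP_FLOWS = 50      # outbound port-25 connections per window
MAX_DISTINCT_DST = 20    # distinct mail servers per window
ISP_RELAY = "203.0.113.25"  # the provider's own relay (constructed); normal clients use it

class ZombieDetector:
    """Flags subscribers whose direct-to-mail-server SMTP volume looks like a zombie burst."""
    def __init__(self):
        self.windows = defaultdict(deque)  # subscriber -> deque of (ts, dst)
        self.quarantined = set()

    def observe(self, flow):
        """Return 'allow', 'quarantine' (first detection) or 'blocked' (access already denied)."""
        if flow.subscriber in self.quarantined:
            return "blocked"  # provider denies all network access once infected
        if flow.dport != 25 or flow.dst == ISP_RELAY:
            return "allow"    # not outbound SMTP, or mail sent the legitimate way
        win = self.windows[flow.subscriber]
        win.append((flow.ts, flow.dst))
        while win and flow.ts - win[0][0] > WINDOW_S:
            win.popleft()     # drop flows that fell out of the window
        distinct = {d for _, d in win}
        if len(win) > MAX_SMTP_FLOWS or len(distinct) > MAX_DISTINCT_DST:
            self.quarantined.add(flow.subscriber)
            return "quarantine"  # in practice: block and notify the subscriber
        return "allow"

def run(flows):
    det = ZombieDetector()
    actions = [det.observe(f) for f in flows]
    return det.quarantined, actions

def sample_flows():
    # Constructed traffic: one normal subscriber relaying mail, one zombie spraying many MX hosts.
    flows = [Flow(float(t), "10.0.0.7", ISP_RELAY, 25) for t in range(0, 120, 5)]
    flows += [Flow(0.1 * i, "10.0.0.42", f"198.51.100.{i % 200 + 1}", 25) for i in range(100)]
    flows += [Flow(3.0, "10.0.0.7", "93.184.216.34", 443)]
    return sorted(flows, key=lambda f: f.ts)
```

The zombie is quarantined on its 21st distinct destination, well before its burst completes, while the subscriber using the provider’s relay is never touched.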
— Joanna Sabatini, Reporter, Light Reading