Internet.com ISP-Planet
InterCloud Security Service

Today, Trend Micro announces a program to tackle next-generation spam.

by Alex Goldman
ISP-Planet Managing Editor
[September 25, 2006]

A lot of teams come to our offices: nicely dressed, intelligent people. We fail to understand how impressive the team from San Jose, Calif.-based Trend Micro (world HQ in Tokyo) is until some time after the introductions. Sure, Paul Moriarty, director of product development for internet content security, has been doing government work he couldn't talk about (and we're not likely to get a security clearance any time soon, either).

The background of Dave Rand, CTO, is impressive, but it's only part way through the interview that he mentions that he co-founded MAPS, and this is easy to verify.

The Trend Micro folks tell us they need a strong team, filled with Ph.D.s, to take on the internet's latest threat: botnets. It's a problem that ISPs tackle every day. Trend Micro wants to go after the source, tackling the command and control centers, and also tackle the edge, cutting off the bots from their instructions.

The new solution, announced today, is called the InterCloud Security Service. The company says the service relies on patent-pending technology it calls BASE, for Behavioral Analysis Security Engine.

Rand says the company estimates that 7 percent of all PCs host some kind of zombieware. That's a total of 75 to 100 million compromised PCs, of which 10 or 11 million may be active at any time. Of those, approximately 60 percent, he says, are spam bots.

"Let's say a large ISP in France has half a million zombies. Let's say they're calling up customers, explaining the problem, and are fixing four computers per day—they'll have solved the problem in 271 years, assuming no additional computers are infected."

A stronger DNS
The spam problem has ignited a fundamental debate about the internet, with some calling for protocols to be made less open in proposals such as DomainKeys, SPF, and Sender ID.

Trend Micro's solution is DNS-based, like DomainKeys, but does not require a global rollout. Instead, the company proposes installing its DNS servers at service providers around the world.

Moriarty says the company's appliance looks for suspicious behavior and blocks it. "Here's a trivial example. If you're sending an e-mail, you make an MX request. If you make many MX requests in a short period of time, you're a spam bot. Nobody's typing, say, 1,000 e-mails in 5 minutes."

A research team
But that's not the entire solution. Trend Micro already has a team of professionals watching malware, as any anti-virus shop does. The company recently created a new Botnet ID Team. Moriarty says the team has two areas of research: applied and general. In the applied research segment, the team is looking for developments that will affect the internet in the next 6 to 9 months. In the general research segment, the team is tracking the world's major botnets.

"We track about 2,000 of the top Command and Control centers and watch the bots get orders and send results."

He says tracking isn't easy. "A Command and Control center may move every 5 minutes."

Monitoring the behavior makes it easy to cut off the commander from the troops. At a critical time, when the bot asks for instructions, the DNS server can prevent the bot from finding its commander. The result: a paralyzed zombie army.

Rand points out that once the zombie is cut off from commands, the ISP can fix the problem.

The company describes three steps in fixing problems: Identify, Remediate, and Remove.

Once the problem is identified, the customer can be redirected to a remediation page containing instructions on how to remove the zombie themselves or how to ask for help to fix the problem.
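The two mechanisms described above, Moriarty's MX-request burst heuristic and the resolver-side cut-off with a redirect to a remediation page, as an added example that is not Trend Micro's code; the log format, the threshold of 50 MX queries per 300 seconds, the blocklisted C&C name and the remediation hostname are all constructed assumptions:

```python
from collections import defaultdict, deque

# Constructed thresholds for illustration; the article gives only
# the "1,000 e-mails in 5 minutes" figure as an example.
WINDOW_SECONDS = 300
MX_THRESHOLD = 50
CNC_BLOCKLIST = {"cnc.example.invalid"}        # placeholder C&C name
REMEDIATION_HOST = "remediation.isp.example"   # placeholder landing page

def parse_line(line):
    # Constructed resolver log format: "<epoch> <client_ip> <qtype> <qname>"
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype, qname

def find_mx_burst_clients(log_lines, window=WINDOW_SECONDS, threshold=MX_THRESHOLD):
    """Identify: clients issuing more than `threshold` MX queries in any
    `window`-second span. Lines are assumed time-ordered per client."""
    recent = defaultdict(deque)   # client -> timestamps of its recent MX queries
    flagged = set()
    for line in log_lines:
        ts, client, qtype, _ = parse_line(line)
        if qtype != "MX":
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:   # drop queries outside the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(client)
    return flagged

def resolve_policy(client, qname, quarantined):
    """Remediate: policy applied before normal recursion. Known C&C names get
    NXDOMAIN for everyone; quarantined clients are steered to the help page."""
    if qname in CNC_BLOCKLIST:
        return "NXDOMAIN"
    if client in quarantined:
        return REMEDIATION_HOST
    return "RESOLVE"

# Constructed sample log: one client fires 60 MX lookups in 60 seconds,
# a normal user sends three mails over five minutes plus a web lookup.
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.0.5 MX target{i}.example" for i in range(60)]
    + [f"{1000 + 100 * i} 10.0.0.9 MX mail{i}.example" for i in range(3)]
    + ["1005 10.0.0.9 A www.example"]
)

if __name__ == "__main__":
    bots = find_mx_burst_clients(SAMPLE_LOG)
    print("quarantined:", bots)
    print(resolve_policy("10.0.0.5", "www.example", bots))
```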

Moriarty says he's already built botnet research teams in the U.S. and Europe, and is hiring in the ASIAPAC region.

Keep your DNS server
We point out that while ISPs might not mind adding a DNS server, most will not want to remove the server they have in place. Rand says, "put us in there first, and put your DNS next."

Moriarty points out that Trend Micro's system can only solve the problems it's allowed to see.

He adds that because the company has servers on ISPs around the world, it's likely to see a botnet before any individual ISP notices it.

Are you a target?
Some botnets, he adds, are now directed at specific ISPs. For some time, Trend Micro has been tracking the top sources of spam worldwide on the Network Reputation page, updated in real time.

He's used to seeing China at the top of the botnet list, but due to a new piece of malware, written in Spanish and targeting Spain's ILEC, Telefonica is now the number one source of spam.

There's gold in your pain
Rand says that ISPs can stop seeing the abuse desk as a loss center and start selling services there. "Trend Micro Channel Sales allows the ISP to turn the abuse desk into a profit center."

The future
Of course, threats will change over time, and Rand touts the ability of the Trend Micro solution to evolve over time too, keeping up the arms race with the villains. Solutions cannot be hard-coded, and need to be upgradeable.

One new strategy, Trend Micro says, is for smaller botnets. The malware writers think if they write a virus that will only infect several thousand computers, the anti-virus companies will ignore it.

The company notes that the Honeynet Project studied over 100 botnets between November 2004 and January 2005. The largest botnet was 226,585 zombies, but the average was about 2,000. The number needed to DDoS a typical company, Trend Micro says, was found to be 13.

Pricing and availability
The InterCloud Security Service will be offered in Q4, 2006. Pricing is not disclosed.

—End

Related articles:
  [July 10, 2006] IronPort Reports Surge in Image Spam
  [Oct. 11, 2004] Security Products Meld in Response to Blended Threats
  [Jan. 27, 2003] Book Review: Know Your Enemy
