Internet.com ISP-Planet
 

FireEye Announces Bot Prevention System

This unusual system studies bots by allowing them to infect virtual machines, then destroys the machines and the bots within them, and uses the data against the flood.

by Alex Goldman
ISP-Planet Managing Editor
[September 27, 2007]

This is the year of the bot. Like an unending flood, we are told, the bots are coming. Just when you have your anti-spyware in place, your anti-spam in place, and are a veteran anti-virus fighter, a new threat emerges.

Bots are the virus evolved. In the past, service providers tracked them by looking for the website that was commanding them, but the latest generation is a headless P2P beast.

In the past, systems also tracked anomalous behavior, but Ashar Aziz, CEO of FireEye, says that defining anomalous behavior is problematic. "The idea is that anomalous behavior may be malicious, but the challenge is that slightly anomalous behavior happens all the time. The network changes, anyway, over time. There is a possibility of false alerts and also missed attacks."

Do not adjust your appliance
Rather than block suspicious behavior, the Botwall 4000 series of appliances from Menlo Park, Calif.-based FireEye redirects unusual traffic to a virtual system. If the traffic infects that system, it is not passed on to the end user and the infected virtual machine is torn down. It is simply a computer session that can be eliminated with a command.

"Ashar and the engineering team have created a complete virtual architecture," explains Phillip Lin, FireEye director of product marketing. "We do full installs at various patch levels. We've added instrumentation to allow you to see what's going on inside the virtual machine."

Aziz adds that all software is licensed. Most clients have site licenses, so this architecture is not a problem. "Bots target widely deployed software," he adds. "Unusual software may be the target of a human attack but not of a malware attack. Even Apple software, which is widely deployed, is generally not a target."

So how does all of this fit in a pizza box? "Unlike virtualization servers," explains Lin, "we destroy bot-infected virtual victim machines and recreate new ones instantly for further analysis."

Join the Botwall
Once a bot is identified, the appliance analyzes what it's caught and transmits metadata to all other Botwall appliances worldwide. FireEye's goal is to create a global network so that service providers and enterprise customers can see and understand bot activity worldwide in real time.

But surely service providers will be reluctant to share information? "We generally trade metadata," says Aziz. "We do not exchange information about the victims of infection. The victim data is retained by the ISP."

The company aims to be able to serve the largest ISPs and enterprises. "Our key intellectual property is scalable to thousands and tens of thousands and millions of flows and to multiple gigabit traffic flows," notes Aziz.

Pricing and availability
The company has three products in its Botwall series, all available now:

Model Number  Customer                                       Bandwidth  Hardware Price   Software and Support Price
                                                                        (one-time fee)   (annual fee)
------------  ---------------------------------------------  ---------  ---------------  --------------------------
4100          SME                                            200 Mbps   $10,000          $10,000
4200          Medium-sized business                          1 Gbps     $20,000          $20,000
4700          Large enterprise and major service providers   10 Gbps    $60,000          $60,000

—End

Related articles:
  [Aug. 30, 2007] As Threats Change, ISPs Need New Software
  [March 26, 2007] You Cannot Trust Your Infected Customers
  [Sept. 26, 2006] InterCloud Security Service

 

 

 
