As Threats Change, ISPs Need New Software

First it was anti-virus, then anti-spam, and later anti-spyware. Sana Security offers up the latest update as a whole new front opens in the war on spyware.

"Last year was the year of the rootkit," says Tim Eades, senior vice president of sales and marketing at San Mateo, Calif.-based Sana Security (sana is Latin for "sanity"). "This year, bots have picked up a lot of news. We've seen bot activity growing significantly. But they've changed. In prior years, bot networks were centralized, so you could look for a bot herder managing up to 2 million bots from a central location. The bot herder could change their mission and rent them out."

Stopping a centralized network was relatively easy compared to what Sana's seeing now. "We all stopped them in the past by cutting contact with the main guy. But the bot herder has now implemented a P2P-capable agent (it's really quite fascinating) so the bots can update and support each other. Therefore, we're trying to understand what is now a decentralized system. The herder can enter the net at any point and change the mission of the herd. It's significantly harder to control." Bot herds are now more difficult to detect and to take down.

A new release

Usually, Eades says, a victim of identity theft contacts a credit agency like Equifax and cleans up the record. However, he notes, if that person's computer is owned by a bot, the information can be stolen again after the credit card numbers and other data have changed.

"Our product is focused on the generic removal of malicious software," he says. The idea is that the software should not require a signature to solve the problem. Malware should be removed even if its details are not yet familiar to Sana. It's a downloadable product, under 10 MB. "We look for behaviors and relationships. We look at what code does, not what it is."

Of course, there are updates, but few are anticipated. Software changes rapidly but behaviors do not. Eades expects to release an update every 120 or 180 days.

"Obviously, it requires strong detection. We look at 288 different behaviors. Underneath that, we look at thousands of characteristics for the behaviors. Obviously, malware needs to talk to the outside world. It needs to survive a reboot. And as we move from Microsoft Windows XP to Vista, we have to look at the kernel differently. We increased the number of behaviors we watch from 228 to 288. We don't let software commit the crime. We convict on intent."

A key tool, Eades says, was built to defeat Hacker Defender (see 'Rootkit' Author Beaten, For Now). Sana Security's product can show the admin everything that it's monitored. "Often, we see things differently [than Task Manager]. We allow you to see what's going on at a richer and deeper level."

Pricing and availability

It will be priced at $24.95 per year and there will be a revenue share for ISPs. Larger ISPs will want access to Sana's SDK to include the product with their own-branded security bundle. ISPs need to fight identity theft, says Eades. "While most ISPs recommend anti-spam and anti-virus software, few do credit monitoring."