New Trend Micro Service Goes Bot Hunting

InterCloud Security Service is a multi-phase project, said Trend's chief technology officer, with the first phase set to debut in the fourth quarter. It will be pitched to ISPs and enterprises as a way not only to sniff out zombies on their networks, but also to render bots harmless using an unusual tactic.

"[ISPs and enterprises] need a complete solution," said Dave Rand of Trend Micro. "They have to have a way to detect them in near real time and repair [the bots], too."

Rather than rely on signatures to identify fast-changing and mutating bots, InterCloud will use a behavioral analysis technology dubbed "Behavioral Analysis Security Engine" (BASE), added Paul Moriarty, Trend's director of product development. Initially, BASE will examine the domain name system (DNS) behavior that marks certain kinds of zombie activities.

"We watch the behavior of mx requests," said Moriarty. "If there are a large number of requests in a short period, you can assume a high degree of accuracy that it's a spam bot [making the requests]."

Trend has written new code for running the DNS appliance it adds to a customer's network. Rand boasted that the code makes the hardened appliance handle DNS requests twice as fast as a typical server running BIND, the open-source software used on most DNS systems. The appliance collects suspicious data and sends it to Trend for analysis.

Once a zombie's spotted -- human researchers are involved at some point in the analysis -- InterCloud returns bot DNS requests with a null IP address, preventing the bot from contacting its herder for new commands. Trend will also notify customers of IDed bots; users can view bots from a Web-based console where they can also apply management policies.
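The MX-burst heuristic Moriarty describes, together with the null-address response, can be sketched as follows. This is an added example, not Trend's code: the log format, the 60-second window, the threshold of 20 queries and the function names are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window; the article gives no figure
MX_THRESHOLD = 20     # assumed MX-query count that marks a burst
NULL_IP = "0.0.0.0"   # the "null IP address" handed back to flagged clients

# Constructed sample log, one query per line: "<epoch-seconds> <client> <qtype> <qname>"
SAMPLE_LOG = "\n".join(
    # workstation resolving MX records for 30 different domains in 30 seconds
    [f"{1000 + i} 10.0.0.23 MX mail{i}.example.net" for i in range(30)]
    # mail relay making one MX lookup every two minutes
    + [f"{1000 + 120 * i} 10.0.0.5 MX partner{i}.example.org" for i in range(10)]
    # ordinary client issuing A lookups only
    + [f"{1000 + i} 10.0.0.40 A www{i}.example.com" for i in range(40)]
)

def parse(line):
    ts, client, qtype, qname = line.split()
    return int(ts), client, qtype.upper(), qname

def find_mx_bursts(lines, window=WINDOW_SECONDS, threshold=MX_THRESHOLD):
    """Return {client: peak MX count seen in any window} for clients at or over threshold."""
    recent = defaultdict(deque)   # client -> timestamps of MX queries still in the window
    flagged = {}
    for ts, client, qtype, _ in sorted(parse(l) for l in lines if l.strip()):
        if qtype != "MX":
            continue
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:   # drop queries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[client] = max(flagged.get(client, 0), len(q))
    return flagged

def answer_for(client, real_answer, flagged):
    """Assumed resolver policy: every lookup from a flagged client gets the null address."""
    return NULL_IP if client in flagged else real_answer

if __name__ == "__main__":
    bots = find_mx_bursts(SAMPLE_LOG.splitlines())
    for client, peak in bots.items():
        print(f"{client}: {peak} MX queries within {WINDOW_SECONDS}s -> sinkhole")
```

The mail relay stays unflagged because its MX lookups never accumulate inside one window, which is why the threshold and window have to be tuned against legitimate mail servers before any automatic response is enabled.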

"Enterprises just want them off the network, period," said Moriarty. Only after they're disconnected does the typical corporate customer think about sterilizing the zombie, he added.

ISPs, however, need automated methods to repair bot-infected PCs. InterCloud will also offer that service, with both blunt "clean all" capabilities and, when partnered with Trend's House Call technology, a "surgical" cleansing that removes only the detected bot code. The latter, of course, is faster to execute.

InterCloud is to preview at DEMOfall '06, an invite-only product launch conference which opened Monday in San Diego. When it goes on sale later this year, the service will be handled by Trend's channel partners.