VM on Appliance Shuts Down Bots

FireEye recently announced new models in its line of FireEye Botwall 4000 Series appliances and the integration of the FireEye Botwall Network service with the FireEye Botwall appliances. "FireEye's Botnet Protection" provides a brief description of the appliances and network.

I wanted to find out more about the state of botnets today and how FireEye's appliances and network combat them, and Ashar Aziz, FireEye CEO and founder, and Phillip Lin, director of product marketing, filled me in.

According to Aziz, "The botnet infiltration is at pandemic level on the Internet. Anywhere from 100 million to 200 million systems are infected," both in companies and in homes. Specific companies, such as eBay and Pfizer, have been targeted in attempts to mine their customer information, and financial institutions and ecommerce companies are also popular targets. Higher education institutions are attractive to bot herders because they tend to have high-powered systems on fairly open networks, "like mini-Network Service Providers," said Lin.

Aziz said that antivirus products and intrusion detection and prevention systems (IDS/IPS) that rely on signatures or even behavior anomalies often can't detect botware, which mutates frequently. He defined bots as malware that has a connection back to a host that's controlling it.

FireEye has appliances located at aggregation points inside Network Service Provider partners as well as appliances located on customer networks. The appliances "take flows going by in the network and check whether there's malicious activity and whether that malicious activity is botnet propagation," said Aziz. "The appliance has a virtual machine that does the analysis. It can find the coordinates of the remote system that the bot is attempting to communicate with."

The virtual machine (VM) in the appliance acts as a proxy for a client endpoint, which is the bot's target machine. Lin explained that the appliance "has different Windows versions and patch levels on the VM so that we're really duplicating endpoints that are out there and seeing what the bot does on them and how it communicates back."

This VM analysis in the network layer, as opposed to the network behavior anomaly detection technique that Aziz and Lin said FireEye's competitors use, is FireEye's distinguishing feature. Aziz added that doing the analysis at Network Service Providers gives a good picture of how a botnet is evolving in real time on the Internet.

This "botnet intelligence" is then disseminated by the FireEye Botwall Network to the FireEye Botwall appliances.
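The detection pipeline the article describes, as an added illustration that is not FireEye's code: a hash signature stops matching once the botware mutates, while a VM run still observes the connection back to the controlling host, and those coordinates are aggregated into intelligence that appliances apply to flows. The sample bytes, Windows profile names, hostnames, ports and flows are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass

# Constructed data: two byte-level "mutations" of the same bot. The C2 address
# and the allowlisted update host are placeholders, not real indicators.
C2 = ("c2.placeholder.invalid", 6667)
BENIGN = {("update.placeholder.invalid", 443)}  # assumed allowlist of expected traffic

@dataclass
class Detonation:
    """One VM run: the sample bytes, the Windows profile it ran on, and the
    outbound (host, port) connections the VM observed."""
    sample: bytes
    profile: str
    connections: list

# Signature database holding only the hash of the first variant.
SIGNATURE_DB = {hashlib.sha256(b"bot-v1").hexdigest()}

def signature_match(sample: bytes) -> bool:
    """Hash-based detection: stops matching as soon as the sample mutates."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURE_DB

def extract_c2(det: Detonation) -> set:
    """Behavioural detection: any observed connection outside the allowlist is
    taken as the coordinates of the controlling host."""
    return {c for c in det.connections if c not in BENIGN}

def build_intelligence(detonations) -> set:
    """Aggregate C2 coordinates from many VM runs into a feed for the appliances."""
    feed = set()
    for det in detonations:
        feed |= extract_c2(det)
    return feed

def appliance_filter(flows, feed) -> list:
    """Inline appliance check: return the flows whose destination is in the feed."""
    return [f for f in flows if (f["dst"], f["dport"]) in feed]

def demo():
    runs = [
        Detonation(b"bot-v1", "winxp-sp2", [C2]),
        Detonation(b"bot-v2", "win2003-sp1", [("update.placeholder.invalid", 443), C2]),
    ]
    sigs = [signature_match(r.sample) for r in runs]  # [True, False]: v2 evades the hash
    feed = build_intelligence(runs)                    # {C2}: both runs reveal the same host
    flows = [{"src": "10.0.0.5", "dst": C2[0], "dport": C2[1]},
             {"src": "10.0.0.6", "dst": "update.placeholder.invalid", "dport": 443}]
    return sigs, feed, appliance_filter(flows, feed)
```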
