Select Page

Cyren Security Blog

Keeping the Zombies out

The continuing spread of botnets poses a new challenge for online and mobile application designers. Malware-infected machines often have code installed to log keystrokes, steal information, or even initiate background actions without the user’s knowledge. As designers, how do you ensure that the user really is who they say they are, while making the overall user experience simple and convenient?

Commtouch works with application providers to address this challenge. As the effective life of a botnet is short, they are usually hired out for multiple types of activity to maximize their value before they are shut down. This means that many zombie machines are often first revealed by their participation in spamming and phishing outbreaks. What does that mean?

As the largest threat intelligence platform of its kind in the world, the Commtouch GlobalView Cloud analyzes almost 4.5 trillion global transactions each year. As transactions are examined, a profile is built of the transaction itself as well as the originating host IP address and domain. When the GlobalView Cloud detects malware, spam, or phishing transactions they are instantly correlated to specific host machines, exposing their use as zombies. GlobalView Cloud then provides real-time threat intelligence on zombie machines to Commtouch partners, including their IP address, types of activity performed, and level of activity. This intelligence feed is called the Commtouch Zombie Intelligence Service.

Of course, the ideal scenario is to ensure that Malware never makes it onto a host to begin with, but the reality is that millions of zombie host machines are active and connected to the Internet on any given day, so application owners should take every precaution to prevent the zombies gaining access to their systems, or suffer the consequences – potentially fiscal, regulatory, and reputational – of a breach.

At the recent RSA show, I got the chance to speak with a number of finance sector professionals. It’s no surprise that security is always top of mind for them, but they face unique challenges in supporting growth goals for their businesses while effectively securing sensitive customer and business data and maintaining regulatory compliance. During our discussions we focused on how challenges that are similar to the zombie host problem are solved in the industry today. Here is an example which I believe holds the model for an appropriate response to the zombie host problem.

All US persons, permanent residents and legally organized businesses are required to adhere to the US Treasury’s OFAC statutes. Adherence to OFAC ensures that they do not financially transact with persons or entities subject to US Government sanctions. Penalties for violation are severe –fines range from $50,000 to $10,000,000 and prison sentences up to 30 years – so strict compliance is essential. Standard OFAC compliance processes involve a search against the online OFAC list when setting up a new business arrangement. If the person or entity searched for matches an entry on the list, the transaction must be declined and electronically reported to OFAC, along with all supporting data.

The OFAC compliance process gives us a model for extended user authentication that can be deployed whenever access by a compromised host to an application or resource could pose a threat to sensitive data or revenue generation. In this model, Commtouch partners establish the IP address and/or domain of the machine requesting access, then query the Zombie Intelligence Services data to determine if the machine is compromised. Based on the security needs of the application, if the machine is infected the developer may add additional authentication steps to ensure it is a ‘live’ user, or decline the connection altogether. In either case, data can be returned to Commtouch describing the type of activity being performed by the zombie, which then further enriches the intelligence data for that host. Because zombie machines are only active for a few hours before being shut down or made dormant, access to real-time intelligence on botnets is essential to defeat them. The botnet data contained in the GlobalView Cloud also forms a part of the foundation for the new Advanced Persistent Threat Detection capabilities that Commtouch is bringing to market later in 2013.

Developers of online applications – in particular those that provide access to financial or healthcare services or other types of sensitive data – should strongly consider either this, or a similar accreditation technique, to minimize the risk of zombie machines gaining access to their customer data and/or their business systems. If you’d like to understand more about the Commtouch Zombie Intelligence Service, please contact us.

You might also like