Symantec Adds Bot Hunting to Managed Services

Enterprises may rest a bit easier now that Symantec is going after botnets, with the expansion of its Managed Security Service to include the Global Intelligence Network (GIN).

The new service analyzes customer network traffic against Symantec's threat data sources, identifies malware and checks traffic against known blacklists. Botnet detection is included at no extra charge.

“Bots,” of course, are small programs surreptitiously installed on a computer and used for malicious tasks like sending spam e-mail or launching a distributed denial of service (DDoS) attack. They’re designed to stay hidden and run in the background, waiting for orders from a remote “command and control” server. A group of bots under the control of one individual or command and control server is called a “botnet.”

There’s no truly accurate measure of how many bot-infected computers are out there, but the number is usually cast in the millions.

Not surprisingly, Symantec recorded 2,000 bot-related incidents in September alone. Without its new botnet detection methodology, the company would have missed around 55 percent of those infections, according to Grant Geyer, vice president of managed security services at Symantec.

GIN monitors known command and control servers, which number only in the few thousands compared with the likely millions of bots. The service tracks where these servers send their instructions, and by tracing the traffic between them and the machines they talk to, Symantec is able to identify the infected hosts.

Within 10 minutes of detecting botnet activity, GIN notifies the affected customer, names the suspected IP address to be cleaned and provides all of the evidence that led to the conclusion of infection. The approach isn’t perfect because it finds infections only after the fact, but it helps, Geyer said.
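The detection described above comes down to correlating traffic logs against a list of known command and control addresses and reporting, per internal host, the records that implicate it. The following is an added example written for this article, not Symantec's or GIN's code. The blocklist, the customer address range and the log lines are constructed (RFC 5737 test ranges stand in for C2 servers, 10.0.0.0/8 for the customer network), and the space-separated log format is an assumption made for the example.

```python
"""Flag internal hosts that talk to known command-and-control servers.

Added example, not Symantec's GIN code. Blocklist and log records are
constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed blocklist of known C2 hosts/networks (hypothetical addresses).
C2_BLOCKLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Address space the customer owns; anything else is "outside".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed firewall/flow records, assumed format:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes>
SAMPLE_LOG = """\
2006-09-12T08:01:03Z 10.1.4.22 192.0.2.10 80 5120
2006-09-12T08:01:09Z 10.1.4.22 203.0.113.45 6667 310
2006-09-12T08:01:11Z 10.1.9.8 192.0.2.44 443 20480
2006-09-12T08:02:40Z 203.0.113.45 10.1.4.22 6667 88
2006-09-12T08:03:15Z 10.1.7.3 198.51.100.7 8080 1200
2006-09-12T08:03:16Z this line is corrupted
2006-09-12T08:04:02Z 10.1.9.8 192.0.2.44 443 4096
"""

LINE_RE = re.compile(
    r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\d+) (\d+)$"
)


def is_c2(addr):
    """True if the address (string or ip_address) is in a blocklisted C2 network."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in C2_BLOCKLIST)


def parse_line(line):
    """Parse one log line; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, nbytes = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "bytes": int(nbytes),
        "raw": line.strip(),
    }


def find_infected(log_text):
    """Map each suspected internal host to the parsed records implicating it.

    Both directions count: an internal host reaching out to a C2 address
    (beaconing) and a C2 address sending back to an internal host
    (instructions). Unparseable lines are counted, not silently dropped.
    """
    evidence = defaultdict(list)
    bad_lines = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            bad_lines += 1
            continue
        if rec["src"] in INTERNAL_NET and is_c2(rec["dst"]):
            evidence[str(rec["src"])].append(rec)
        elif rec["dst"] in INTERNAL_NET and is_c2(rec["src"]):
            evidence[str(rec["dst"])].append(rec)
    return dict(evidence), bad_lines


def build_alerts(log_text):
    """One alert per suspect host: IP to clean, first-seen time, and the
    raw lines that led to the conclusion."""
    evidence, bad_lines = find_infected(log_text)
    alerts = []
    for host, recs in sorted(evidence.items()):
        alerts.append({
            "host": host,
            "first_seen": min(r["ts"] for r in recs),
            "evidence": [r["raw"] for r in recs],
        })
    return alerts, bad_lines


if __name__ == "__main__":
    alerts, skipped = build_alerts(SAMPLE_LOG)
    for a in alerts:
        print(f"clean {a['host']} (first seen {a['first_seen']:%H:%M:%S}Z)")
        for raw in a["evidence"]:
            print("   ", raw)
    print(f"{skipped} unparseable line(s) skipped")
```

On the constructed log, 10.1.4.22 is flagged on two records (its outbound connection to 203.0.113.45 and the return traffic from it) and 10.1.7.3 on one, while 10.1.9.8, whose destination is not on the blocklist, is left alone. Matching in both directions matters because a quiet bot may be seen only when the server pushes instructions to it, which is the angle the article attributes to GIN.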

Botnet infection is widely regarded as a consumer problem, since home users have weaker defenses and are more often the target of the bad guys. But corporations are certainly not immune, and the service should be of particular interest to them.

Adding to the problem is that in corporate networks with tens of thousands of computers, it’s easy for some systems to fall through the cracks. The most famous case came in 2001, when the University of North Carolina found a missing server that had been accidentally walled up by construction workers some four years earlier. The NetWare server continued working dutifully all that time, even though the admins had no idea where it was.

However, Geyer said the bigger risk for infection comes from users taking their computers home than from administrators losing a server to drywall.

“It is very difficult for enterprises to remain secure today,” he said. “Companies will have tens of thousands of systems on the network. If a user takes a laptop home and browses around and gets infected, they can bring it back to the office.”

That’s not counting the risks associated with bad user behavior in the office — surfing to dangerous Web sites and setting up unregulated wireless access points or even their own Web servers — and IT gaffes like failing to configure a firewall properly.

“There’s no foolproof means of stopping security threats,” Geyer said. “Any organization that suggests there’s a silver bullet to solve all security problems is somewhat foolhardy. The trick is to make sure organizations have security options in depth, so even if you can’t see initial infections, you can spot the secondary problems that occur.”