Sophos hunts down zombie systems


Antivirus specialist Sophos launched a service on Wednesday called ZombieAlert that uses spam traps to find unsolicited e-mail messages originating from supposedly 'protected' computers.

Paul Ducklin, head of technology for Sophos Asia-Pacific, said the ZombieAlert service uses a large number of 'spam traps' that are configured so they are unlikely to receive legitimate messages. When the traps receive spam, the originating IP address of the message is looked up and, if it belongs to a ZombieAlert subscriber, Sophos will inform them that one or more of their computers is being used as a spam relay.

"We endeavour to ensure that of the e-mails that enter the spam trap, there is a statistically insignificant amount of real e-mail. Everything coming in is not supposed to be there," said Ducklin.

Ducklin said that the illegitimate e-mails are traced back using their IP address: "We have the source IP where it came from and if that falls into a range owned by a customer on the service then we can let them know there are illicit emails flowing out that they may not have noticed."
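The lookup Ducklin describes, written out as an added illustration that is not Sophos's code: a set of constructed spam-trap hits (source IP, trap mailbox, subject) is correlated against constructed subscriber IP ranges (documentation address blocks, not real customers), so that only hits originating from subscriber-owned space produce a notification and everything else is dropped.

```python
import ipaddress
from collections import defaultdict

# Constructed subscriber table: subscriber name -> IP ranges it owns.
# Documentation/test address blocks are used here; they are not real customers.
SUBSCRIBER_RANGES = {
    "example-university": ["192.0.2.0/24", "198.51.100.0/25"],
    "example-isp": ["203.0.113.0/24"],
}

# Constructed spam-trap records: (originating IP, trap mailbox, subject line).
SPAM_TRAP_HITS = [
    ("192.0.2.45", "trap01@example.net", "cheap meds"),
    ("192.0.2.45", "trap07@example.net", "cheap meds"),
    ("203.0.113.9", "trap02@example.net", "you have won"),
    ("8.8.8.8", "trap03@example.net", "unrelated"),        # not subscriber space
    ("198.51.100.200", "trap04@example.net", "offer"),     # outside the /25, no match
]


def build_index(subscriber_ranges):
    """Parse every subscriber CIDR once so each hit is a cheap membership test."""
    index = []
    for name, cidrs in subscriber_ranges.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr, strict=True), name))
    return index


def find_subscriber(ip, index):
    """Return the subscriber that owns ip, or None if it lies outside all ranges."""
    addr = ipaddress.ip_address(ip)
    for net, name in index:
        # Compare only same-family addresses; IPv4 vs IPv6 never match.
        if addr.version == net.version and addr in net:
            return name
    return None


def correlate(hits, subscriber_ranges):
    """Group spam-trap hits by subscriber and originating IP.

    Returns {subscriber: {ip: hit_count}}. Hits whose source IP is not in any
    subscriber range are discarded, since there is nobody on the service to notify.
    """
    index = build_index(subscriber_ranges)
    alerts = defaultdict(lambda: defaultdict(int))
    for ip, _trap, _subject in hits:
        owner = find_subscriber(ip, index)
        if owner is None:
            continue
        alerts[owner][ip] += 1
    return {owner: dict(ips) for owner, ips in alerts.items()}


def format_alerts(alerts):
    """Render one notification line per (subscriber, suspected relay IP)."""
    lines = []
    for owner, ips in sorted(alerts.items()):
        for ip, count in sorted(ips.items()):
            lines.append(f"{owner}: {ip} hit {count} spam trap(s); likely spam relay")
    return lines


if __name__ == "__main__":
    for line in format_alerts(correlate(SPAM_TRAP_HITS, SUBSCRIBER_RANGES)):
        print(line)
```

Counting hits per source IP rather than alerting on the first one is the useful design point: a trap population that receives almost no legitimate mail can still see the odd stray message, so a subscriber is better served by a count (and the trap mailboxes involved) than by a single binary flag.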

James Turner, security analyst at Frost & Sullivan Australia, welcomed the move because Sophos was taking a proactive approach.

"Now when they get a spam, it is not someone else reporting it to them it is them -- they are picking up themselves. They are not relying on people reporting spam to them," said Turner.

However, Turner pointed out that when a ZombieAlert subscriber is contacted by Sophos about a possible zombie, they would have very little option but to turn the computer off -- because the existing security software had not picked up the problem.

"[The subscribers can't do anything about the problem] until one of the vendors comes up with a clean up tool or a definition update. Subscribers will have to weigh up the machine and the responsibility of the person using it and then work out what to do - do they make a decision to unplug [from the network] it or not," he said.

Sophos's Ducklin said the initial target for the service will be universities and ISPs that have lots of unregulated users.

"The obvious early adopters will be environments like universities and ISPs who have huge amounts of Internet traffic, diverse populations that are not necessarily centrally regulated," said Ducklin.
